“Ahhhh! Why can’t our users remember their darn passwords?! If I have to change another password I’m gonna lose it! I didn’t go to college so I could be a password baby-sitter!”
This could very well have been you or one of your helpdesk team members. Password resets are frustrating for end users and IT professionals alike, and too many password-related service desk calls are expensive for the IT department, hurting productivity in other areas of your group as well as morale. Everyone is looking to reduce password-related service desk calls for one reason or another.
Let’s consider some remedies:
- Eliminate the password and allow anyone access at any time.
- Write the password on a sticky note and keep it under the keyboard.
- Make passwords easier to guess by using your name, and your kids' and pets' names too.
- Put the power of the password change back into the end user's wheelhouse.
I hope it’s obvious that the first three options were written more for your enjoyment and should not be implemented. The fourth idea, however, has tremendous merit.
To reduce password-related service desk calls, simply give your end users the ability to reset their own password. Self-service Password Reset (SSPR) gives your users the freedom to reset their own password should they forget the current one. To make the reset secure, something that only that user has or knows should be used as an alternate means of authentication (because the password has been forgotten). Some options for alternate authentication are Security Challenge Questions and One-time Passwords (OTPs), which can be delivered in a number of ways.
SECURITY CHALLENGE QUESTIONS:
During an initial enrollment period, your user is given the opportunity to pick from a list of questions and “enroll” their answers to those questions. Once enrolled, a user who forgets the password can navigate to your SSPR web site and initiate the reset of their own password by correctly answering the questions as they were recorded during enrollment. The benefit of Security Challenge Questions is that no additional device for receiving an OTP needs to be carried around all the time. The downside is that the answers to the questions must be remembered: if passwords can be forgotten, so can security question answers.
A variety of methods exist for delivering OTPs to users stranded without knowledge of their passwords. The idea is that the delivered OTP verifies who they are and allows them to then reset their password. The more popular ways of receiving OTPs are through a text message to a cell phone or an app running on a cell phone that generates its own OTPs. Both methods require the enrollment of the cell phone number and/or application with the SSPR server (http://www.portalguard.com/self-service-password-reset.html) before it will be considered secure. The advantage of the OTP method is that no string of digits and/or characters needs to be remembered. Users merely have to remember to carry their phone with them. People are much more likely to forget their password than leave their phone behind. The disadvantage of the OTP method is, of course, that the phone must always be in the user's possession.
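The text-message OTP flow described above, sketched as an added example (it is not code from the article or from any SSPR product). The class name `SsprServer`, the five-minute validity window, the three-guess limit and the in-memory `outbox` standing in for an SMS gateway are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for a delivered OTP
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per issued OTP


class SsprServer:
    """Hypothetical SSPR back end; SMS delivery is stubbed out."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.phones = {}    # user -> enrolled phone number
        self.pending = {}   # user -> [otp_digest, expires_at, attempts_left]
        self.outbox = []    # (phone, otp) pairs standing in for an SMS gateway

    def enroll(self, user, phone):
        # Enrollment happens while the user can still log in with the password.
        self.phones[user] = phone

    def request_reset(self, user):
        phone = self.phones.get(user)
        if phone is None:
            return False    # no enrolled phone, so no OTP is ever sent
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self.pending[user] = [digest, self.clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((phone, otp))
        return True

    def verify_otp(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        entry[2] -= 1
        candidate = hashlib.sha256(submitted.encode()).hexdigest()
        good = hmac.compare_digest(digest, candidate)   # constant-time compare
        expired = self.clock() > expires_at
        if expired or not good:
            if expired or entry[2] <= 0:
                del self.pending[user]   # expired or out of guesses
            return False
        del self.pending[user]           # one-time: a used OTP cannot be replayed
        return True
```

Only a `True` result from `verify_otp` should unlock the password-change step; a failed, expired or replayed code leaves the account untouched.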
If you are looking to reduce password-related helpdesk calls, you may want to consider empowering your end users with an SSPR solution. They will be very appreciative of it, and if they aren’t, the IT support team certainly will be.