Self-service password reset (SSPR) is the process by which a user is able to reset a forgotten password through his or her own efforts, without the need to involve a third party (such as the local Help Desk).
NOTE: Self-service password recovery is similar, but the goal is to obtain the current password without changing it.
To provide either of these functions, the user must first be authenticated, and various methods can be used for that step.
Most tools accept challenge questions and answers as a means of authentication. While challenge questions remain a valid choice today, the associated threats, including easily guessed answers and answers that are readily available on social media, raise valid concerns, so a secure solution puts additional precautions in place.
Some precautions that should be in place to help mitigate any risk inherent in password reset and recovery include:
- Requiring different answers for each question.
- Requiring a minimum password length.
- Requiring a larger number of answered questions (e.g. three out of six total).
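The following is an added illustration of how those three precautions can be enforced in a challenge-question reset flow; it is not code from the original page or from any particular SSPR product. The constants (six questions, three required, a 12-character minimum password, a 6-character minimum answer length), the function names and the sample answers are all assumptions chosen for the example. Answers are stored only as salted PBKDF2 hashes and compared in constant time, so a leaked enrollment record does not directly disclose the answers.

```python
"""Challenge-question policy for a self-service password reset (SSPR) flow.

Added example; constants and function names are assumptions, not any product's API.
Enforces the three precautions from the list above: distinct answers per question,
a minimum length for the new password, and k-of-n correct answers before a reset.
"""
import hashlib
import hmac
import os

TOTAL_QUESTIONS = 6        # the "six total" from the list
REQUIRED_CORRECT = 3       # the "three out of six"
MIN_PASSWORD_LENGTH = 12   # assumed value for the minimum-password-length rule
MIN_ANSWER_LENGTH = 6      # assumption: reject very short, easily guessed answers
PBKDF2_ROUNDS = 100_000    # assumed work factor for stored answer hashes


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'New York' matches 'new  york'."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the normalized answer; answers are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(answers: dict) -> dict:
    """Validate a user's answers at enrollment and return {question: (salt, digest)}."""
    if len(answers) != TOTAL_QUESTIONS:
        raise ValueError(f"expected {TOTAL_QUESTIONS} questions, got {len(answers)}")
    normalized = {q: normalize(a) for q, a in answers.items()}
    short = [q for q, a in normalized.items() if len(a) < MIN_ANSWER_LENGTH]
    if short:
        raise ValueError(f"answers too short for: {short}")
    # Precaution 1: every answer must differ from every other answer.
    if len(set(normalized.values())) != TOTAL_QUESTIONS:
        raise ValueError("each question must have a different answer")
    stored = {}
    for q, a in answers.items():
        salt = os.urandom(16)          # per-answer salt so equal answers across users differ
        stored[q] = (salt, hash_answer(a, salt))
    return stored


def count_correct(stored: dict, submitted: dict) -> int:
    """Number of submitted answers that match their stored hash (constant-time compare)."""
    correct = 0
    for q, (salt, digest) in stored.items():
        candidate = submitted.get(q)
        if candidate is None:
            continue
        if hmac.compare_digest(hash_answer(candidate, salt), digest):
            correct += 1
    return correct


def verify_answers(stored: dict, submitted: dict) -> bool:
    """Precaution 3: at least REQUIRED_CORRECT of TOTAL_QUESTIONS must match."""
    return count_correct(stored, submitted) >= REQUIRED_CORRECT


def reset_password(stored: dict, submitted: dict, new_password: str) -> bool:
    """Full reset step: identity check first, then precaution 2 (minimum password length)."""
    if not verify_answers(stored, submitted):
        return False
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"new password must be at least {MIN_PASSWORD_LENGTH} characters")
    # A real system would now write the new credential and invalidate existing sessions.
    return True


# Constructed sample enrollment (not real user data).
SAMPLE_ANSWERS = {
    "first school": "Lincoln Elementary",
    "first car": "honda civic",
    "mother's maiden name": "Okonkwo",
    "childhood street": "Maple Avenue",
    "first pet": "Sir Barksalot",
    "favourite teacher": "Mrs Delgado",
}

if __name__ == "__main__":
    record = enroll(SAMPLE_ANSWERS)
    attempt = {
        "first school": "lincoln elementary",
        "first car": "Honda Civic",
        "first pet": "sir barksalot",
        "favourite teacher": "wrong answer",
    }
    print(verify_answers(record, attempt))  # three of six match, so True
```

Because `verify_answers` only counts matches, a caller can combine it with rate limiting and lockout on repeated failures; the hashing work factor also slows offline guessing if the enrollment store is ever exposed.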