What is Self-Service Password Reset (SSPR)?
Self-service password reset solutions help the service desk and business in security and productivity.
As technology evolves and identity theft and data breaches increase, the cost of running the service desk is going up and the demands on the CISO are ever growing. Self-service password reset solutions have evolved over the years to help the service desk, and ultimately the business, with security and productivity.
This article takes a comprehensive look at self-service password reset applications, what they are, how they work and how they can benefit a business.
What is AD Self-Service Password Reset?
Active Directory self-service password reset is the process, and the technology, that enables a user who has either forgotten their password or been locked out of their account to securely authenticate with an alternative factor and resolve their own issue by resetting their password or unlocking their account, without relying on the service desk.
Since Microsoft Active Directory has cornered the market when it comes to user directories, self-service password reset solutions interact with Active Directory as standard, giving employees the opportunity to manage their passwords on this system.
The primary process is that a user launches the self-service password reset portal from a web browser or workstation login prompt. They then need to establish their identity by some factor other than their forgotten or disabled password, such as a series of challenge-response questions. Finally, if all goes well, they can set a new password, unlock their account, or do anything else the portal allows, such as updating their user-specific details in Active Directory.
Benefits of Password Self-Service
Password self-service offers many benefits to the business and to end-users; these can be categorised as financial benefits, productivity benefits and security benefits.
A Widmeyer survey reported that on average an employee loses $420 per year grappling with passwords, and with 37% of the 1000 people surveyed resetting their password more than 50 times per year, the losses in productivity alone can be staggering.
A recent survey by the Ponemon Institute, which interviewed over 15000 IT professionals, reports a loss of $450 million on average per company due to manual password management tasks.
When you factor in the cost of the support staff and service desk staff required, the savings from eliminating passwords alone may begin to justify a transition more rapidly.
Productivity benefits centre around speed and efficiency: rather than an employee who is locked out of their system waiting for an agent to unlock or reset their account, users are empowered to use self-service, allowing them to manage their passwords and account with immediate results and confirmation of success. In fact, self-service password reset is often a company's first venture into business automation. Unlike traditional methods, password self-service eliminates the need for a helpdesk ticket or a phone call to the service desk and reduces the wait time to a few clicks of a button for the end user, introducing them to an automated and instantaneous password self-service function.
Self-service password reset eliminates the need to talk to a service provider, and users have access to it regardless of the time of day; password self-service is typically available 24/7 via desktop or mobile devices. Self-service password reset expedites problem resolution for users and thus reduces service desk call volume.
Additionally, self-service password reset tools offer ways for users to keep their information secure: multi-factor authentication, security questions and confirmation emails all help users feel both in control and secure. Multi-factor authentication also adds a form of identity verification which is not available with a standalone password. By requiring a factor such as a mobile or hardware token before a user can access a password self-service portal, multi-factor authentication verifies that the user is the actual owner of the password, something which cannot be done with passwords alone or other authentication methods.
Self-service password reset ensures that password problems are only resolved after adequate user authentication, eliminating an important weakness of many service desks and reducing the chances of social engineering attacks and identity theft.
Password Reset Synchronisation
Most self-service password reset solutions offer password synchronisation, enabling users to manage passwords, subject to a single security policy, across multiple systems. It is an effective method of addressing password management issues, as it means users need to remember fewer passwords and can keep other systems like Google, Azure AD, Linux and LDAP secure by having the passwords on these systems updated regularly. Password synchronisation also reduces the number of password-related requests for help, which is the single biggest demand on service desk resources.
Password synchronisation can happen either transparently, where native password changes that already take place on Active Directory are automatically propagated to other connected user directories like Azure AD, Google or OpenLDAP, or manually, where the user selectively chooses which passwords to reset or change.
With the introduction of Azure AD, Microsoft's simplified cloud version of Active Directory, companies rely on an external product called Azure AD Connect, which allows any password changes performed on an on-premise Active Directory to be synchronised to Azure AD after a password self-service reset occurs. With self-service password reset solutions like LogonBox this process is sped up and extended: the password on the core on-premise AD is synchronised to Azure AD as it is reset or changed by the user, without any additional components like Azure AD Connect. It also allows passwords to be synchronised to more than just Azure AD, since it supports many other systems and user directories.
How Does Self-Service Password Reset Work?
When a user accesses the self-service password reset portal a workflow is initiated:
- Verify User
- Authenticate User
- Reset Password
- Notify User
The first thing that is triggered is verification: the end-user is asked to key in their username on the primary system, typically Active Directory, that is associated with the password being reset.
If successful, the next stage is that the user needs to authenticate to prove they are the owner of the account, and thus of the password in question. This requires an authentication flow to be preconfigured, which can consist of a multi-step authentication flow, a more secure multi-factor authentication process, or a mixture. Some solutions offer selectable authentication flows to choose from; others offer a single authentication flow.
If authentication is successful, the user can now enter a new password, which is checked against the security policy. This can be either the root password policy of Active Directory or, if the self-service password reset solution supports it, a fine-grained password policy.
In some solutions, the Active Directory password policy can be overridden to offer more stringent or configurable password policies. These are applied locally by the password self-service application rather than natively to Active Directory as a whole.
If this succeeds and password synchronisation is enabled, the new password is propagated to all linked systems.
Once the entire password self-service process has completed, the final step is that the end-user is notified of the change; this can be seen as a crucial final security measure in the process. If the change was made by an unscrupulous hacker, the user can inform an administrator.
SSPR Portal Registration
Before a user can use self-service password reset, they must have data present for the authentication methods that have been enabled. This is vital for any self-service product to operate; it is the only way it can verify that the user requesting a password reset or account unlock is the right user.
Any answer provided is compared against the set of data stored against the user's profile. In the case of something like multi-factor authentication, the self-service product will have the end-user's hardware device data stored, so it will send a one-time token to this registered device.
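As an added illustration of the four-step workflow (verify, authenticate, reset, notify) and of the enrolment data the portal compares answers against, the following is example code written for this article; it is not LogonBox's implementation. The in-memory Directory class standing in for Active Directory and a linked directory, the kdf helper, the sent_tokens and notifications stand-ins for the one-time-token push and the notification e-mail, and the POLICY values are all assumptions made for the example. Enrolled answers are stored salted and hashed, every comparison is constant-time, the one-time token is consumed on first use, the new password is checked against a locally applied fine-grained policy (including history) before being set on the primary and every linked directory, and the account owner is notified at the end.

```python
import hashlib, hmac, re, secrets
from dataclasses import dataclass, field
from typing import Optional

def normalise(answer: str) -> str:
    """Challenge answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())

def kdf(value: str, salt: bytes) -> bytes:
    """Salted, slow hash: stored answers and passwords are never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    locked: bool = False
    history: list = field(default_factory=list)   # previous password hashes
    answers: dict = field(default_factory=dict)   # question -> hashed answer
    device: Optional[str] = None                  # registered MFA device id

class Directory:
    """Constructed stand-in for Active Directory or a linked directory such as Azure AD."""
    def __init__(self) -> None:
        self.users: dict = {}

    def add_user(self, name: str, password: str) -> User:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, kdf(password, salt))
        return self.users[name]

    def set_password(self, name: str, password: str) -> None:
        user = self.users[name]
        user.history.append(user.password_hash)
        user.password_hash = kdf(password, user.salt)
        user.locked = False   # a successful reset also clears a lockout

# Portal registration: answers are stored hashed, alongside the registered MFA device
def enrol(user: User, answers: dict, device: str) -> None:
    user.answers = {q: kdf(normalise(a), user.salt) for q, a in answers.items()}
    user.device = device

sent_tokens: dict = {}    # constructed stand-in for the token push: device id -> token
notifications: list = []  # constructed stand-in for the notification e-mail

def notify(user: User, message: str) -> None:
    notifications.append(f"{user.name}: {message}")

def start_reset(primary: Directory, username: str) -> None:
    """Step 1, verify: look the username up and push a one-time token to its device.
    The response is the same whether or not the name exists (no account enumeration)."""
    user = primary.users.get(username)
    if user is not None and user.answers and user.device is not None:
        sent_tokens[user.device] = secrets.token_hex(4)

POLICY = {"min_length": 12, "history": 5}   # assumed fine-grained policy values

def check_policy(user: User, new_password: str) -> Optional[str]:
    """Policy applied locally by the portal; returns the violated rule, or None."""
    if len(new_password) < POLICY["min_length"]:
        return "too short"
    if not (re.search(r"[A-Z]", new_password) and re.search(r"[0-9]", new_password)):
        return "needs an upper-case letter and a digit"
    candidate = kdf(new_password, user.salt)
    recent = user.history[-POLICY["history"]:] + [user.password_hash]
    if any(hmac.compare_digest(candidate, old) for old in recent):
        return "reused from history"
    return None

def complete_reset(primary: Directory, linked: list, username: str,
                   given_answers: dict, otp: str, new_password: str) -> str:
    """Steps 2-4: authenticate, reset (with synchronisation), notify."""
    user = primary.users.get(username)
    if user is None or not user.answers or user.device is None:
        return "failed"
    # Step 2, authenticate: every enrolled answer plus the token sent to the device.
    # The token is consumed whatever the outcome; comparisons are constant-time.
    answers_ok = all(
        hmac.compare_digest(kdf(normalise(given_answers.get(q, "")), user.salt), h)
        for q, h in user.answers.items())
    otp_ok = hmac.compare_digest(sent_tokens.pop(user.device, ""), otp)
    if not (answers_ok and otp_ok):
        notify(user, "a self-service reset attempt failed")
        return "failed"
    # Step 3, reset: validate against the policy, then set it on every linked system
    violation = check_policy(user, new_password)
    if violation:
        return "policy: " + violation
    for directory in [primary, *linked]:
        if username in directory.users:
            directory.set_password(username, new_password)
    # Step 4, notify: the owner can raise the alarm over a reset they did not make
    notify(user, "your password was reset via self-service")
    return "reset"
```

A caller enrols a user once, then for each reset calls start_reset (which pushes the token) followed by complete_reset with the answers, the token and the new password. The single generic "failed" outcome for an unknown name, a wrong answer or a wrong token, together with the notification on a failed attempt, is what keeps the portal from becoming a cheaper target for social engineering than the service desk it replaces.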
Password Change Notification
Notifications can also be extended to provide an alert informing each user when their password is near expiration, allowing an end-user to perform a self-service password change rather than a password reset. This adds a level of security by encouraging users to change their password frequently across their main and/or linked accounts as well.
There are a number of ways the password self-service process can be launched: from a web browser, a mobile device or a workstation login prompt.
SSPR Web Browser
Domain users can reset their Active Directory password securely via self-service from a web browser, whether on their own desktop computer or on a shared kiosk computer. The convenience is that a web browser can be accessed from anywhere; the downside is that this might not suit all scenarios.
SSPR Workstation Login Prompt
To increase flexibility, self-service password reset software can offer password self-service from a workstation's login prompt (Windows and Mac are the ones most commonly supported), before a user has logged in.
This does require a component that integrates with the workstation operating system. For Windows it interfaces with the credential provider chain, allowing self-service password reset and self-service account unlock options to be shown at the login prompt.
For OS X the plugin needs to integrate with the OS X login chain to add the self-service options.
SSPR Mobile App
It is not uncommon to have employees working away from the office, and in cases where they become locked out of their workstation they need a way of resetting their password or unlocking their account without being at their workstation; a mobile app provides this convenience. Through an Android or iPhone app the user is able to manage their password and account without needing to call the service desk or be physically at the office.
Self-Service Password Reset Features
The operational costs of maintaining passwords, including service desk expenses for those who forget passwords and productivity losses because of too-many-attempts lockouts and other issues, are rising. Self-service password reset helps enforce strong credential policies, so you can reduce potential breaches resulting from poor password practices while at the same time increasing productivity and minimising service desk load. Typically, self-service password reset products achieve these benefits through a collection of features.
- Self-Service Password Reset:
Empowering end users to reset their forgotten Active Directory password without service desk intervention.
- Self-Service Account Unlock:
Empowering end users to self-service unlock their locked Active Directory account without service desk intervention.
- Password Notifications:
Pre-empting password resetting by notifying users on a schedule to update their password.
- Self-Service Password Change:
A change is user controlled, so password history is respected. This differs from a password reset, which is admin controlled (since the user cannot remember their password or the account is locked) and in which, in some products, password history is not respected.
- Integration with Workstation Login Prompt:
Self-service password reset and self-service account unlock integration from the workstation login prompt.
- Mobile App Support:
Self-service password reset and self-service account unlock via a mobile app.
- Password Synchronisation:
The ability to change/reset passwords on multiple user directories such as Azure AD, Google.
- Secure Authentication Methods:
An array of authentication methods to validate a user before attempting a self-service password reset or unlock action.
- AD Attribute Update:
Allowing users to access and update their information in Active Directory, such as contact information. Most solutions provide some control over this, so that not every attribute is exposed and some can be marked as read-only.
If you are looking for greater security and greater productivity, then self-service password reset tools can offer more. Here are some LogonBox-specific features; a more comprehensive list can be found here.
- Stronger Authentication with MFA:
Not only is there support for standard authentication, but it is extended to include MFA such as Yubikey, Duo Authentication and Google Auth.
- Synchronisation with More Systems:
Passwords can be synced across Linux, AS400 and LDAP to give broader support for self-service password reset and account unlock functionality.
- Active Directory User and Group Management:
Delegate the service desk to administer and interact directly with Active Directory, from creating new users in AD to updating AD groups, all from one interface.
- User Lifecycle Management:
Enable users to enrol into Active Directory by completing an enrolment form, assigning them to the right group, and when they leave, disable the account so they can no longer log in.
- Single Sign-On:
Secure webapps behind an SSPR portal so users can securely log in to assigned webapps with a single click; no passwords are ever shared or remembered, eliminating the chance of users accessing webapps outside of the organisation.
- Password Management:
The LogonBox password manager offers a secure way to store credentials and assign them to the right users through role-based access control. This eliminates the need for users to constantly write credentials down, and credentials can be changed and managed from a central place.
There are a number of ways software can be deployed, from on-premise to cloud, and self-service password reset can benefit from each of these.
On-premise deployment refers to the onsite server where the customer is expected to install the product. The benefit is that the customer is in full control and ownership of infrastructure, resources and software. Since self-service password reset is a web application it needs to run in a web server. Some installations use Microsoft IIS, whereas others install their own web server during installation.
LogonBox is unique in this aspect, as its on-premise deployment runs as a virtual machine. What this means is that all components are stored in a virtual image and extracted into the virtual server (such as ESXi or Hyper-V) at time of execution, so there are no prerequisites.
On-premise installations gain from whatever the underlying system offers, in the case of LogonBox the product benefits from the rollback and resource management offered by the underlying hypervisor.
Cloud computing allows people access to the same kinds of applications through the internet, and the adoption rate of cloud-based or Software as a Service (SaaS) applications has increased dramatically. A survey by Goldman Sachs highlighted that 70% of SMBs always consider a SaaS option and 58% prefer a SaaS option, if available.
Cloud deployments like LogonBox Cloud use a secure SSH agent to communicate with the on-premise Active Directory; beyond that, everything is done in the cloud. Self-service password reset in the cloud saves the need for installation, reduces the time to go-live and relieves any maintenance and management of hardware and software; for MSPs focused on the sale, this can be a real benefit.
Self-service password reset offers a wealth of benefits to the end-user, to the service desk and to the company's bottom line. When used appropriately it can offer better security protection than dated manual processes. Password self-service applications have moved on in leaps and bounds, offering more features than ever before and crossing into identity management, single sign-on, password management and documentation management to offer even greater benefits and efficiencies.
Not Already a LogonBox Customer?
Interested in LogonBox after this introduction to self-service password reset? Try LogonBox and get started for free: the LogonBox on-premise foundation is free for an unlimited number of users forever, with an affordable pricing model that scales as you do. You can learn more about LogonBox by checking out our website, blog, or simply by contacting us.
*** This is a Security Bloggers Network syndicated blog from LogonBox Journal authored by Majid Latif. Read the original post at: https://www.logonbox.com/en/journal/what-is-self-service-password-reset/