
How to reduce costs with self-service password resets


We all need to reset our passwords occasionally, whether it’s due to a simple memory lapse or wider security concerns. However, the process can rack up surprising expenses for organizations. This means self-service password resets (SSPR) aren’t just a ‘nice to have’; they are essential.

Of course, password resets are a part of life for IT teams: according to Gartner, 40% of help desk calls are tied to password expirations, changes and resets. With Forrester estimating that a reset costs $70, it’s not hard to see how the costs could soon add up.

This is where SSPR comes in. Because it enables users to securely change their own passwords (instead of calling the help desk), there could be significant financial savings.

Indeed, a Specops analysis of more than 700 organizations in our customer base found the average user of our uReset SSPR solution saved about $136 per end user. That’s not just a significant saving in a financial sense, but in terms of employee and service desk time too.

To put it simply, if users can reset their own passwords, they can get back to work sooner and service desks can focus elsewhere.

A need for security

However, there can be challenges, so it’s essential to ensure you approach SSPR correctly. In particular, the technology must be secure, to close the door to potential fraudsters and other criminals. For instance, there’s a risk that accounts can be compromised.

You’ll need to watch out for subtle signs of an issue, such as activity you don’t recognise, including password reset messages or changes to security settings.

Bad actors could pursue SIM-swapping fraud, where they port a victim’s number onto a rogue SIM to intercept SMS-based two-factor authentication codes and reset the person’s passwords for their own ends, such as accessing social media profiles or bank accounts.

So what’s the answer? A secure and effective system should be built across specified tiers, with different users ranked based on risk, from low to high. Highly critical elements could include the administration credentials for a database containing personally identifiable information, according to the UK’s National Cyber Security Centre (NCSC).
