Password resets have always been problematic for helpdesks. Not only are there significant costs associated with the password reset process, but the helpdesk staff’s time could be better spent helping those who are experiencing more significant problems.
In recent years, many organizations have looked to self-service password reset tools as a solution for offloading password reset requests from an overburdened helpdesk. There are currently several vendors offering such solutions. Although there are undoubtedly similarities between these solutions, each product also has its own unique features and capabilities.
Key Password Reset Features to Look For
Every self-service password reset product, native or third party, allows users to reset their own passwords. That’s a given. In addition to the basic password reset capabilities, third-party solutions can also include bonus features such as employee directory settings.
While these types of supplementary features are nice to have, IT pros must consider how a self-service password reset tool will actually be used in their own environments. Right now, one of the most important use cases is that of supporting remote workers. The COVID-19 pandemic has resulted in more employees working remotely than ever before. As such, it is important to look for a self-service password reset tool that includes features that are well suited to supporting a remote workforce.
Helpdesk verification: One such capability is that of an integrated helpdesk component. As important as it is for employees to be able to reset their own passwords, there may be some users who are uncomfortable with, or who have difficulty with, the process. In those situations, the helpdesk needs to be able to verify the user’s identity and reset their password for them. While it may be tempting to focus on the helpdesk’s ability to reset passwords, it is the identity verification component that is the most important. Without it, a social engineer might be able to gain access to an account by tricking the helpdesk staff into thinking that they are someone else.
Multi-factor authentication: Another absolute must-have feature is multi-factor authentication, which helps to positively verify a user’s identity before a password reset request is granted, regardless of whether the user is attempting to reset their own password or is requesting assistance from the helpdesk. The use of multi-factor authentication can help to prevent passwords from being compromised by phishing attacks or social engineering schemes.
Updating cached credentials: When a user logs into an Active Directory domain, their credentials are cached on their local computer as part of the logon process. This credential caching makes it possible for the user to log in locally, even if a domain controller isn’t available to process the request. The problem with this is that when a user’s password is reset, the change is only applied to Active Directory. The local machine still retains a cached copy of the user’s old password. Under the right circumstances, this can lead to the user being locked out of their computer.
Password Reset with a Third-Party Tool
One tool that meets all of the above requirements is from Specops. Its Active Directory password reset tool enables end-users to manage their password from any browser, their mobile device or right from the Windows logon screen. In the event that they call the helpdesk, the solution can provide an interface to helpdesk agents that enforces user verification prior to a password reset.
The password reset solution from Specops also uses multi-factor authentication to verify user identities, and goes beyond SMS text messages or challenge questions. In fact, Specops supports at least 15 different identity providers, including Duo Security, Okta Verify and the Google Authenticator app.
Finally, the solution supports the updating of cached credentials, which helps to prevent users from being locked out of their machines.