Complexity keeps growing

Mobile workforce

• Users need access to SSPR from anywhere, even before they establish a VPN connection.

Global network

• There may be hundreds of AD DCs.
• Users can't wait for changes made at one site to affect their account at another.

Smart cards and tokens

• Users forget their PINs and need to reset those too.

Smart phones

• These have passwords too.
• Should be both supported and leveraged.

Full disk encryption

• Every security-conscious organization is deploying it and feels the pain of key-recovery.

Integrate with IDM

• Provision a user -- and don't wait before he can do SSPR.
• Authenticate before launching a federated connection (SAML, WS*, Shibboleth).