In the beginning: a simple problem

Password management products started out in the mid-1990s as simple self-service password reset (SSPR) tools. Many products on the market today still support only this function.

Self-service password reset programs can be described as follows:

Table: Self-Service Password Reset Overview
Business challenge: The IT help desk is inundated with calls from users who forgot their password or locked themselves out. This can be as much as 35% of total IT support call volume and reaches a peak during the first morning of each work week.
Security exposure: The help desk password reset process is often vulnerable to security exploits. The staff in many help desk organizations can be fooled into resetting passwords for an impostor who either sounds too important to challenge or who can correctly answer the questions the analyst asks in order to authenticate the caller.
Root cause analysis: Users forget their passwords because: they have too many; they change passwords right before leaving work for the weekend or a holiday; or password complexity rules make passwords hard to remember. Users trigger lockouts by typing old passwords or by failing to notice the state of the Caps Lock or Num Lock keys on their keyboards.
Solution: Use a web application where users can authenticate by answering a series of security questions instead of typing their password. Users can then choose a new password without calling the help desk.
More detail: Security questions and answers may not be available for all users, or may be inadequate for reliable authentication. As a result, an enrollment web application is also required, where users can authenticate with their password and complete their profile with answers to security questions.
Solution benefit: The call volume at a typical IT help desk can be reduced by as much as 25%, so long as the system is effective and the user adoption rate is high.
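
The enrollment and reset flow described in the table above, sketched as an added example; it is not code from this paper or from any product. The names ResetService, MAX_FAILURES and ITERATIONS, the PBKDF2 storage of answers and the attempt limit are assumptions made for illustration.

```python
import hashlib, hmac, os

MAX_FAILURES = 3      # assumed attempt limit; the page does not give one
ITERATIONS = 100_000  # assumed PBKDF2 work factor

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def _normalize(answer: str) -> str:
    # Case and spacing differences should not fail a legitimate user.
    return " ".join(answer.lower().split())

class ResetService:
    def __init__(self):
        self.passwords = {}  # user -> (salt, hash)
        self.profiles = {}   # user -> {question: (salt, hash)}
        self.failures = {}   # user -> failed reset attempts

    def _store(self, secret):
        salt = os.urandom(16)
        return salt, _kdf(secret, salt)

    def _matches(self, secret, record):
        salt, expected = record
        return hmac.compare_digest(_kdf(secret, salt), expected)

    def set_password(self, user, password):
        self.passwords[user] = self._store(password)

    def enroll(self, user, password, answers):
        # Enrollment: the user proves identity with the current password.
        if user not in self.passwords or not self._matches(password, self.passwords[user]):
            return False
        self.profiles[user] = {q: self._store(_normalize(a)) for q, a in answers.items()}
        return True

    def reset(self, user, answers, new_password):
        profile = self.profiles.get(user)
        if not profile:
            return "not_enrolled"  # no stored answers: cannot self-serve
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"        # stop unlimited guessing of answers
        # Every enrolled question must be answered; check all, then decide.
        results = [self._matches(_normalize(answers.get(q, "")), rec)
                   for q, rec in profile.items()]
        if not all(results):
            self.failures[user] = self.failures.get(user, 0) + 1
            return "denied"
        self.failures[user] = 0
        self.set_password(user, new_password)
        return "reset"
```

The "not_enrolled" result is the case the "More detail" row describes: without a completed profile the user still has to call the help desk.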
