Limitations of point solutions
There are a few types of simple, "point solution" password reset systems on the market:
- Telephone-only systems, built around an interactive
voice response (IVR) system. Users call the help desk, their call
is redirected to the telephone password reset system, the system
performs some form of simple authentication (usually keying in or
speaking answers to one or two security questions) and the user
can then trigger a password reset. The new password is typically
randomly generated, because entering a chosen password over the
awkward voice/phone channel is error-prone. The system typically
only supports resetting AD passwords and cannot help off-site users
who forgot a password that is locally cached on their PC: the
reset changes the password in AD, but the cached credential on the
user's PC still holds the old one, so the user remains locked out
until the PC is back on the corporate network.
- Web-only systems, often offered by vendors of help desk ticketing
systems. Users who can reach the password reset web
portal (recall: users may be unable to sign into their
own PC, or may be off-site) answer one or a few security
questions and select a new password. Typically the new
password is set only on the user's AD account.
- Simple password reset included in IAM products. Similar to the password reset systems in help desk ticketing systems, but often with the addition of an icon on the login screen of corporate Windows PCs, so that when a user is on-site and their PC is physically connected to the corporate network, access to self-service from the OS login screen is possible.
All of these are inexpensive. In many cases, password reset is an included, "no cost" feature in a larger system (IVR, ticketing application, IAM system). However, these systems lack critical functionality:
- May not help users who forgot their OS login password (usually AD). Without a client software component on the PC, a user who cannot sign in has no way to reach the reset portal from that PC; and if the user is off-site, a reset in AD does not refresh the credential cached on the PC.
- Cannot help users who forgot their pre-boot drive encryption password or who forgot a locally cached password while away from the office.
- Usually can only manage AD passwords and not passwords on other platforms.
- Do not resolve login problems with other credentials, such as one time password devices, smart cards or smart phone apps.
- Authentication may be limited to one or a few security questions, which is neither secure nor user-friendly: answers to common questions are often guessable or discoverable, and with so few questions an attacker who learns the answers can reset the password, while legitimate users frequently forget their own answers.
- No effort is made to maximize user adoption rates, leading to low ROI which may be less than the system's total cost of ownership (TCO).
Organizations that are serious about resolving login problems regardless of user device type, location and credential type, and that aim to realize a significant and sustainable ROI, need more advanced capabilities.