swipe to navigate

Limitations of point solutions

There are a few types of simple, "point solution" password reset systems on the market:

  1. Telephone-only systems, built around an interactive voice response (IVR) system. Users call the help desk, their call is redirected to the telephone password reset system, the system performs some form of simple authentication (usually keying in or speaking answers to one or two security questions) and the user can then trigger a password reset. The new password is typically randomly generated so as to reduce user input via the awkward voice/phone call channel. The system typically only supports resetting AD passwords and cannot help off-site users who forgot a password that is locally cached on their PC.

  2. Web-only systems, often from vendors of help desk ticketing systems. Users who can reach the password reset web portal (recall: users may be unable to sign into their own PC or be off-site) answer one or a few security questions and select a new password. Typically the new password is only set on the user's AD account.

  3. Simple password reset included in IAM products. Similar to the password reset systems in help desk ticketing systems, but often with the addition of an icon on the login screen of corporate Windows PCs, so that when a user is on-site and their PC is physically connected to the corporate network, access to self-service from the OS login screen is possible.

All of these are inexpensive. In many cases, password reset is an included, "no cost" feature in a larger system (IVR, ticketing application, IAM system). However, these systems lack critical functionality:

  1. May not help users who forgot their OS login password (usually AD) -- this is a problem if there is no client software component and/or if the user is off-site.
  2. Cannot help users who forgot their pre-boot drive encryption password or who forgot a locally cached password while away from the office.
  3. Usually can only manage AD passwords and not passwords on other platforms.
  4. Do not resolve login problems with other credentials, such as one time password devices, smart cards or smart phone apps.
  5. Authentication may be limited to one or a few security questions, which is neither secure nor user-friendly.
  6. No effort is made to maximize user adoption rates, leading to low ROI which may be less than the system's total cost of ownership (TCO).

Organizations who are serious about resolving login problems regardless of user device type, location and credential type and who aim to realize a significant and sustainable ROI need more advanced capabilities.


Comment via LinkedIn