A credential management system should deliver three benefits:
Fewer credentials for users to remember and manage, and simpler, quicker and more convenient resolution of login problems.
Fewer help desk calls related to login problems such as forgotten passwords, intruder lockouts or tokens left at home.
Stronger and more consistent enforcement of policies around password composition, change frequency and reuse, as well as more reliable processes to authenticate users who experience a login problem, before assisting them.
A mission statement documented before the system is deployed is helpful for getting all stakeholders to cooperate. One way to formulate this mission statement is to capture the state of affairs before the system is deployed alongside the desired end state. The following is an example:
Credential management system objectives

| Area | Current state | Desired end state |
|---|---|---|
| User service / SLA | Users manage 8 different passwords, on average. | With password synchronization, users will only have to manage 2 passwords. |
| User service / SLA | Only some passwords expire, and they do so at different times. | Users will be prompted to change all passwords at the same time. |
| User service / SLA | Different systems enforce different password policy rules. | A uniform password policy will supersede multiple, inconsistent rules. |
| User service / SLA | Users sometimes forget their pre-boot password. | Enable self-service filesystem unlock via a smart phone app. |
| User service / SLA | Users sometimes forget their OS login password, in some cases while off-site. | Enable self-service password reset from the PC login screen, with VPN and WiFi integration to support users working outside the office. |
| IT support cost | 30% of total help desk call volume is due to login problems. | Password synchronization and self-service problem resolution will reduce this call volume by at least 80%. |
| IT support cost | 5% of total call volume is due to OTP token problems. | Offer self-service PIN reset and emergency passcodes via a smart phone app. |
| IT support cost | Help desk calls to resolve login problems take 10 minutes to resolve, on average. | Consolidate caller authentication, technician login, problem resolution and ticket generation behind a single UI, to reduce call duration to 2 minutes. |
| Security / authentication | Users have too many passwords and write them down. | Synchronization will eliminate the main user motivation for writing down passwords. |
| Security / authentication | Different systems and applications enforce different password policies. | Implement a uniform policy with a superset of password composition, reuse and change frequency rules. |
| Security / authentication | Users calling the help desk are not reliably identified. | Move most incidents to self-service and apply uniform authentication processes in both self-service and assisted-service contexts. |
| Security / authentication | Not all systems log password changes. | Who changed each password will be recorded on a central credential management system. |
| Security / authentication | Too many IT support staff have logins with elevated rights, required to reset passwords for people who call the help desk. | Support staff will reset passwords through an assisted-service portal, eliminating the need for such accounts. |
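The "uniform policy with a superset of composition, reuse and change frequency rules" objective is what makes password synchronization safe: a password accepted by the central system must also be accepted by every target system it is pushed to. The example below shows how such a superset is derived from several per-system policies and how a candidate password and its reuse history are checked against it. This is an added illustration, not code from any credential management product; the three system policies (mainframe, directory, ERP), their values and the sample passwords are constructed for this example, and the SHA-256 fingerprint used for the history check stands in for the salted, slow password hash a real deployment would use.

```python
"""Derive a uniform "superset" password policy from several per-system policies
and validate candidate passwords against it (added example; all policy values
below are constructed for illustration)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 8
    # Subset of {"lower", "upper", "digit", "symbol"} that must all be present.
    required_classes: frozenset = frozenset()
    max_age_days: int = 365          # change frequency: password must be changed within this period
    history_depth: int = 0           # number of previous passwords that may not be reused


# Constructed per-system policies; they disagree on every rule, as in the table above.
SYSTEM_POLICIES = [
    PasswordPolicy("mainframe", min_length=8, required_classes=frozenset({"upper", "digit"}),
                   max_age_days=90, history_depth=5),
    PasswordPolicy("directory", min_length=12, required_classes=frozenset({"lower", "upper", "digit"}),
                   max_age_days=180, history_depth=10),
    PasswordPolicy("erp", min_length=10, required_classes=frozenset({"symbol"}),
                   max_age_days=60, history_depth=0),
]


def superset_policy(policies, name="uniform"):
    """Combine policies so that any password satisfying the result satisfies each input.

    Strictest rule wins on every axis: longest minimum length, union of required
    classes, shortest maximum age, deepest reuse history."""
    return PasswordPolicy(
        name=name,
        min_length=max(p.min_length for p in policies),
        required_classes=frozenset().union(*(p.required_classes for p in policies)),
        max_age_days=min(p.max_age_days for p in policies),
        history_depth=max(p.history_depth for p in policies),
    )


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def fingerprint(password):
    """Hash stored in the central reuse history so clear-text passwords are never kept.
    SHA-256 is used here only to keep the example self-contained; a deployment would
    use a salted, deliberately slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate(password, policy, history):
    """Return the list of rule violations; an empty list means the password is acceptable.

    `history` is the list of fingerprints of earlier passwords, oldest first, as
    recorded by the central credential management system."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    missing = policy.required_classes - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # Guard the slice: history[-0:] would be the whole list, not an empty one.
    recent = history[-policy.history_depth:] if policy.history_depth > 0 else []
    if fingerprint(password) in recent:
        problems.append(f"reused within the last {policy.history_depth} passwords")
    return problems


def accepted_by_every_system(password, policies, history):
    """True when every target system would accept the password; this is what
    synchronization relies on, and what the superset policy guarantees."""
    return all(validate(password, p, history) == [] for p in policies)


if __name__ == "__main__":
    uniform = superset_policy(SYSTEM_POLICIES)
    print("uniform policy:", uniform)
    history = [fingerprint("OldPassw0rd!xyz")]
    for candidate in ["password", "Tr0ub4dor&3xyz", "OldPassw0rd!xyz"]:
        print(candidate, "->", validate(candidate, uniform, history) or "accepted")
```

Running the module prints the derived uniform policy (12 characters, all four classes, 60-day change interval, 10-password history) and then the verdict for each constructed candidate; the useful property to check in your own environment is that any password with an empty violation list under the uniform policy also passes `accepted_by_every_system`.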