System objectives

A credential management system should deliver three benefits:

  • Improved user service:

    Fewer credentials for users to remember and manage, and simpler, quicker and more convenient resolution of login problems.

  • Lower IT support cost:

    Fewer help desk calls related to login problems such as forgotten passwords, intruder lockouts or tokens left at home.

  • Stronger security:

    Stronger and more consistent enforcement of policies around password composition, change frequency and reuse, as well as more reliable processes to authenticate users who experience a login problem, before assisting them.

Mission statement

A mission statement documented before the system is deployed is helpful for getting all stakeholders to cooperate. One way to formulate this mission statement is to capture the state of affairs before the system is deployed and the desired end state. The following is an example:

Credential management system objectives

User service / SLA

  • Before: Users manage 8 different passwords, on average.
    After: With password synchronization, users will only have to manage 2 passwords.

  • Before: Only some passwords expire, and they do so at different times.
    After: Users will be prompted to change all passwords at the same time.

  • Before: Different systems enforce different password policy rules.
    After: A uniform password policy will supersede multiple, inconsistent rules.

  • Before: Users sometimes forget their pre-boot password.
    After: Enable self-service filesystem unlock via a smartphone app.

  • Before: Users sometimes forget their OS login password, in some cases while off-site.
    After: Enable self-service password reset from the PC login screen, with VPN+WiFi integration to support users working outside the office.

IT support cost

  • Before: 30% of total help desk call volume is due to login problems.
    After: Password synchronization and self-service problem resolution will reduce this call volume by at least 80%.

  • Before: 5% of total call volume is due to OTP token problems.
    After: Offer self-service PIN reset and emergency passcodes via a smartphone app.

  • Before: Help desk calls to resolve login problems take 10 minutes, on average.
    After: Consolidate caller authentication, technician login, problem resolution and ticket generation behind a single UI, to reduce call duration to 2 minutes.

Security / authentication

  • Before: Users have too many passwords and write them down.
    After: Synchronization will eliminate the main user motivation for writing down passwords.

  • Before: Different systems and applications enforce different password policies.
    After: Implement a uniform policy with a superset of password composition, reuse and change frequency rules.

  • Before: Users calling the help desk are not reliably identified.
    After: Move most incidents to self-service and apply uniform authentication processes in both self-service and assisted-service contexts.

  • Before: Not all systems log password changes.
    After: Record who changed each password on a central credential management system.

  • Before: Too many IT support staff have logins with elevated rights, required to reset passwords for people who call the help desk.
    After: Support staff will reset passwords through an assisted-service portal, eliminating the need for such accounts.
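As an added example that is not part of the original document, the following Python shows what the "superset" policy row above means in practice: for a synchronized password to be accepted by every target system, each rule must take its most restrictive value across systems (largest minimum length, union of required character classes, deepest reuse history, shortest change interval). The system names and rule values are constructed samples, not any product's defaults.

```python
"""Added example: merge per-system password rules into one uniform policy
and check a candidate password against it. All systems and values are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 0
    required_classes: FrozenSet[str] = frozenset()  # e.g. {"upper", "digit"}
    history_depth: int = 0          # previous passwords that may not be reused
    max_age_days: int = 10**9       # forced change interval; smaller is stricter


CLASS_PATTERNS = {
    "upper": r"[A-Z]", "lower": r"[a-z]",
    "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}


def superset_policy(policies: Dict[str, PasswordPolicy]) -> PasswordPolicy:
    """Take the most restrictive value per dimension so one password is valid everywhere."""
    values = list(policies.values())
    return PasswordPolicy(
        min_length=max(p.min_length for p in values),
        required_classes=frozenset().union(*(p.required_classes for p in values)),
        history_depth=max(p.history_depth for p in values),
        max_age_days=min(p.max_age_days for p in values),
    )


def violations(password: str, history: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    for cls in sorted(policy.required_classes):
        if not re.search(CLASS_PATTERNS[cls], password):
            problems.append(f"missing {cls}")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if password in recent:
        problems.append(f"reused within last {policy.history_depth}")
    return problems


# Constructed sample systems, each with its own inconsistent rules.
SYSTEM_POLICIES = {
    "directory": PasswordPolicy(8, frozenset({"upper", "lower", "digit"}), 24, 90),
    "mainframe": PasswordPolicy(8, frozenset({"digit"}), 5, 30),
    "erp":       PasswordPolicy(12, frozenset({"symbol"}), 10, 180),
}
UNIFORM = superset_policy(SYSTEM_POLICIES)
```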


