How to boost Security with Self-Service Password Resets

What happens when an employee at your organization forgets their password? If your workplace is like many, a forgotten password kicks off a frustrating, time-consuming process.

The employee must contact the IT department and then wait for them to respond to the request. And in the meantime? Their work productivity plummets, anxiety increases, and deadlines are jeopardized.

But is there a better way to handle the password reset process? Are there benefits to allowing end-users to control their own password resets? The answer is yes.

In this post, we’ll discuss the benefits of allowing users to reset their passwords and highlight ways to accomplish secure password resets with on-premises Active Directory.

The Benefits of Self-Service Password Reset

There are multiple benefits to allowing end-users to manage their own, passwords, including:

Saving time (and money): If users can reset their account passwords — in an Active Directory account, a Microsoft 365 account or another kind of account — they don’t have to ask IT for help. This represents a huge potential time savings for the IT team, meaning technicians can focus on more mission-critical, higher-value tasks.

Additionally, allowing users to reset their own passwords saves money. When you consider that responding to each IT support ticket costs a business between $15 and $37, and password reset calls often represent 20% to 40% of IT calls, it’s easy to see how facilitating self-service password resets will reduce costs.

Reducing risk of social engineering attacks: Many cybercriminals use password reset requests as an opportunity to gain access to a system, leading to devastating (and expensive) results — just ask MGM Resorts or EA Games, who fell victim to social engineering attacks in the past few years.

In a social engineering attack, the cybercriminal may pretend to be a user reaching out to IT for a password reset, hoping to deceive the technician into providing the info so they can gain access to the account.

However, social engineering is no longer an issue if an organization uses a third-party tool to manage the password reset process — verifying requests based on specific criteria like a one-time code from a device tied to a user.

Because the human factor is eliminated, so is the risk of the human (the IT tech) inadvertently leaking the data.

Empowering end-users: Allowing self-service password resets empowers users, allowing them to quickly regain access to their account and get on with their day without having to wait for an IT support technician to intervene. This is especially helpful when the user needs to reset a password late in the evening, on a weekend, or during a holiday, when IT technicians are less likely to be on-call and available.

Technical Solution: Active Directory coupled with Microsoft 365

Many organizations with an on-premises Active Directory also have a Microsoft 365 tenant. In these situations, the on-premises AD directory is synchronized with the Microsoft 365 tenant using Azure AD Connect tool to have the same users, groups, etc.

It’s worth noting that Microsoft offers the "Self-Service Password Reset" (SSPR) functionality, whose verification methods can be the same as for multi-factor authentication to facilitate the implementation.

To use Microsoft's SSPR, your organization must have one of the following user licenses:

Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft 365 Business Premium Microsoft 365 E3 Microsoft 365 E5

When the user needs to reset their password, they’ll use their smartphone or another computer to access the Microsoft portal — either by clicking on "I forgot my password" on the login page or after an incorrect password entry using the link on the screen that appears during the “password incorrect” message.

Technical Solution: Active Directory and Specops uReset. Looking for another way to reset passwords and leverage your existing 3rd part MFA investment?

Specops offers uReset, which perfectly integrates with Active Directory, allowing users to reset their passwords from their computer’s Windows login screen.

They can easily update the local cached credential when remote so they can keep working. They also have clear and dynamic end-user feedback.

Specops uReset offers two primary functionalities to the user:

The ability to submit a self-service password reset from the Windows login interface The ability to change the password from the Windows login interface or once logged in — something that is useful when the user needs to reset a password and is working remotely, as they can reset their password even if they can’t connect to the VPN

To use Specops uReset, you must register each user. Administrators can automatically enroll users with any provider that has identifier information in Active Directory — Mobile Code, Duo Security, Symantec VIP, Okta, PingID, and more — with no action required on the user’s part.

During enrollment, the user will also register with additional authentication methods, including SMS code, e-mail, Yubikey, Microsoft Authenticator, Google Authenticator, biometric authentication, secret questions, Duo, and more.

The solution administrator can also fully configure the user interface, changing available languages, text, and more. They can assign a number of stars to each user authentication method, giving one method greater weight in terms of its security configuration.

Then, when the user wants to reset their password, they must first verify their identity using multiple authentication methods, ultimately obtaining enough stars to prove that they are the originator of the request.

Specops uReset is a hybrid SaaS solution. The user facing components are hosted and the only component deployed locally on your infrastructure is a Gatekeeper server. However, all user registration information is stored in the Active Directory, not the cloud, since the latter serves only as a relay.

Specops uReset simply adds its attributes to the Active Directory, storing values ??securely. And deployment is straightforward with a group policy; you only need to deploy an agent on the user workstation.

From an IT support perspective, Specops’ Secure Service Desk solution allows IT pros to remotely authenticate users by asking them to verify their identity using a configured authentication method. This approach not only helps fight identity theft but also helps the organization protect itself from social engineering attempts.

To improve your company’s productivity — both for your end users and your IT support technicians — consider a self-service password reset solution.

Not only will this type of solution reduce calls to your helpdesk, but it will also save time, reduce costs, empower users, and help reduce the risk of data loss through social engineering hacks.

By investing in a self-serve password reset solution, you’ll be boosting efficiency, reducing frustration, and investing in your company’s short- and long-term success.

Sponsored and written by Specops Software.