More and more companies report that their user support service regularly receives a large volume of requests from users who have trouble logging on. If a user's account is locked or they have forgotten their password, they must ask support to reset the password or unlock the account.
These requests must be handled quickly, because the user cannot work until support intervenes, which affects productivity. Processing time varies from day to day, even within the same company, because several factors come into play (number of requests, request priorities, available resources, etc.). This remains one of the known challenges that must be addressed systematically.
For these reasons, it is becoming increasingly important to improve the user experience by giving users more control over their accounts and consequently, by providing a self-service feature. This feature provides the ability for a user experiencing access problems to unlock their account or reset their password without the intervention of a member of the user support team.
The process is security-sensitive. Whenever a subject affects both users and security, it triggers a lively debate within companies, with several stakeholders raising several concerns. Here are some of the main concerns and the corresponding answers:
We know that the weakest link in the chain is the user. Can we allow self-service password management from any location and on any device?
The answer is YES, we can: the Covid-19 context has shown that teleworking is a reliable solution for business continuity, so we need to follow this trend and take initiatives to continually improve the user experience.
However, certain conditions must be met beforehand:
- A password policy must be in place, properly applied and respected.
- Controls must be present to ensure the security of passwords.
- Users must be made aware of information security and fully understand the importance of keeping their passwords secure.
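The "password policy" and "controls to ensure the security of passwords" preconditions above are usually enforced at the moment a password is set, which is exactly the moment a self-service reset hands control to the user. The following Python is an added example, not code from the article or from any product, of the kind of check a reset endpoint can run before accepting a new password. The length, character-class, banned-word values and the leet-substitution table are constructed assumptions to be replaced by the organization's own policy; the banned-word approach is similar in spirit to, but not an implementation of, Azure AD Password Protection.

```python
import re

# Constructed policy values for this example; they are not the article's or
# any product's defaults and should be tuned to the organization's own policy.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
# Constructed banned-word list standing in for a corporate banned-password or
# breached-password feed.
BANNED_WORDS = {"password", "welcome", "summer", "winter", "qwerty", "letmein"}

# Common substitutions users rely on; undone before matching so that
# 'P@ssw0rd' is still caught by the banned word 'password'.
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})


def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions before substring matching."""
    return password.lower().translate(LEET_TABLE)


def check_password(password: str, username: str, display_name: str = "") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Count character classes present: lowercase, uppercase, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        violations.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")

    norm = normalize(password)
    # Identity tokens: the login name and each part of the display name.
    for token in [username] + display_name.split():
        if len(token) >= 3 and token.lower() in norm:
            violations.append(f"contains identity token '{token}'")

    for word in sorted(BANNED_WORDS):
        if word in norm:
            violations.append(f"contains banned word '{word}'")
    return violations


def is_compliant(password: str, username: str, display_name: str = "") -> bool:
    return not check_password(password, username, display_name)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "jdoe-Summer2020", "correct horse battery staple 9"):
        print(candidate, "->", check_password(candidate, "jdoe", "John Doe") or "OK")
```

The check returns every violation rather than stopping at the first one, so the reset page can tell the user what to fix in a single round trip; the normalization step matters because a policy that only compares raw strings is trivially bypassed by swapping a few characters.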
If the preconditions are met, can we embark on this adventure safely?
The answer is conditional and depends on what is already in place: certain elements must be present or added before this functionality is made available to users. Additional measures and controls must also be added to ensure a high level of security:
- Multi-factor authentication: the solution must support multiple authenticators, such as security questions, mobile authentication apps, mobile phone, desk phone, etc.
- Require users to register several authentication methods so that they have more than one way to regain access.
- Strengthen sign-in security by extending multi-factor authentication to self-service password management.
- Provide monitoring capabilities to quickly identify password change attempts.
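The last measure, monitoring password change attempts, is where the self-service feature gives the security team something to watch: a burst of failed resets against one account, or one source address driving resets for many accounts, are the patterns worth alerting on. The Python below is an added example, not code from the article or from Microsoft, of running two such rules over exported audit records. The log lines are constructed, and the record layout (flat `user` and `ip` fields, an `activityDisplayName` of "Reset password (self-service)") is an assumption loosely modelled on audit-log exports, not a guaranteed schema; thresholds and the time window are likewise assumed values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (one JSON object per line). Field names are an
# assumption loosely modelled on Azure AD audit-log exports, not a fixed schema.
SAMPLE_LOG = """
{"activityDateTime":"2023-03-01T08:02:10Z","activityDisplayName":"Reset password (self-service)","result":"success","user":"alice@example.com","ip":"203.0.113.10"}
{"activityDateTime":"2023-03-01T08:05:00Z","activityDisplayName":"Reset password (self-service)","result":"failure","user":"bob@example.com","ip":"198.51.100.7"}
{"activityDateTime":"2023-03-01T08:05:30Z","activityDisplayName":"Reset password (self-service)","result":"failure","user":"bob@example.com","ip":"198.51.100.7"}
{"activityDateTime":"2023-03-01T08:06:00Z","activityDisplayName":"Reset password (self-service)","result":"failure","user":"bob@example.com","ip":"198.51.100.7"}
{"activityDateTime":"2023-03-01T08:06:20Z","activityDisplayName":"Reset password (self-service)","result":"failure","user":"carol@example.com","ip":"198.51.100.7"}
{"activityDateTime":"2023-03-01T08:06:40Z","activityDisplayName":"Reset password (self-service)","result":"failure","user":"dave@example.com","ip":"198.51.100.7"}
{"activityDateTime":"2023-03-01T09:30:00Z","activityDisplayName":"Update user","result":"success","user":"admin@example.com","ip":"203.0.113.20"}
"""

SSPR_ACTIVITY = "Reset password (self-service)"
WINDOW = timedelta(minutes=10)   # assumed sliding window for both rules
FAIL_THRESHOLD = 3               # failed resets for one account inside WINDOW
SPRAY_THRESHOLD = 3              # distinct accounts reset from one IP inside WINDOW


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect(records: list) -> list:
    """Return (rule, subject, detail) findings for suspicious SSPR activity."""
    findings = []

    # Rule 1: burst of failed resets against a single account.
    per_user = defaultdict(list)          # user -> timestamps of failures in window
    for rec in records:
        if rec["activityDisplayName"] != SSPR_ACTIVITY or rec["result"] != "failure":
            continue
        window = per_user[rec["user"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > WINDOW:
            window.pop(0)                 # drop failures that aged out
        if len(window) == FAIL_THRESHOLD: # alert once when the threshold is crossed
            findings.append(("failed_reset_burst", rec["user"], rec["ip"]))

    # Rule 2: one source IP driving resets for many distinct accounts.
    per_ip = defaultdict(list)            # ip -> [(timestamp, user)] in window
    for rec in records:
        if rec["activityDisplayName"] != SSPR_ACTIVITY:
            continue
        events = per_ip[rec["ip"]]
        events.append((rec["ts"], rec["user"]))
        while events and rec["ts"] - events[0][0] > WINDOW:
            events.pop(0)
        users = {u for _, u in events}
        if len(users) == SPRAY_THRESHOLD:
            findings.append(("multi_account_reset_source", rec["ip"], sorted(users)))

    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Both rules use a sliding window keyed on the entity being watched (account or source address), which is the same shape you would give a SIEM correlation rule; the second rule deliberately counts successes as well as failures, because a source that resets several accounts successfully in a few minutes is at least as interesting as one that fails.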
Several solutions offer a simple and secure self-service password reset module. Businesses with an Office 365 Azure AD Premium P1, Premium P2 or Microsoft 365 Business license plan can take advantage of Azure Active Directory's SSPR feature, which can simply be activated, configured, combined with MFA and managed from the Azure portal.
Experience has shown that this solution meets the security requirements while providing activity reports that give the IT team an overview of registration and password reset activity within their organization.
Any organization wishing to meet the security challenge of offering users self-service password management must first have the necessary prerequisites for password security in place, and then plan additional measures and controls to ensure a high level of security and reduce potential risks as far as possible.