Article Details

How to boost Security with Self-Service Password Resets. What happens when an employee at your organization forgets their password? If your workplace is like many, a forgotten password kicks off a frustrating, time-consuming process. The employee must contact the IT department and then wait for them to respond to the request. And in the meantime? Their work productivity plummets, anxiety increases, and deadlines are jeopardized. But is there a better way to handle the password reset process? Are there benefits to allowing end-users to control their own password resets? The answer is yes. In this post, we’ll discuss the benefits of allowing users to reset their passwords and highlight ways to accomplish secure password resets with on-premises Active Directory. The Benefits of Self-Service Password Reset There are multiple benefits to allowing end-users to manage their own, passwords, including: However, social engineering is no longer an issue if an organization uses a third-party tool to manage the password reset process — verifying requests based on specific criteria like a one-time code from a device tied to a user. Because the human factor is eliminated, so is the risk of the human (the IT tech) inadvertently leaking the data. Technical Solution: Active Directory coupled with Microsoft 365 Many organizations with an on-premises Active Directory also have a Microsoft 365 tenant. In these situations, the on-premises AD directory is synchronized with the Microsoft 365 tenant using Azure AD Connect tool to have the same users, groups, etc. It’s worth noting that Microsoft offers the "Self-Service Password Reset" (SSPR) functionality, whose verification methods can be the same as for multi-factor authentication to facilitate the implementation. To use Microsoft's SSPR, your organization must have one of the following user licenses: When the user needs to reset their password, they’ll use their smartphone or another computer to access the Microsoft portal — either by clicking on "I forgot my password" on the login page or after an incorrect password entry using the link on the screen that appears during the “password incorrect” message. Technical Solution: Active Directory and Specops uReset. Looking for another way to reset passwords and leverage your existing 3rd part MFA investment? Specops offers uReset, which perfectly integrates with Active Directory, allowing users to reset their passwords from their computer’s Windows login screen. They can easily update the local cached credential when remote so they can keep working. They also have clear and dynamic end-user feedback. Specops uReset offers two primary functionalities to the user: To use Specops uReset, you must register each user. Administrators can automatically enroll users with any provider that has identifier information in Active Directory — Mobile Code, Duo Security, Symantec VIP, Okta, PingID, and more — with no action required on the user’s part. During enrollment, the user will also register with additional authentication methods, including SMS code, e-mail, Yubikey, Microsoft Authenticator, Google Authenticator, biometric authentication, secret questions, Duo, and more. The solution administrator can also fully configure the user interface, changing available languages, text, and more. They can assign a number of stars to each user authentication method, giving one method greater weight in terms of its security configuration. Then, when the user wants to reset their password, they must first verify their identity using multiple authentication methods, ultimately obtaining enough stars to prove that they are the originator of the request. Specops uReset is a hybrid SaaS solution. The user facing components are hosted and the only component deployed locally on your infrastructure is a Gatekeeper server. However, all user registration information is stored in the Active Directory, not the cloud, since the latter serves only as a relay. Specops uReset simply adds its attributes to the Active Directory, storing values ??securely. And deployment is straightforward with a group policy; you only need to deploy an agent on the user workstation. From an IT support perspective, Specops’ Secure Service Desk solution allows IT pros to remotely authenticate users by asking them to verify their identity using a configured authentication method. This approach not only helps fight identity theft but also helps the organization protect itself from social engineering attempts. Boost Productivity, Reduce Frustration To improve your company’s productivity — both for your end users and your IT support technicians — consider a self-service password reset solution. Not only will this type of solution reduce calls to your helpdesk, but it will also save time, reduce costs, empower users, and help reduce the risk of data loss through social engineering hacks. By investing in a self-serve password reset solution, you’ll be boosting efficiency, reducing frustration, and investing in your company’s short- and long-term success. Sponsored and written by Specops Software.