Best Practice: How to Securely Use a Self-Service Password Reset Solution

By Amritesh Singh | 05.18.2015 | IT Operations

Self-service password reset solutions are a great way to reduce the workload of IT departments and help desk administrators. According to a recent study conducted by system analysts, 30% of the queries sent to the IT helpdesk relate solely to password and account management. These queries not only increase the workload of IT departments but also reduce productivity.

Organizations can get rid of this problem by enabling a self-service password reset solution for end users. This frees administrators to accomplish other important tasks instead of handling user account management requests.

However, apart from installing a self-service solution to reduce admin workload, one must also take care to make it a secure way of sharing that workload. Allowing end users to directly unlock accounts or reset passwords calls for stringent security measures to be in place in exchange for the added convenience.

Here are a few tips to make self-service solutions more secure:

  • Strong passwords remain the best way to keep intruders at bay, so enforce a strong password policy on the passwords that users set through the self-service portal.
  • If possible, avoid storing system passwords in the self-service database at all.
  • Administrators must follow a secure identity authentication process: choose at least four challenging security questions for authentication. It is always recommended that administrators define the questions themselves, in order to make the authentication process stronger and more secure.
  • After setting the authentication questions, it is important to make the answers equally secure. There is no point in using hard questions if the answers are easy to guess. To avoid this situation, prohibit duplicate answers and enforce minimum length requirements.
  • Make sure that the self-service system locks out the user after three failed attempts. If a legitimate user is locked out due to failed attempts, he/she must get help from the administrator.
  • Users must also be logged out of the self-service portal after a minute or two of inactivity, so that an unattended session gives a potential intruder no window of opportunity.
  • Lastly, the tool of your choice must support SSL encryption of the data exchanged with the browser, to defeat prying eyes.
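The question-and-answer and lockout rules above can be turned into concrete policy checks. The following is an added illustration written for this article, not Lepide's code: it enforces at least four questions, no duplicate answers, a minimum answer length (the value 8 is an assumption; the article only says "minimum length"), stores answers only as salted hashes, and locks verification after three failed attempts.

```python
from dataclasses import dataclass
import hashlib
import hmac
import os

MIN_QUESTIONS = 4           # from the article
MIN_ANSWER_LEN = 8          # assumed; the article only says "minimum length"
MAX_FAILED_ATTEMPTS = 3     # from the article

def _normalise(answer: str) -> str:
    # Case- and whitespace-insensitive form, so "New  York" == "new york"
    return " ".join(answer.split()).lower()

def validate_enrollment(qa_pairs: list) -> list:
    """Return policy violations; an empty list means enrollment is OK."""
    problems = []
    if len(qa_pairs) < MIN_QUESTIONS:
        problems.append(f"need at least {MIN_QUESTIONS} questions")
    seen = set()
    for question, answer in qa_pairs:
        norm = _normalise(answer)
        if len(norm) < MIN_ANSWER_LEN:
            problems.append(f"{question!r}: answer shorter than {MIN_ANSWER_LEN}")
        if norm in seen:
            problems.append(f"{question!r}: duplicate answer")
        seen.add(norm)
    return problems

def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so the self-service DB holds no plaintext answers."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, 100_000)
    return salt, digest

@dataclass
class ResetSession:
    """Failed-attempt counter: locks after MAX_FAILED_ATTEMPTS."""
    stored: dict            # question -> (salt, digest)
    failed: int = 0
    locked: bool = False

    def verify(self, question: str, answer: str) -> bool:
        if self.locked:
            return False
        salt, expected = self.stored[question]
        if hmac.compare_digest(expected, hash_answer(answer, salt)[1]):
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_ATTEMPTS  # admin must unlock
        return False
```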

The best way to perform password resets/unlock accounts

Self-service activities are governed by the user validation policies composed by the system administrator. These solutions generally allow users to unlock their accounts or reset their passwords by three possible means: directly from the login screen, by authorizing a co-worker, or by using a web browser.

The above-mentioned ways are not always secure, as they have certain loopholes associated with them. For example, how will a person access a web browser if his account is locked? Obviously a system cannot be accessed if the account is locked or the user has forgotten his/her password. In this case, the user has to borrow a co-worker's system. But relying on co-workers is not a foolproof solution either, as it requires more time and coordination to get the job done.

Another way is vouching by co-workers. For this to work, the user must authorize them in advance to unlock the account or reset the password. Ultimately, the co-worker sets the new password and therefore knows it, which is not secure. To avoid this situation, the user has to take one more step after the reset, i.e. change the password again, which involves extra effort.

Apart from these drawbacks, if the authorized co-worker is not available, the end user will eventually have to contact the administrator. If that is the case, what is the point of using a self-service password reset solution at all?

So the self-service task becomes cumbersome and insecure because of these shortcomings. Lepide Active Directory Self Service (LADSS) is available to help you get rid of these problems. It integrates GINA/CP (Graphical Identification and Authorization), which allows end users to use the self-service features directly from their login (Ctrl+Alt+Del) screen.

A few benefits offered by the GINA/CP integration are:

  • It allows users to execute the self-service task in a more secure manner.
  • It allows users to update Active Directory with their latest personal information.
  • It needs only one click to perform the task.
  • It eliminates the need to use other systems on the network.
  • There is no need to ask co-workers to reset the password or unlock the account on your behalf.


With Lepide Active Directory Self Service, end users can easily execute self-service tasks, but under the observation of the administrator. This software helps save valuable time, money and resources. Besides unlocking accounts and resetting passwords, it offers various other features such as reports and schedules, password expiry notifications and bulk enrollment, which ultimately lead to an increase in organizational ROI.

Lepide® is a Registered Trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.