EVALUATION GUIDE. Evaluating a Self-Service Password Reset Tool. Usability. The password reality

Transcription

1 EVALUATION GUIDE Evaluating a Self-Service Password Reset Tool This guide presents the criteria to consider when evaluating a self-service password reset solution and can be referenced for a new implementation or to achieve more cost savings from an existing solution. Self-service password reset tools can reduce the number of password-related service desk requests, saving a company time and money. Achieving significant savings, or even eliminating passwordrelated errands at the service desk, requires looking at factors that affect user enrollment, adoption and security. The password reality Passwords continue to be the primary method of user authentication in most organizations. The reasons are simple: passwords are well known, easy to use and do not require any investment in hardware or infrastructure. The same simplicity is also what makes the password the most attractive authentication mechanism for online services, where more complicated login requirements might turn away potential users. The introduction of smartphones and the complexity in managing personal devices in corporate environments also make it necessary for many organizations to keep using passwords, even if they have also invested in stronger authentication methods. In most cases this might be the only way for the user to be able to access the corporate account from their phone. However, when end users forget their passwords, the business suffers. Forgotten passwords are driving costs within IT and limiting end-user productivity. Analyst firm Gartner estimates that 40 percent of total contact volume for IT service desks is password related. Password complexity requirements are constantly changing thanks to new threats, password list leaks and compliance demands. Where eight characters with moderate complexity was considered adequate several years ago, companies now demand longer and more complex passwords to access business-critical information. The result is an increase in password-related service desk volumes. Whatever your situation, you have identified the need for a self-service password reset solution so now let s take a look at how you can make the best choice for your investment. Usability To ensure return on investment users have to use the system. The user experience offered by the tool is critical. When introducing a self-service password reset tool you are asking end users to perform a set of actions that is different from how they reset their password today. The key is to ensure that the tool delivers an experience that is an improvement on the current process. If users contact the service desk for help resetting passwords today, tomorrow s process needs to deliver benefits to the end users such as more convenience and time savings.

2 Accessibility A solution that delivers an improved user experience for end users has to be highly accessible. Accessibility needs can differ depending on the organization but there are several commonalities for all companies. A highly accessible tool should be possible to reach no matter where the users are or what device they are using when the password problem occurs. With the expectation of selfservice, the solution also needs to be available during all hours of the day. Evaluation criteria: Is the tool accessible in all possible scenarios? Accessibility features and capabilities: Computer desktop Web browser Mobile application 24/7 operation Enrollment Enrollment is the process of collecting any end user information necessary to be able to authenticate the user without a password when the password needs to be reset. This can be handled by requiring end users to answer security questions, register a mobile phone number, or assigning other forms of authentication to the account. Enrollment can also be managed by the IT staff with admin enrollment. Look for systems that support a variety of admin-enrollment options that remove this task from the end-user to ensure first time success when a password reset or account unlock need arises. Informing the end users that they need to enroll through effective communication channels is also an essential part of the enrollment process. Users cannot start using the solution before they are enrolled, but getting them to do so can be tricky unless they are encouraged to start the process. Repeated personal reminders through or even SMS are very effective tools to guide the users in the right direction. Evaluation criteria: Is the enrollment process quick and intuitive? Accessibility features and capabilities: Admin enrollment Multiple choice between a variety of authentication methods Highly-accessible enrollment Personal enrollment reminder methods Simple end-user interface with guided steps

3 Password reset or account unlock Resetting a password or unlocking a locked account is the fundamental functionality offered in a selfservice password reset tool. Usability is an essential criteria for delivering a positive experience for end users. When a user accesses the tool for the first time with a need, success is measured by their ability to meet that need without contacting the service desk. Another key aspect of creating a positive experience with the password reset process is to show end users what is expected of them when setting a new password. Everyone has been faced with the frustrating experience of choosing a password only to be told that it fails to meet the policy requirements. Look for a solution that displays password complexity rules to help users know if they have satisfied the policy or not. Letting the end user know that the reset or unlock process was successful is also an important feature. Such notifications should not only be presented during the actual reset process, but also be sent by or SMS to make sure that the user is also alerted if someone attempts to gain control over their user account through the self-service solution. An especially good use of SMS notifications is to inform the user that their password has been reset and they now need to change the password in the account on their smartphone as well. Evaluation criteria: Do users experience first-time success when using the tool? First-time success features and capabilities: Admin enrollment Multiple choice between a variety of authentication methods Highly accessible Real-time display of password complexity requirements End-user notifications Simple end-user interface with guided steps

4 Security Security is a key evaluation criteria in a self-service password reset tool because you are responsible for knowing who is accessing the tool and that the correct person is resetting the password. You do not want to invest in a solution that leaves your users vulnerable to attacks. If the solution only relies on low-security authentication methods like questions and answers, which are prone to social engineering, you are opening your users up to attacks. Look for a solution that supports multi-factor authentication, uses trusted authentication technologies and can be adapted to different security needs. Authentication Authentication is the process of verifying the identity of a user. Typically this process requires the user to make a claim about their identity by entering their user name and then proving the claim by providing the correct answers to previously registered security questions. However, good authentication solutions should include far more flexible, and most importantly, stronger authentication mechanisms. Look for solutions that can leverage other identity providers you already trust to authenticate users. This approach is common in single-sign on solutions but can be extended to self-service solutions to ensure extensibility while lowering complexity. Solutions that manage authentication end-to-end are typically not very extensible, making it difficult to add and support new authentication attributes as integration to third-party services are required all of which handle identity differently. Such solutions also need to store sensitive user account and password data to manage authentication internally. This information typically ends up in a separate database, which increases security risk in addition to the fact that it can lead to synchronization issues. If password data is not provisioned in real-time between the solution and the main user directory service you can be sure that this will lead to increased calls to the service desk. Evaluation criteria: Does the solution support multiple authentication methods to securely and reliably verify the identities of the users? Authentication technology features and capabilities: Supports multiple trusted identity providers Avoids separate database storage of passwords and user data

5 Multi-factor authentication Multi-factor authentication relies on two or more authentication methods using different factors from the commonly recognized authentication factor categories: something you know, something you have, something you are. Multi-factor authentication aims to increase the difficulty for an attacker to obtain sufficient information to falsely claim an identity. For instance, by combining the need to both know a secret (password) and being in possession of an object (such as a smartphone) in order to authenticate, the challenge to the attacker is increased. Multi-factor authentication is a good security practice and the preferred method of authentication for password resets solutions and can be applied to all or parts of your organization. When evaluating, look for a solution that supports a variety of authentication methods relying on different authentication factors, with special consideration to higher-trust methods. If you have existing investment in higher trust authentication methods, ensure that these can also be used by your selfservice password reset tool. Evaluation criteria: Which authentication methods and factors are supported? Multi-factor authentication features and capabilities: Trusted external identity providers, such as external company or personal identities SMS based One-Time Password Soft tokens, preferably smartphone based Higher-trust identity services Security questions Ease of identity service enrollment Data security A self-service password reset tool should not, in itself, open you up for data breaches. Where and how the data is stored is an important aspect of the security of the total solution. Choose a solution that leverages technology that does not depend on a separate database to store user data, enrollment data or passwords. The introduction of a separate database as mentioned previously can open you up to additional cost due to backup needs, synchronization issues with the user directory and other connected systems, and additional security risks. Data security concerns also include who is able to access the data, once collected and stored. End users may have legitimate privacy concerns around the information about themselves that they choose to share with their organization. In these situations it is important to ensure that the data stays private, even from administrators within their own organization. This requires the solution to encrypt both network traffic and the data that is stored. Good solutions store user data as close to the user objects as possible. Preferably in the same directory service where the user account is stored.

6 Evaluation criteria: Where and how is data stored? Data security features and capabilities: Active Directory integration for data storage Encrypted user data Differing security needs Not every company has the same security needs, and these can differ within the same organization. While it may be critical to apply multi-factor authentication requirements to certain people or departments, the need may not be justifiable in other parts of the same organization. Look for a solution that matches your security requirements and offers flexibility to address differences between departments or roles in the organization. Evaluation criteria: Are your security needs going to be met? Security needs features and capabilities: Variety of identity services with different levels of security, including higher-trust services Flexible settings which are possible to assign on a group or role level Summary Once you have checked off these boxes take a step back and ask yourself am I sacrificing usability for security or vice versa? The optimal choice would ensure that you are able to strike the right balance between security and flexibility needs. This balance is attainable with solutions that: Are highly accessible, no matter what device the user is using or where they are Ensure 100 percent enrollment rates with pre-enrollment options Do not require user provisioning from your directory service Support flexible multi-factor authentication to address varying security levels within your organization Exploits mobility by turning mobile handsets into high impact, high-trust devices for authentication and notifications Maximize existing assets such as Active Directory data, mobile handsets, authentication hardware and end-user/company established identities Do not require a separate database for password data and rely on trusted identity providers for user authentication.