In today's complex IT environments, users typically have multiple passwords to manage for a variety of applications or access levels. Eighty percent of all users have 3 or more passwords to manage, but many more are possible depending on their system access needs (Safenet 2004). Users end up jotting passwords on note paper, thus threatening the security of the system, or they simplify life by reusing passwords or choosing weak ones where the system permits, even though these are unsafe security practices. Meanwhile, security-minded IT organizations often implement strong password measures which inadvertently add to the burden, requiring users to recall complex formulations and change them frequently. Compliance with auditing and regulatory requirements, such as Sarbanes-Oxley and HIPAA, further tightens the password security net and, in turn, further confounds the user. Quite simply, password practices that improve security are by their nature burdensome to the user, resulting in passwords that are difficult to remember and that are often changed at about the time they have finally been memorized. Yet password security remains a cornerstone of system security: as much as 80% of security breaches take place not through arcane hacking and virus attacks, but through system infiltration facilitated by use of a password. It remains in the best interests of the organization to have strict password requirements that mitigate the risk of system access by hostile parties. These are also the kinds of passwords best designed, it seems, to be forgotten by busy and distracted users. Given this environment, it is no surprise that industry analysts find that 30% of all help desk calls across the industry are about password issues, at a cost averaging $30 to $60 per call. Multiplied across an organization, this support cost can be huge. While necessary to system security, troubleshooting passwords is a large time sink for sys admins and help desk staff. This low-level, repetitive activity siphons valuable support resources away from higher-priority or more productive tasks.
Self-Service Reset Utilities

The solution that has evolved for this problem is the self-service password reset utility. At their simplest, products of this sort enable the user to reset a password or clear an account lockout independently of the help desk, typically through a browser-based portal. Some versions of this product require that users first find a browser to use, which they are unable to do at their desktop, because they cannot log into their system and gain access to their own browser. A common workaround is for the user to access a special kiosk system installed nearby in the workplace, or to interrupt a colleague and borrow his or her computer for a few minutes. The better-designed reset utilities are activated by a link from the user's logon prompt, so the individual can proceed with their troubleshooting from their own desk. Self-service reset products first validate the user as someone authorized for access to the system. Then the user is walked through a password change dialog that instantly resets their password and, if needed, unlocks their account without further intervention from the help desk.
User Validation

Most reset products validate the user via a data match against a profile previously set up by the user. Typically, the user will have answered multiple personal questions, such as a favorite pet's name or the first street they lived on, and one or more of these questions are presented to the user by the reset utility. To guard against unauthorized access attempts, the more flexible reset systems can be set to lock out someone who repeatedly enters incorrect answers to these validation questions. The questions are generally pre-selected by the system administrator who set up the reset product, although some products allow users themselves to choose which questions they prefer to answer. To load a profile database with user information, an IT department usually introduces the self-service solution to end users with an email and one-click links to the process. Yet no matter how many admin emails are sent out, some portion of users will fail to set up a password profile if it is a voluntary process. This issue can be avoided with profile preloading, in which an organization loads the profile database with HR data such as SSNs or mothers' maiden names.
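As an added illustration (not code from this paper or from any reset product), the validation step described above modelled in Python: a profile store keeps salted hashes of normalized answers, counts failed validation attempts, and locks the profile after an assumed threshold of three failures so that only the help desk can clear it. The names ResetProfileStore and MAX_ATTEMPTS, and the threshold value, are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed lockout policy, not a value from the paper


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "Rex" and " rex " compare equal
    return " ".join(answer.lower().split())


def _hash(answer: str, salt: bytes) -> bytes:
    # Answers are secrets: store a salted, slow hash, never the plaintext
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


class ResetProfileStore:
    # Hypothetical profile database behind a self-service reset portal
    def __init__(self) -> None:
        self._profiles = {}

    def enroll(self, user: str, answers: dict) -> None:
        # Called when the user sets up (or IT preloads) the validation profile
        salt = os.urandom(16)
        self._profiles[user] = {
            "salt": salt,
            "answers": {q: _hash(a, salt) for q, a in answers.items()},
            "failures": 0,
            "locked": False,
        }

    def is_locked(self, user: str) -> bool:
        p = self._profiles.get(user)
        return p is not None and p["locked"]

    def validate(self, user: str, given: dict) -> bool:
        # True only if every enrolled question is answered correctly
        p = self._profiles.get(user)
        if p is None or p["locked"]:
            return False  # unknown and locked users get the same answer
        ok = all(
            q in given and hmac.compare_digest(_hash(given[q], p["salt"]), h)
            for q, h in p["answers"].items()
        )
        if ok:
            p["failures"] = 0
            return True
        p["failures"] += 1
        if p["failures"] >= MAX_ATTEMPTS:
            p["locked"] = True  # only the help desk clears this, not the user
        return False
```

A real deployment would persist the profile rows and failure counters server-side and log each lockout so the help desk can see repeated validation failures against an account.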