Active Directory password reset is a day-to-day help desk routine that takes a lot of time. Statistics show that IT support personnel handle password reset calls for almost 40% of their working day. Each call includes a greeting, authentication, execution of the reset, confirmation, and a goodbye. Multiple surveys have been conducted on this basis, taking into account average help desk wages, the percentage of password reset calls, and the time consumed. Generalizing their results, the average cost per password reset call varies from $15 to $20, which is pretty expensive. So is there a way to minimize password reset expenses without a loss in security? Adaxes allows decentralizing password reset and account unlock by providing secure Self-Service Password Reset to end users.
Self-Service Password Reset, which enables end users to reset their Active Directory passwords on their own, can significantly reduce costs for your company. Let's say the average salary of a help desk employee is $50,000 per year. With 40% of their time spent on password resets, $20,000 of that salary pays for resetting passwords. But IT support is not the only one spending time on password handling. Users also waste working time waiting for a reset. Though it is only 20 minutes on average, across a large company it results in significant financial losses. If we take a look at statistics, we'll see that a company with 1000 users and average password reset activity can save about $20,000 per year. As one can see, the result of introducing a Self-Service Password Reset solution is very promising and, on average, the return on investment takes a couple of months.
Any delegation of rights to end users is risky and increases the possibility of malicious actions. That is why Self-Service Password Reset must guarantee that the user who initiates a password reset is really eligible to do so. It is therefore crucial to use strong identity-verification procedures.
Adaxes provides two means of delivering secure Self-Service Password Reset to end users: security questions and answers, and verification codes. Users can pass authentication by answering security questions from their personal Q&A profile and/or prove their identity by entering a verification code received by e-mail or SMS. Although each method is quite reliable, it is strongly recommended to combine them. Combining them prevents the access that would otherwise be possible by receiving an SMS code on a stolen mobile phone and/or by guessing answers, which has become much easier with the growth of social networking.
Though these methods are quite reliable, Adaxes Self-Service Password Reset additionally provides security measures to prevent attacks. The first is blocking a user account after a certain number of failed authentication attempts. The second is an email notification that informs users that their password was reset via the Self-Service Password Reset system and prompts them to contact an administrator if they did not perform the reset. The third is a captcha, a word verification image that helps prevent brute-force attacks. One more useful measure is statistics. They show all the information about password reset activity, including the IP addresses of the hosts from which a password reset was initiated. By monitoring multiple failed authentication attempts made from one or several IP addresses, one can locate the host of a possible attack and take preventive action.
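The monitoring described above can be sketched as follows. This is an added example, not Adaxes code: the record layout (timestamp, source IP, account, outcome), the sample data and the thresholds are assumptions made for illustration and do not reflect the Adaxes statistics format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, account, outcome).
SAMPLE = [
    # One host failing verification against several accounts.
    ("2024-05-01T09:00:05", "203.0.113.7", "alice", "failed"),
    ("2024-05-01T09:00:40", "203.0.113.7", "bob", "failed"),
    ("2024-05-01T09:01:10", "203.0.113.7", "carol", "failed"),
    ("2024-05-01T09:02:30", "203.0.113.7", "dave", "failed"),
    # One account failing verification from several hosts.
    ("2024-05-01T11:00:00", "198.51.100.1", "admin1", "failed"),
    ("2024-05-01T11:01:00", "198.51.100.2", "admin1", "failed"),
    ("2024-05-01T11:02:00", "198.51.100.3", "admin1", "failed"),
    ("2024-05-01T11:04:00", "198.51.100.4", "admin1", "failed"),
    # A user who mistypes twice and then succeeds.
    ("2024-05-01T12:00:00", "192.0.2.10", "erin", "failed"),
    ("2024-05-01T12:00:30", "192.0.2.10", "erin", "failed"),
    ("2024-05-01T12:01:00", "192.0.2.10", "erin", "success"),
    # Four failures spread over a working day: no burst.
    ("2024-05-01T08:00:00", "192.0.2.20", "frank", "failed"),
    ("2024-05-01T10:00:00", "192.0.2.20", "frank", "failed"),
    ("2024-05-01T12:00:00", "192.0.2.20", "frank", "failed"),
    ("2024-05-01T14:00:00", "192.0.2.20", "frank", "failed"),
]

def _burst(times, window, threshold):
    """True if `threshold` or more timestamps fall inside one `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def find_suspects(records, window=timedelta(minutes=10), threshold=4):
    """Return ({ip: accounts tried}, {account: source ips}) for failure bursts."""
    by_ip, by_account = defaultdict(list), defaultdict(list)
    for ts, ip, account, outcome in records:
        if outcome != "failed":
            continue
        t = datetime.fromisoformat(ts)
        by_ip[ip].append((t, account))
        by_account[account].append((t, ip))
    ips = {ip: sorted({a for _, a in ev}) for ip, ev in by_ip.items()
           if _burst([t for t, _ in ev], window, threshold)}
    accounts = {acc: sorted({i for _, i in ev}) for acc, ev in by_account.items()
                if _burst([t for t, _ in ev], window, threshold)}
    return ips, accounts
```

Grouping by account as well as by IP matters because failures spread across several hosts never trip a per-IP count, yet still show up as a burst against the targeted account.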
In any company there are many types of users with different privileges. The more rights a user has, the stronger the security policy his/her account must have. Administrators, for instance, have a significantly wider range of rights than general users do. That is why administrator accounts require a stricter Self-Service Password Reset policy. Regular users, in turn, can have a less strict verification procedure. To achieve this, Adaxes allows diversifying Self-Service Password Reset procedures for various user types. Thus administrators can have a lot of security questions and a low number of verification attempts. The same can work for help desk staff, but with fewer questions. General users can have the most modest policy.
Such an approach provides an easy and flexible way of applying strong verification requirements and security measures to the users who really need them, and delivers lighter procedures for others.
Adaxes Self-Service Password Reset allows users to reset their passwords when they are not on the corporate network. So, when somebody takes a domain-connected laptop home or on a business trip, they won't be locked out of their computer if they forget a password.
For more information on Offline and Offsite Password Reset see this article.
Unlike verification via SMS or email, which does not require any preparatory actions from a user, Q&A verification includes a preliminary step of defining security questions and answers. This process is called enrollment. Enrollment is an easy process of selecting security questions and answering them, which is implemented in the Adaxes Active Directory Web interface. Though this process does not take a lot of time, many users are too lazy or simply forget to perform it. To remind users of the need to enroll, Adaxes Self-Service Password Reset can send periodic enrollment invitations. This helps reach up to 100% user enrollment throughout the whole company within a tight deadline.
Adaxes Self-Service Password Reset allows monitoring password reset activity via convenient statistics. It enables checking the number of enrolled, not enrolled and blocked users, as well as failed and successful password resets. All this data is presented in a handy and user-friendly manner.
Adaxes Self-Service Password Reset enables users to reset their passwords or unlock their accounts anywhere at any time. It can be done via the Windows logon screen, which is essential for office users, or via the Web Interface, which is very helpful for those who work remotely. Everything takes just a few minutes.
The procedure for self-service password reset or account unlock is pretty simple.
By clicking the Reset password link on the Windows logon screen or in the Web Interface, a user gets to the Self Password Reset wizard, where he/she is asked to enter a user name.
If SMS or email verification is enabled, the user is asked to enter a code sent to his/her mobile phone or mailbox.
After the code is confirmed, the user is asked to answer security questions.
On success, the user obtains the right to reset the password.
If account unlocking is enabled, locked-out users can also unlock their accounts.
One of the common problems users face is the password requirements set by the password policy. Frequently, passwords are rejected because of incorrect length or character issues. This confuses and irritates users, because they do not understand what's wrong. In the end, they have to contact the help desk to find out the reason for the rejection.
Adaxes helps resolve this issue. It is possible to configure the Web Interface to show a custom message with password requirements and to allow users to check the effective password policy.
Adaxes can also generate a strong, secure password that meets all the requirements of the password policy and spell it out to make it easier to remember. All these features help end users perform a password reset seamlessly in a very short time.
For now, Self-Service Password Reset is the only way of conducting decentralized, secure and efficient Active Directory password resets and account unlocks throughout the whole company. It provides a return on investment within a couple of months and keeps working for your company, guaranteeing a streamlined workflow and saving resources.