Password and Identity Management: You’re doing it all wrong!

In the past 10 to 20 years, most medium to large organizations with an identity management program have deployed some sort of password management automation. This may be a self-service password management web portal, integrated with the corporate Active Directory, possibly with connectors to other applications and even code installed on corporate PCs, so that locked-out users can get help.

Sounds simple.  So why is the password-related call volume at the IT help desk high (still or again)?

To understand why password problems remain, we have to start with the basics.

Why did your organization deploy a self-service password reset system? Almost certainly in order to drive down help desk call volume, offer 24×7 user service and reduce IT support cost (i.e., operate the help desk with fewer people).

How do you get ROI from a self-service password reset system?  By changing processes so that (a) users experience fewer problems and (b) users resolve their own problems without calling the help desk.

Sounds simple.  So what’s not working?

First, few organizations bother looking at root causes. If you want to minimize password problems, then arrange for users to have fewer passwords (single sign-on, password synchronization, federation, directory integration, etc.), examine and perhaps update your password policy, and control when users are invited to change their passwords. Hint: Friday afternoon is not a great choice. A user whose newly changed password then fails on a laptop, a VPN client or a phone is stuck for the whole weekend, exactly when the help desk is thinnest.
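As an added example of "controlling when users are invited to change their passwords" (this is not code from the article or from Hitachi ID), the following Python job decides who gets a password-expiry reminder on a given day. It assumes user records carry pwdLastSet as a Windows FILETIME, the way Active Directory stores it, a single domain-wide maximum password age of 90 days, reminders at 14, 7, 3 and 1 days before expiry, and a rule that no reminder is ever sent Friday to Sunday; Thursday's run therefore also covers the reminders that would otherwise land on the weekend. The sample directory extract is constructed; a production job would pull pwdLastSet and the account list from AD.

```python
"""Decide which users are invited to change their password today.

Added example, not from the original article or from Hitachi ID. Assumptions
(all constructed for illustration): pwdLastSet is a Windows FILETIME, one
domain-wide maximum password age, reminders at 14/7/3/1 days before expiry,
and no reminders from Friday to Sunday.
"""
from datetime import date, datetime, timedelta
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1)
THRESHOLDS = (14, 7, 3, 1)          # days before expiry on which to remind
MAX_PASSWORD_AGE_DAYS = 90          # assumed domain policy (constructed)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> Optional[date]:
    """Expiry date for a user, or None if pwdLastSet is 0 (must change at next logon)."""
    if pwd_last_set == 0:
        return None
    return filetime_to_datetime(pwd_last_set).date() + timedelta(days=max_age_days)


def reminder_due(expiry: date, today: date, thresholds=THRESHOLDS) -> bool:
    """Return True if this user should be invited to change their password today."""
    days_left = (expiry - today).days
    if days_left < 0:
        return False                 # already expired: that is a lockout, not a reminder
    weekday = today.weekday()        # Monday == 0 ... Sunday == 6
    if weekday >= 4:
        return False                 # Friday, Saturday, Sunday: never prompt a change
    if weekday == 3:
        # Thursday: send today's reminders plus any that would fall on Fri-Sun,
        # so nobody is first nudged into a password change going into a weekend.
        return any(0 <= days_left - t <= 3 for t in thresholds)
    return days_left in thresholds


def reminders_for(users, today: date, max_age_days: int = MAX_PASSWORD_AGE_DAYS):
    """Account names to remind on `today`, in input order."""
    due = []
    for user in users:
        expiry = password_expiry(user["pwdLastSet"], max_age_days)
        if expiry is not None and reminder_due(expiry, today):
            due.append(user["sAMAccountName"])
    return due


# Constructed sample directory extract (not real accounts). With a 90-day
# maximum age: alice expires 2024-05-20, carol 2024-05-31, dave 2024-05-29;
# bob has pwdLastSet == 0 and must change at next logon, so is skipped.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(datetime(2024, 2, 20))},
    {"sAMAccountName": "bob",   "pwdLastSet": 0},
    {"sAMAccountName": "carol", "pwdLastSet": datetime_to_filetime(datetime(2024, 3, 2))},
    {"sAMAccountName": "dave",  "pwdLastSet": datetime_to_filetime(datetime(2024, 2, 29))},
]

if __name__ == "__main__":
    # Thursday 2024-05-16: alice (4 days left, Friday's 3-day reminder pulled
    # forward) and carol (15 days left, Friday's 14-day reminder pulled forward).
    print(reminders_for(SAMPLE_USERS, date(2024, 5, 16)))
```

The Thursday rule is the whole point: a threshold that would be hit on Friday, Saturday or Sunday is announced on Thursday instead, and Monday's run then sees those users already past the threshold and stays quiet, so no reminder is lost and none is issued going into the weekend.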

Next, to get users to resolve their own problems, you have to get a few things right:
(a) users must be aware of the service.
(b) the service must be available when users have a problem.
(c) the service must be reasonably easy to use, so they don't just give up and call anyway.

Many organizations fall short on at least the first two criteria. For example, if users have not enrolled security questions or some other way to authenticate when their password is forgotten or their account is locked out, then self-service is useless to them. If the password reset UI is not reachable from the login screen in front of the user (whichever login screen that is, at the time and place where the problem occurs), then users will call in.

In short, maximizing user enrolment before users experience a password problem is the key to success. If your organization has no plan to engage the user community to get them to answer security questions, enter a mobile phone number (for SMS PIN authentication), provide a voice sample (for voice biometric authentication), etc., then only 10% to 20% of users will provide this data, and so at most 10% to 20% of password-related help desk calls can be deflected.

You also have to consider where users are when they need help, both physically and in terms of which login screen they are facing, on their own device or on a corporate PC. This has become more complicated in the past few years.

Users may have to type a password before the operating system even starts, because your organization has (wisely) deployed a full disk encryption (FDE) package such as McAfee Endpoint Encryption or Symantec Drive Encryption. This means that a web-based password reset solution, or even one integrated with the Windows login screen, just won't work: there is no web browser, because the user hasn't booted the OS yet.

If a user forgets their pre-boot password, you have to provide self-service that they can reach from their phone (their PC is effectively a brick) and which integrates with your FDE key recovery server, typically through a challenge/response exchange: the pre-boot screen displays a challenge code, the user submits it from the phone after authenticating, and the recovery server returns a one-time response that unlocks the disk. Without this, password reset is inaccessible to any user who has forgotten their pre-boot password.

What about the Windows login screen? Technology to offer self-service password reset from the login screen has been available from many vendors for years, for example through a Credential Provider on Windows Vista or later, or a GINA DLL on Windows XP. The trouble is that your workforce is probably mobile, and most of these products only work when the PC is physically attached to your corporate network. Once the user moves away from their desk, working on your campus over WiFi, or elsewhere over wired or wireless connectivity plus a VPN, all bets are off.

To enable self-service password reset for disconnected users who may be working off-site, the password reset system has to integrate not only with the Windows login screen but also with your WiFi infrastructure and corporate VPN, so that the login screen can reach the reset service before anyone has logged in. There is a second catch: a domain password reset performed off-site does not update the credentials cached on the laptop, so the reset system must also bring the PC back in contact with a domain controller (or otherwise refresh the cached credentials) before the user can log in with the new password. Without this, mobile users cannot use self-service password reset.

So what now?

Simple: upgrade your password reset system to a modern solution, one that reduces password problems (synchronization, carefully timed password change reminders), actively engages users to get them to enrol, and works not only from a web browser and the PC login screen, but also pre-boot and off-site.

Idan Shoham
CTO
Hitachi ID Systems

Further information about Whitehall Media's Identity Management conference is available on the Whitehall Media website.