According to Forrester, a single password reset can cost an organization $70. As eye-popping as that figure may be, it pales in comparison to organization-wide password reset costs. Gartner estimates that up to 40% of all helpdesk calls are related to password resets. The sheer volume of password reset requests has led Forrester to estimate that large organizations are spending about a million dollars per year on the staffing and infrastructure necessary for handling password reset requests.
IT pros have long acknowledged that organizations can reduce costs while also lessening the burden on helpdesk staff by taking steps to reduce the number of password reset requests. In recent years, NIST, Microsoft, and others have revised their longstanding password best practices and some of these new guidelines have helped to reduce the volume of password reset requests. At the same time, however, some organizations are finding that complications stemming from remote work are negating the benefits gained by adopting the new password best practices (such as no longer requiring scheduled password changes).
So, what is it about remote work that so often increases the volume of password reset requests, driving up helpdesk costs in the process? The problem is tied to the way that the Windows operating system uses cached credentials.
Cached credentials are a safety feature that is built into Windows. Microsoft realized that there may be situations in which a device has trouble communicating with a domain controller, making it impossible to log in to the device and fix the problem. Cached credentials make it possible to log in to a device when no domain controller is available. Unfortunately, cached credentials can sometimes create password mismatches across devices. These mismatches can be costly and time-consuming to resolve.
Imagine for a moment that a hybrid worker goes into the office and logs on to the network using a domain-joined desktop. While the user is online, they are prompted to change their password. At this point, Active Directory knows the user’s new password, but the laptop that the user relies on for remote work is unaware of the password change. Hence the user has one device with the old password and another device with the new password.
Resolving the mismatch typically means getting the helpdesk involved and bringing the laptop into the office. This type of fix can be far more costly than a typical password reset because of the work that the helpdesk must do to correct the issue.
How Specops can help
If an organization is to drive down its password-related helpdesk costs, it needs to do two things. First, it needs to reduce or eliminate password-related calls to the helpdesk. Second, it needs to prevent cached credential mismatches from causing password issues in the first place. This is where Specops uReset can help.
Specops uReset is a self-service password reset solution that allows users to reset their own password without helpdesk intervention. Not only does uReset allow users to take care of their own password resets, but users can also unlock their account if it becomes locked due to too many failed logon attempts. These capabilities can significantly reduce the helpdesk call volume, leading to immediate cost savings. However, uReset can also help in other ways.
When a user requests a password reset, uReset updates the user’s locally cached credentials, preventing a mismatch from occurring. This helps to prevent account lockouts, while also reducing end user frustration and eliminating some of the most costly password-related helpdesk calls.
As a user resets their password, uReset guides them through the process with dynamic feedback that clearly shows how the user’s chosen password aligns with the organization’s password policy. In other words, as the user creates a password, the feedback shows whether the intended password is policy compliant and, if not, what they should do to fix it. Because of this dynamic feedback, the user should never have to call the helpdesk to figure out why their new password is not being accepted.
End-user password feedback with Specops uReset
Security is an important part of the password reset process, so any time that a user enters a new password, Specops uReset masks the password to prevent shoulder surfing. Specops uReset also enhances login security by extending multi-factor authentication to self-service password management.
Multiple authentication options guarantee that users will complete the password-reset task, even if an identity provider is unavailable. For example, if a user does not have their device when a password reset need arises, they can still verify with the social identity providers in their enrollment. Since not all identity providers are equally secure, administrators can assign each identity provider a trust value, based on its perceived level of security. This means that one identity provider can be worth twice as much as another during authentication. Users who choose high-trust providers will have fewer steps before they can reset their account. These MFA options ensure that the password reset process is secure, without the human element of verification.
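An added example, not Specops code: a small Python model of a weighted trust policy like the one described above, useful for reviewing such a policy before rollout. The provider names, trust values, required score and low-assurance classification are all assumptions made for illustration; the code lists the smallest provider combinations that pass and flags any that rely only on low-assurance providers.

```python
from itertools import combinations

# Constructed policy (assumed values, not taken from any product).
PROVIDERS = {
    "mobile_authenticator": 2,  # worth twice as much as the others
    "sms_code": 1,
    "social_login": 1,
    "security_questions": 1,
}
REQUIRED = 3  # hypothetical score a user must reach before resetting
LOW_ASSURANCE = {"sms_code", "social_login", "security_questions"}


def minimal_sets(providers, required):
    """Combinations that reach `required` and fail if any member is removed."""
    found = []
    names = sorted(providers)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            total = sum(providers[n] for n in combo)
            if total >= required and all(
                total - providers[n] < required for n in combo
            ):
                found.append(combo)
    return found


def audit(providers, required, low_assurance):
    """Summarise the policy: fewest steps, and sets built only from weak providers."""
    sets = minimal_sets(providers, required)
    return {
        "minimal_sets": sets,
        "fewest_steps": min((len(s) for s in sets), default=None),
        "weak_only": [s for s in sets if set(s) <= low_assurance],
    }


def can_reset_without(providers, required, unavailable):
    """Can a fully enrolled user still reach the score if one provider is down?"""
    remaining = sum(v for n, v in providers.items() if n != unavailable)
    return remaining >= required


if __name__ == "__main__":
    report = audit(PROVIDERS, REQUIRED, LOW_ASSURANCE)
    for key, value in report.items():
        print(key, value)
    print("reset without mobile_authenticator:",
          can_reset_without(PROVIDERS, REQUIRED, "mobile_authenticator"))
```

A non-empty `weak_only` list means a reset can be completed without any high-trust provider, which is the trade-off to weigh against availability when choosing the required score.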
Specops uReset helps organizations to improve their password security, while also driving down helpdesk costs and making life easier for end users. You can test it out for free in your Active Directory.