This is a two-part post giving advice on what you should look for when choosing a password self service solution. Its by no means definitive but should give you the building blocks needed to make the right decision for your organization.
During the writing of this article it became quite apparent that we needed to split this post into two; not only to reduce the size but more importantly to distinguish two clear separations of concern. This first part covers key tangible features to consider in a final solution such as password resets and authentication, while the second covers more long term items that are more business focused such as product roadmap. So with that preamble let part 1 begin.
The first step is understanding where password self service solutions can help. The common case is in reducing large support volumes. Its not uncommon to find educational institutions or large enterprises losing several weeks a year resolving password-related issues. The average cost of a password reset or account unlock is around $15-$20; if the accumulated time spent is near enough one man-day a month then you could really benefit from a password self service solution.
Another way password self service solutions can be of benefit is being part of your organizations security arsenal. A lot of businesses find that access to the network is well locked down with applications secured behind firewalls and DMZ’s. But one thing they lack is security from the end user’s perspective. Passwords are so commonplace that people can become complacent with their use; repeat, simple, low entropy passwords can result in increased attack vectors. Password self service solutions can help combat identity theft, account hacking, data theft and improve security practices of your end users by introducing strong password policies with the ability for a user to self reset should they forget.
What do you look for when evaluating potential solutions?
It goes without saying that any offering needs to cover the basics: enabling end users to reset their own passwords; unlocking their own accounts and changing passwords. In addition you should be able to see the chance to reduce support load, make end users lives easier and understand how a solution can complement your security infrastructure.
The most common user datastore is Active Directory so any solution needs to provide support for the most common variants, Active Directory for Windows 2003 and Windows 2008. Support for other systems is also something to consider a lot of businesses use Unix-based systems due to their attractive licensing options. Being able to consolidate users across different systems under a single identity under a single console can be quite compelling.
Security needs to be an important factor with the internet rife with reports on identity theft, hacked accounts and stolen data. Typical solutions rely on questions and answers authentication during end user interaction but consideration should be given to other forms of authentication, SMS, OTP etc. Consideration should be given to the depth of authentication factors available and multi-factor authentication.
Reporting gives admins and management the data they need to effectively manage the business. At a high-level a business can garner basic information such as number of locked accounts, password change activity but a more in-depth approach can lead to identification of potential security holes such as unused accounts or erratic password behaviour. Having a solution that can provide that insight can be very useful and a great source for proactive security.
Remote workers are part and parcel of many businesses these days and on the whole with the advancements in smart phones most products can be accessed on the move but its one thing being able to access a browser frontend on your phone but its an entirely different thing having a solution that caters for mobile users specifically. For example, Nervepoint Access Manager has mobile access that not only provides the defacto set of actions you can find in the web browser version but at the admin level it can be managed completely separately from the web browser version. You can alter the forms of authentication being used by mobile access over the web browser version and even have a unique set of branding options. Remote access adds a new level of risk to user accounts and identities and with so many users accessing the network remotely and the advent of BYOD, its becoming more important that solutions are mobile ready and that they can specifically manage and cater for mobile users rather than just being a scaled version of the web browser.
This post has identified some key features you should consider when evaluating a password self service solution from the core components to support for the mobile workforce. When weighing up any solution these items should be considered in your overall competitor analysis process. Depending on your needs there will also be other features you might need to consider. The next post will highlight some business features you should think about, items that aim to benefit you more long term.
Nervepoint Access Manager is a complete identity password self service solution empowering end users to manage their own accounts, reset forgotten passwords, unlock accounts, update profiles, provision accounts and more. It has an actively evolving product and as ever has no per-feature fees. Plan your budget with confidence, because there will be no surprise fees down the road.