The password reset process is coming into focus as the number of security breaches grows. In 'Future Proofing Your Password Management Solution' (G00297006), Gartner analyst Lori Robinson made the following observations:

'The Facilitated Password Reset

The reality is that no matter how foolproof an SSPR (Self-Service Password Reset) solution is, the need for service-desk-assisted password resets will likely always be there.

The problem is that most PM (Password Management) tools were designed for the individual user, and not a delegated administrator or other individual acting on behalf of the user. If a user calls the service desk, the service desk technician must resort to less-secure means to authenticate the user, such as:

■ Exposing the user's password to the service desk technician in plain text.

■ Displaying the challenge questions and prearranged responses to the technician.

■ Providing the technician with personal data about the user for purposes of vetting (a social security number, for example).

To add salt to the wound, some enterprises use the authentication means above, but have not implemented any tools for auditing or monitoring service desk personnel.'

The primary observation is that even when you have a self-service solution, you will continue to have a facilitated password process at the service desk. The second observation is that it is a true challenge to make that process secure and compliant.

A third observation might have been that if you don't have an SSPR solution then 100% of your password resets and unlocks are done in the facilitated password reset process, and it must be a security nightmare if you don't have a well-defined process.

Please share on this blog how you protect users' passwords in the facilitated password process!

FastPassCorp A/S published this content on 13 November 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 13 November 2017 11:53:07 UTC.

Original document: https://www.fastpasscorp.com/gartner-facilitated-password-process/

Public permalink: http://www.publicnow.com/view/97BA0A398530D104AE3DE80DA45F0CF2FBEBFDE4