As IT industry we have failed here. We should wear T-shirts with “password of shame” written on them. Just to give you some numbers – one of our customers is spending 500 000 USD per year only on resetting WiFi passwords.
The end game is that we will get rid of passwords. We will provide strong authentication and SSO for applications… We are getting there. But for now, let’s deal with password resets.
So how we can tackle password reset problem from tools perspective?
Let’s explore two options:
- Microsoft Identity Manager – deployed on-premises for your local Active Directory
- Azure Active Directory – self-service provided to handle cloud and on-premises accounts.
MIM – Microsoft Identity Manager
Starting with on-premises Active Directory – there are plenty of solutions. The one that Microsoft offers is Microsoft Identity Manager or MIM in short. It gives you an option for self-service password reset coming out of the box.
Just plan it. Deploy it. Get your users on-board. MIM allows you to verify users for password reset with few options:
- Q&A gate – we all know it, just put the name of your first dog there.
- One-time-password sent over SMS or e-mail.
The latest addition to MIM – you can use Azure MFA as a gate with either call or SMS for authorization. If you want to use your SMS provider you can also do this.
Moreover, you can combine these options into multiple steps of verification. Or alternatively, create separate options for different groups of employees (like various countries or internal versus external). Once the service is configured, users can do password reset through a web page or from mobile phones. You can also integrate it with a workstation logon screen with dedicated client package.
One key feature here is that you can pre-register people for this service so they don’t have to take any steps upfront to start to use it. This is, in fact, a scenario we are deploying in 90% of cases right now. The user is registered in a password reset system based on their information coming from HR or Active Directory.
AAD – Azure Active Directory
Now let’s explore a cloud-based option – Azure Active Directory is providing self-service password reset for your users. To do this go to your tenant configuration and configure simple password reset options.
What you need to do is to enable it and configure this option to be available for all users or only for a selected group. You can restrict access to this option to a selected group – this is useful for a pilot – or allow anyone to do this.
Next, you need to configure the options available to the user when doing a password reset and the verification steps required.
Your choice is similar with an on-premises solution:
- The code sent to the phone
- The code sent to alternate e-mail
- Or a security question about your dog’s last name.
Users need to get on board with this process. You can configure options to force them to be registered. Next, log on to the service and the user will be prompted to set their password-reset options. My advice is to take this into consideration and prepare some educational materials for users before rolling it out. You don’t want to get your users by surprise. It requires some action from them, and it is always hard.
However, the good news is that recently there have been some updates in Azure AD and if you provide a mobile phone number as part of your user data, you will be able to automatically use it to register people in self-service password reset.
So now, let’s make things a bit complicated – what if you had on-premises users synchronized to the cloud? One option is to use MIM and to do this process entirely on-premises as I’ve explained to you a moment before.
But if you are using AAD Connect you can also use Azure AD self-service which we have just discussed. What you need is to configure password write-back option, and that’s it. Now your Azure AD can reset password in an on-premises environment.
By the way – both solutions, MIM and Azure AD allow you to handle account lockout as well. Now that we know our options, let’s share some experience from the real world.
Password reset – best practices
Plan this process. Change is hard, and you need to educate your people. Putting the service in place is not the end of the project. You need to get this message to your users. You also want to limit the friction related to the service. Plan educational materials, instructional videos, and anything to let them run with it quickly.
Then, plan your enrollment. The user needs to enroll into the service – this is where the majority of the users fail. Good news is that for both solutions I talked about today you can help to enroll people into the service if you have required information like the user’s phone number.
The last thing – I will reveal a secret… remember those security questions? THEY DON’T WORK. DON’T DO THIS TO YOUR USERS. They can’t remember questions they answered or to be sure to remember it clearly, they put simple answers. In the first case, it makes them frustrated with such a solution. In the latter, it is bad for your security.
So, design your workflow with mobile phone and codes. What works from our experience is a combination of simple questions based on something that the user recognizes and OTP over SMS or MFA.
And here we are. With password reset problem. And solutions for it. Simple as that, yet many organizations still suffer from this issue. I hope you have found this article interesting and it gave you some idea how you can address this problem in your organization.
And if you still need help – get in touch!