Three Reasons Why Password Self-Service Enrollment Fails, and What to Do About it!

Written by

When rolling out user-centric solutions, adoption is key – and in the case of password self-service, adoption starts at enrollment. If enrollment is too burdensome, not user-friendly and overly complex, users may revolt and simply revert back to using the helpdesk. However, it doesn’t need to be that way.

The catalyst for implementing password self-service in your organization likely has its roots in a need to reduce helpdesk calls while improving organizational security – particularly as most organizations have shifted to some variant of a hybrid-remote workforce. The benefits of leveraging a self-service password reset solution are cause enough for IT teams to make certain the solution gets implemented. In the case of password self-service, the success marker is found at enrollment; get users past providing personal details enough for the solution to be able to identify an account owner, and the everyday use of password self-service becomes very easy.

However, not every organization is successful in implementing password self-service enrollment – and there are a number of reasons why:

1. The Solution Has Limitations

Not all password self-service solutions are created equal. Legacy platforms that use a never-ending list of enrollment questions may come across as a bit incessant to users, potentially making them feel like they’re revealing personal information (e.g. mother’s maiden name), not to mention that answers can be easily sourced by attackers and often times users forget the answers leading to a service desk call. There are more secure, modern and easier to implement identity verification methods that can be used to identify users. These include the use of biometrics, third-party identity providers and even social identity providers. The lack of support for these additional and familiar methods of validating an account owner’s identity only lengthen the enrollment process and can create user disinterest in completing the action.

Additionally, enrollment traditionally has two problems. First, it’s manually accomplished by the user (as in the case of answering enrollment questions), and second, there is little intervention by IT to influence users to complete the enrollment. Modern solutions address these two issues through advanced enrollment options, such as automating enrollment by utilizing details within Active Directory or another identity provider, or through enrollment notifications where the user can be reminded via a number of methods.

2. The Setup is Incorrect

Whether it’s a case of not having enough knowledge about the solution or a lack of guidance around how to properly configure it, the end result is you don’t have the solution and its enrollment configured properly. For example, many password self-service solutions support establishing profiles where users with different levels of risk to the organization can be required to enroll using risk-appropriate levels and amounts of enrollment verification.

For example, the mailroom clerk may only need to answer a few questions, but the CEO may also be required to setup an App on their mobile device and use one or more third-party or social identity providers. If the setup of your solution isn’t done correctly, these two may have the same level of enrollment. Also, if it’s much closer to ‘everyone’s configured like the CEO,’ you’re going to see a large number of employees giving up and skipping enrollment altogether.

3. Your Rollout is Ineffective

Rollouts of solutions that change the core behavior of a user need to be implemented with care. Before a password self-service solution, users would simply call the helpdesk. Now you’re asking users to behave differently to solve the issue of resetting their password. So, the rollout requires a few things. First, communication. IT needs to communicate with users about both the need to enroll and explain why it benefits the user. If users see this as yet another solution being shoved down their throats, it’s going to fail. This type of solution makes the user’s life easier over time. Let them know that. The rollout also needs to include IT service desk policies to ensure that agents are proactively encouraging users to enroll in the solution. Additionally, it’s always a good idea to have identified and enrolled internal champions – users with technical prowess – before the rest of the user base. Internal champions will assist in encouraging other users that aren’t so technically-minded to complete the enrollment and focus on the ease of password resets in the future, should they be necessary.

In essence, password self-service enrollment needs to be a process that is intuitive, simple, non-invasive and seen as an advantage to the user who completes it. By considering the reasons above and looking at them as potential pitfalls, organizations seeking to implement a self-service password reset solution can design and configure both an enrollment process and use of the solution that finds a balance between security and productivity that meets the needs of both IT and the user.

What’s hot on Infosecurity Magazine?