There is no getting around it… online resources are and will always be protected by one or more forms of authentication. Given all of the savvy “bad people” out there who go to great lengths to try to compromise our valuable resources, authentication is here to stay. But why does authentication cause the user so much pain, and why can’t a few ibuprofen help to alleviate the burden? Well, for one thing, authentication pain is not physical. Its effects are emotional and psychological in nature and can lead to unnecessary stress. Self-Service Password Management (SSPM) has the “medicine” to help reduce the swelling caused by authentication. SSPM is a technology that puts mechanisms in place to help reduce the obstacles and frustration that can be caused by authentication gone wrong.
Let’s take a look at a possible real world scenario of how authentication can cause pain to both the user and IT staff and how SSPM can alleviate the suffering.
Curtis starts his first day of work after graduating from college and is given his first professional password, but he doesn’t have a lot of password experience. At his first login on his very first day in the “real” world, he is forced to change it so he will be the only one who knows the password. However, so the password can’t be easily guessed by a would-be intruder, company policy forces Curtis to come up with a complicated password with multiple alphanumeric characters and special characters, including upper- and lowercase letters.
It turns out that Curtis started on a Friday, and after a weekend of celebrating with his friends he returns for his second day of work and, much to his dismay, can’t remember his password. Not knowing any better, he continues to try variations of what he thinks it is until his account is locked. Now what does he do? This real world is tough, especially on a Monday. His supervisor, Kathy, sees him struggling and asks if she can help. Curtis is relieved to learn that there is an IT help desk that he can call to get his password changed. The call with the help desk is less than enjoyable. First he ends up in a queue for what seems like 20 minutes. It is his second day of work and he has not been productive in his first hour. When he finally gets to speak with someone, they are short with him and not as helpful as he would have hoped. He does finally get a new password and gets his account unlocked, with some unnecessary scolding from the help desk. Curtis thinks, “I am not going to have to go through this again,” writes his new password on a Post-it note, sticks it on his monitor and finally gets back to work.
At lunch, he is discussing his ordeal with some of his new coworkers and learns that the help desk personnel are like that because they are usually swamped on the first day of the week with many users forgetting their passwords over the weekend. Having to spend so much time on password issues first thing in the morning puts them behind on their priorities for the rest of the week. He also finds out that company policy does not allow passwords to be written down. Now he can’t get back to his desk fast enough to take down that sticky note.
Without being able to write down his password, he manages to forget it a few more times until he finally creates one that he can memorize. Just when he thinks he has clear sailing with his password troubles, he comes into work and upon logon is instructed to change his password because it has expired. What?! Why is this so? Again, Kathy is there to explain to Curtis that company policy requires passwords to be changed every 90 days just in case one gets compromised. This is devastating news to Curtis because he believes he will go through the torment of not being able to remember his password again and decides to do some research on the matter to see if others are experiencing his pain.
Curtis uncovers that there is a world of hurt similar to his and other companies have been alleviating it with a technology referred to as “Self-Service Password Management” (SSPM). In a nutshell, SSPM puts the power of resetting forgotten passwords or unlocking a locked account into the end user’s hands. This excites Curtis and he digs in to learn more and puts together a proposal for his supervisor and their manager.
The proposal explains that when a user forgets their password or has a locked account, the user is able to authenticate themselves “on their own” by a means other than their password and then reset the password. Generally speaking, the user can answer challenge questions that they had previously answered during enrollment, or they may submit a One Time Passcode (OTP) that they receive through email or a phone (voice or text). Before SSPM can be used, the user must enroll: the first time they log in, they will be asked to answer a number of questions and/or register their phone number. Should the occasion arise that they have locked their account or forgotten their password, they can navigate to the SSPM website on their own, enter their username and then request to reset their password and/or unlock their account. The application will ask what type of alternate authentication method they would like to use: challenge answers, phone OTP or email OTP. The user is then either presented with questions that they will know the answers to or sent an OTP that they can enter at the website prompt. The website authenticates the user with this alternate method and then allows the user to specify a new password and/or unlock the account.
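As an added illustration (not code from this article or from any SSPM product), the sketch below narrows the flow described above to the OTP path: enrollment, OTP issue, and a reset that also unlocks the account. The class and function names, the 5-minute validity window and the 3-attempt limit are assumptions chosen for the example.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300       # seconds an OTP stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed per issued OTP (assumed policy)

def _digest(value: str, salt: bytes) -> bytes:
    # Salted slow hash so neither passwords nor OTPs are stored in clear text.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

class SelfServiceReset:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> {"salt", "pw", "locked"}
        self.pending = {}   # username -> {"salt", "hash", "expires", "tries"}

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": _digest(password, salt), "locked": False}

    def issue_otp(self, user):
        if user not in self.users:
            return None     # the UI should answer identically for unknown users
        otp = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.pending[user] = {"salt": salt, "hash": _digest(otp, salt),
                              "expires": self.clock() + OTP_TTL, "tries": 0}
        return otp          # a deployment would deliver this by email, text or voice

    def reset_with_otp(self, user, otp, new_password):
        p = self.pending.get(user)
        if p is None or self.clock() > p["expires"]:
            self.pending.pop(user, None)    # nothing issued, or OTP expired
            return False
        p["tries"] += 1
        ok = hmac.compare_digest(_digest(otp, p["salt"]), p["hash"])
        if ok or p["tries"] >= MAX_ATTEMPTS:
            del self.pending[user]          # single use; burn after too many guesses
        if ok:
            u = self.users[user]
            u["pw"], u["locked"] = _digest(new_password, u["salt"]), False
        return ok
```

The expiry, single-use and attempt-limit checks are what keep the alternate authentication path from becoming an easier target than the password it replaces.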
Needless to say, this proposal quickly makes its way to upper management and within a few weeks Curtis and his fellow employees are enjoying Self-Service Password Management.
Now our hero enjoys his weekends because he knows if he forgets his password on Monday, he can visit the SSPM website, answer some questions and reset his own password within a matter of minutes and then get back to being a productive employee.