Note from Michael: this month we’re going to try something different with this series by breaking the articles up into smaller chunks and serving them on a weekly basis. Same series, same great content, delivered in smaller chunks. Cool?

By now, you’re so sick of userID cleanup that you’re probably wondering why you didn’t select a more pleasant career – like tax collector. The good news is that if you’ve made it this far, your userID cleanup days are over! Congratulations on defeating that monster – it was a big one! As long as processes are in place and being followed to keep the data clean until identity management takes over, you’re home free on userID management. Unfortunately, there are other types of cleanups yet to be done, but those come later so let’s not spoil the moment.

Why all the painful and tedious cleaning and prep with no apparent return? In my experience, the organizations that avoid instant gratification syndrome by taking the time to build a solid foundation run smoother and faster during the balance of the implementation. It all boils down to investment – and paying some dues.

Having a clean user base sets the needed foundation on which to build productive functionality like password self service, which is this month’s topic.

Introducing password self-service

Password self-service is identity management functionality that enables end-users to reset their own password should they forget it. This is done by having the user register (or pre-populating from HR records) answers to some personal questions. If the user forgets their password, they simply click on the “forgot password” link, which takes them to the self-service page. The user supplies their userID and then they are prompted to answer a subset of the questions. If they answer correctly, they are allowed to reset their password. This is common practice on most banking sites, so most of us are familiar with this technology – at least from an end-user perspective.
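The register, challenge and verify flow described above, as an added example that is not code from the original article or from any identity management product. The function names, the in-memory store, the salted PBKDF2 hashing of answers, the answer normalization and the subset size of two are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

_STORE = {}  # userID -> {question: (salt, digest)}; in-memory stand-in (assumption)

def _normalize(answer):
    # Ignore case and extra spaces so a trivial typo does not become a help desk call.
    return " ".join(answer.lower().split())

def _digest(answer, salt):
    # Answers are stored as salted hashes, never in clear text (assumption).
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)

def register(user_id, answers):
    """Store the answers a user registers (or that are pre-populated from HR)."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, _digest(answer, salt))
    _STORE[user_id] = record

def challenge(user_id, count=2):
    """Pick a random subset of the registered questions for this reset attempt."""
    questions = list(_STORE.get(user_id, {}))
    if len(questions) < count:
        return []
    return secrets.SystemRandom().sample(questions, count)

def may_reset(user_id, asked, responses):
    """Return True only if every question that was asked is answered correctly."""
    record = _STORE.get(user_id, {})
    if not asked or any(q not in record for q in asked):
        return False
    ok = True
    for q in asked:
        salt, expected = record[q]
        got = _digest(responses.get(q, ""), salt)
        ok &= hmac.compare_digest(got, expected)  # constant-time, no early exit
    return ok

# Constructed sample data, not taken from the article.
register("jdoe", {"First pet's name?": "Rex",
                  "City of birth?": "Des Moines",
                  "First employer?": "Acme"})
```
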

Password self-service is considered by many to be a good first step in the identity management journey since it promises a significant return on investment (ROI) – done right, it can reduce calls to the help desk by as much as 40%. But only if it’s done right. Proper planning and implementation are critical to successful password self-service. Fail here, and the number of calls to the help desk can actually increase!

The dream of Single Sign-On; the realities of passwords

Let’s talk for a moment about Single Sign-On (SSO) – the holy grail of passwords. Conceptually, SSO means that a user logs in once in the morning, and then all other logins that they’d normally have to perform throughout the day are handled magically (and hopefully securely) in the background to save the user a lot of brain cells in remembering various passwords, and time in typing them. Nice idea, but in practice single sign-on simply does not exist.

Today’s reality is reduced sign-on – meaning, there is some background magic, but the biggest part is just having synchronized passwords across the environment, and/or encouraging/enforcing the use of directory-based authentication. Both of these practices achieve the same result: only one password to remember instead of many. Users still have to type their password in when prompted, but they only have to remember the one password.

As we focus on password self-service – which allows for synchronization and resets on the primary directories – it is natural to be lured by the sweet song of SSO, but resist the urge – believe it or not, SSO has little or no ROI.

How is that possible?

What costs money is the time spent by help desk personnel in resetting passwords – on average it may take three minutes for a help desk representative to reset one password, and a large company may get thousands of calls per month. Actually typing in known passwords takes very little time – let’s call it five seconds each time. If a user has to type in their password 10 times per day, as long as they know the password this amounts to less than one minute per day of effort. Unless the organization is so high-performing that an extra minute per day matters, the ROI is negligible when compared to the cost and effort it takes to fully integrate the systems to enable SSO.

Now, if a full integration is warranted for other reasons – like auto provisioning/deprovisioning and user recertification, which have a positive ROI – SSO can be a nice added bonus. More on this in August.


The key to a successful password self-service implementation is having underlying processes that can handle being automated, and also making sure that end-users understand what to do, why, and how. This means:

  1. Having an appropriate password policy
  2. Determining usable challenge questions
  3. Creating an initial password formula that works
  4. Developing a robust training plan for your users
  5. Training the users

Each of these processes has some nuances and gotchas that – if properly handled – can really ease the implementation. We’ll get started with password policies in the next article and cover all five processes over the course of the month.

About the Author Ioana Bazavan Justus
