Self-Service MFA Resets & Password Resets

by Nametag Team

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

What happens when you get locked out of your work accounts? Frustration for you, big costs for your company, and a huge security vulnerability. 

Maybe you forgot a password: you’ll probably have to enter a verification code sent to your email. But what if you can’t access your email? Or maybe you upgraded your phone and need to reset your multi-factor authentication (MFA). You’ll probably have to call your company’s IT helpdesk to reset it for you.

Account recoveries like these create a big problem for corporate IT teams: Gartner estimates that up to 50% of IT helpdesk tickets are just for password resets. Add multi-factor authentication (MFA) resets to the picture, and the number is likely even higher. Self-service account recovery is one way to relieve helpdesks of this burden. But insecure verification methods during account recovery create huge security gaps that bad actors are exploiting.

Nametag solves this problem with the world's first secure solution for self-service account recovery, Nametag Autopilot. Through Autopilot, you can deflect half of your helpdesk tickets, saving millions of dollars and tens of thousands of hours, while protecting your employees’ accounts.

Read on to learn more about how and why to set up self-service password and MFA resets.

What is Self-Service Account Recovery (SSAR)?

Self-service account recovery allows people to reset their own account passwords or multi-factor authentication (MFA) without needing to involve IT or support resources. Where self-service password reset (SSPR) can only handle passwords, self-service account recovery (SSAR) encompasses both passwords and MFA resets. Read more about Nametag Autopilot in our launch announcement.

Traditionally, account recovery involves one of two approaches:

  1. Assisted account recovery, wherein users have to contact IT or support for help. This creates a substantial burden on the support organization responsible for handling lockouts: according to Gartner, 20-50% of support tickets are just for password resets. Assisted recovery is also vulnerable to social engineering attacks: hackers breached MGM with a 10-minute call to the helpdesk, costing the casino giant over $100 million.
  2. Self-service account recovery, wherein users reset their own passwords or MFA after verifying themselves. This eases the burden on support, but until Nametag, helpdesks had to use traditional verification methods that are easy for bad actors to exploit.

Why Should I Enable Self-Service Account Recovery?

Self-service account recovery is not just a matter of convenience; it's a strategic imperative. IT organizations spend millions annually handling account lockouts, while frustrated employees and managers lose hours or even days of productivity. Moreover, outdated recovery procedures leave the door open for hackers to take over user accounts, leading to data breaches and ransomware attacks.

20-50% of helpdesk tickets are just for password resets, each of which costs your organization $87 (with standard identity verification) to $162+ (with visual verification).

Research shows that 56% of employees reset a password at least once per month. As a result, Gartner found that up to half of all IT helpdesk tickets are just for password resets. Add MFA resets to the picture, and that number is likely even higher. One estimate found it can take anywhere from 20 minutes to 1.5 hours to reset a password and log back in, adding up to tens of hours of lost productivity per employee per year.

In dollars, every password reset costs $87, according to Forrester, and that’s using traditional verification methods. Visual verification via video call, now considered a best practice by Okta, is even more onerous, costing $162 or more per verification. And multi-factor authentication (MFA) reset is more complex still, typically requiring an IT administrator.


For IT directors, adopting an automated account recovery solution can dramatically improve helpdesk efficiency. Being able to offer self-service password and MFA resets eliminates tickets, freeing helpdesk agents to focus on other initiatives.

How Do Traditional Self-Service Password Reset (SSPR) Tools Fall Short?

Traditional self-service password reset (SSPR) tools rely on security questions, one-time passcodes, and authenticator apps to verify users. These methods are vulnerable to even the laziest of bad actors:

  • Answers to security questions are often available online
  • Email accounts can be accessed with stolen credentials
  • Authenticator apps can be exploited by push fatigue attacks
  • Text messages can be intercepted via SIM swap or trojan

These “traditional” verification methods are also extremely frustrating for users. People often forget their security questions, and sometimes, a passcode just never arrives. If you’re updating your phone’s software, you may not be able to access your authenticator app for a few hours. And if you lose or upgrade your phone, you’ll need to reset your MFA. When you run into these problems, you’re forced to call the helpdesk—defeating the purpose of SSPR.

How to Enable Secure Self-Service Password & MFA Resets with Nametag

Nametag saw these problems with SSPR offerings, and decided to solve them with Nametag Autopilot, the industry’s first secure self-service account recovery (SSAR) solution. Employees can use Autopilot to securely reset their own passwords and MFA without needing to involve the helpdesk.

The experience is simple and fast, with unmatched security. Verification takes under 30 seconds for first-time users and under 7 seconds for return users. Users navigate to your Nametag microsite, enter their work email and scan the QR code, which launches the Nametag experience on their phone (no app download required).

Next, they scan their passport, driver’s license, or other government-issued photo ID, and take a quick selfie. Nametag supports over 11,000 forms of ID documents from around the world, and uses AI-powered facial biometrics to validate their selfie and compare it with their ID document. Once verified, users can proceed to reset their passwords or MFA.


Behind the scenes, Nametag leverages mobile cryptography, device telemetry, and proprietary AI models to eliminate critical attack vectors such as digital injection attacks and AI-generated deepfakes. Other providers, including most KYC tools, are highly vulnerable because they have to allow in-browser workflows, the use of webcams, and document uploads.


Learn More

In the past, IT teams have had to choose security or efficiency. With Nametag, you can have both. We’ve made substantial advancements that allow you to finally enable secure self-service password and MFA resets. Nametag Autopilot can save 30% of your helpdesk costs by deflecting password and MFA reset tickets to self-service, while stopping account takeovers that lead to data breaches and ransomware attacks.

Then contact us to get started with self-service account recoveries today!
