Account recovery creates a big problem for IT and support teams. Gartner estimates that up to 50% of IT tickets are just for password resets. Add MFA resets to the picture, and that number climbs higher. Self-service account recovery (SSAR) can solve this problem, but some approaches can actually undermine your security posture. Outdated verification methods create security gaps that bad actors are actively exploiting. Read on to learn how to set up secure self-service for password and MFA resets.
What is Self-Service Account Recovery (SSAR)?
Self-service account recovery allows people to reset their passwords or multi-factor authentication (MFA) on their own, without needing to involve IT or support resources. Where self-service password reset (SSPR) only handles passwords, self-service account recovery (SSAR) encompasses both passwords and MFA resets.
Why Should I Enable Self-Service Account Recovery?
Self-service account recovery is not just a matter of convenience; it's a strategic imperative. IT organizations spend millions annually handling account lockouts, while frustrated employees and managers lose hours or even days of productivity. Moreover, outdated recovery procedures leave the door open for hackers to take over user accounts, leading to data breaches and ransomware attacks.
Traditionally, account recovery involves one of two approaches:
- Assisted account recovery, wherein users have to contact IT or support for help. This creates a substantial burden on the support organization responsible for handling lockouts: according to Gartner, 20-50% of support tickets are just for password resets. Assisted recovery is also vulnerable to social engineering attacks: hackers breached MGM with a 10-minute call to the helpdesk, costing the casino giant over $100 million.
- Self-service account recovery, wherein users reset their own passwords or MFA after verifying themselves. This eases the burden on support, but until Nametag, helpdesks had to use traditional verification methods that are easy for bad actors to exploit.
20-50% of helpdesk tickets are just for password resets, each of which costs your organization $87 (with standard identity verification) to $162+ (with visual verification).
Research shows that 56% of employees reset a password at least once per month. As a result, Gartner found that up to half of all IT helpdesk tickets are just for password resets. Add MFA resets to the picture, and that number is likely even higher. One estimate found it can take anywhere from 20 minutes to 1.5 hours to reset a password and log back in, adding up to tens of hours of lost productivity per employee per year.
In dollars, every password reset costs $87, according to Forrester, and that’s using traditional verification methods. Visual verification via video call, now considered a best practice by Okta, is even more onerous, costing $162 or more per verification. And multi-factor authentication (MFA) reset is more complex still, typically requiring an IT administrator.
[Hear from HubSpot’s CISO why he chose Nametag to automate their users' MFA resets]
For IT directors, adopting an automated account recovery solution can dramatically improve helpdesk efficiency. Being able to offer self-service password and MFA resets eliminates tickets, freeing helpdesk agents to focus on other initiatives.
How Do Traditional Self-Service Password Reset (SSPR) Tools Fall Short?
Traditional self-service password reset (SSPR) tools rely on security questions, one-time passcodes, and authenticator apps to verify users. These methods are very vulnerable to even the most lazy of bad actors:
- Answers to security questions are often available online
- Email accounts can be accessed with stolen credentials
- Authenticator apps can be exploited by push fatigue attacks
- Text messages can be intercepted via SIM swap or trojan
These “traditional” verification methods are also extremely frustrating for users. People often forget their security questions, and sometimes, a passcode just never arrives. If you’re updating your phone’s software, you may not be able to access your authenticator app for a few hours. And if you lose or upgrade your phone, you’ll need to reset your MFA. When you run into these problems, you’re forced to call the helpdesk—defeating the purpose of SSPR.
How to Enable Secure Self-Service Account Recovery
Nametag saw these problems with SSPR offerings, and decided to solve them. Nametag Autopilot is the first secure solution for self-service account recovery (SSAR). It enables employees to securely reset their own passwords and MFA without needing to involve the helpdesk. Easy integrations to Microsoft Entra ID, Okta, Cisco Duo, and OneLogin mean you can get up and running in as little as 10 minutes using our Autopilot Quick-Start Guide.
For end-users, the account recovey experience is fast simple. Verification takes under 30 seconds for first-time users and under 7 seconds for return users. They simply navigate to your Nametag page, enter their work email, and scan the QR code, which launches the Nametag experience on their phone (no app download required).
Next, they scan their passport, driver’s license, or other government-issued photo ID, and take a quick selfie. Nametag supports over 11,000 ID documents from around the world. We validate their ID document and selfie, and make sure they match. Once verified, users can proceed to reset their passwords or MFA tokens, all from within Nametag.
Nametag unveils the world's first secure self-service account recovery solution, Nametag Autopilot. Read our announcement and watch a demo.
Behind the scenes, Nametag leverages a unique combination of mobile cryptography, device telemetry, and proprietary AI models to prevent critical attack vectors such as digital injection attacks and AI-generated deepfakes. Other providers like KYC tools are vulnerable to these attacks because they rely on web browsers, webcams, and document uploads.
Learn More
In the past, IT teams have had to choose security or efficiency. With Nametag, you can have both. We’ve made substantial advancements that allow you to finally enable secure self-service password and MFA resets. Nametag Autopilot can save 30% of your helpdesk costs by deflecting password and MFA reset tickets to self-service, while stopping account takeovers that lead to data breaches and ransomware attacks.
- Read our press release announcing Nametag Autopilot
- Watch a full demo of self-service account recovery with Nametag Autopilot
- Check out our announcement to read why we built Nametag Autopilot, and how it works
Then contact us to get started with self-service account recoveries today!