December 8, 2024

Self-Service Password Reset (SSPR): Pitfalls to Avoid

by
Nametag Team
North Korea Blog Post Header
press@nametag.co

Get in touch with our PR team.

Download media kit

Logos and graphics to help you cover Nametag.

Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Five stars in a line
Learn how

Self-service password reset (SSPR) can be a good way to ease the burden on overwhelmed IT and support teams. But many SSPR tools add critical security vulnerabilities and user experience drawbacks. As a result, SSPR can actually undermine your security posture if implemented improperly.

When someone tries to reset a password, the system first needs to verify that the user is legitimate. Hackers frequently exploit account recovery procedures for account takeovers, so this step is critical. But most of the verification methods provided by SSPR products are extremely vulnerable to common cyberattacks. They can also be very frustrating, leading users to contact support for help anyway.

This is why identity and access management (IAM) tools like Okta and Microsoft Entra do not offer self-service MFA resets. Simply put, the verification factors used by traditional SSPR platforms are not secure enough to be used in such an extremely high-risk moment. As a result, users are forced to contact the IT helpdesk to reset their MFA manually. 

See a secure solution for self-service password resets (SSPR)

Insecure Security Questions

Security questions are one of the most common verification methods used by most SSPR products. But the answers to these questions are often static and can be easily guessed or found through social engineering or public information. For instance, common questions about one's childhood pets, address, or parent’s name are frequently available on social media. 

Security questions are so insecure that most organizations have spent years moving away from them, especially for high-risk actions like account recoveries. But SSPR systems often rely on security questions, despite their known vulnerabilities and user experience problems.

One-Time Passcode (OTP) Interception

One-time passcodes (OTPs) sent via text message or email are frequently used for identity verification by self-service password reset products. However, these methods have major vulnerabilities that render them inadequate for high-risk actions like password and MFA resets:

  • SMS interception: Attackers can intercept SMS messages through techniques like SIM swapping, wherein an attacker convinces the carrier to switch the victim's phone number to a device they control. Even legitimate users sometimes just never receive their SMS passcodes, leaving them frustrated and forcing them to contact support.
  • Email interception: Email accounts are often only protected by passwords, and over 65% of people reuse passwords across accounts. If an attacker can compromise a person’s email account, they can easily retrieve a passcode sent to that email. 

Unreliable Authenticator Apps

While authenticator applications like Microsoft Authenticator offer a more secure alternative to SMS or email OTPs, they have major drawbacks that must be taken into account. Self-service password reset systems that rely on authenticator apps for user verification create security risks, and frustrated users may end up having to contact support anyway.

  • Push fatigue attacks: Hackers exploit MFA fatigue by bombarding users with authentication prompts, often at awkward times like the middle of the night. Confused, frustrated users hit “accept” just to stop being spammed—thereby approving the attacker’s authentication and granting access to their account.
  • Device loss or change: Users who lose their device, upgrade their phone, or delete their authenticator app can find themselves locked out of their accounts and unable to access the push notification required for account recovery.
  • Technical hurdles: Less tech-savvy users may struggle with setting up and maintaining authenticator apps, leading them to call the helpdesk for assistance.

Secure SSPR with Nametag

Nametag employs a multi-faceted approach to user authentication that goes far above and beyond traditional methods. Our self-service password reset solution, Nametag Autopilot, is built on Deepfake Defense identity verification. Deepfake Defense leverages a unique combination of cryptography, biometrics and AI to verify legitimate users in seconds while preventing advanced impersonation attacks that beat other verification factors and IDV tools. Returning users benefit from express re-verification, and a seamless transition between devices if they lose or upgrade their phone.

Learn more about secure self-service password reset with Nametag.
Secure your helpdesk against social engineering and impersonators.
Learn more about Nametag
Right Arrow Blue
We use cookies to provide, improve, and promote our services. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. Visit our Privacy Policy to learn more.
Decline
Accept All Cookies