Self-Service Password Reset (SSPR): What You Need to Know

Nametag Team
Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Traditional self-service password reset (SSPR) tools used to be a promising solution to overwhelmed IT helpdesks. But it turns out that they add critical vulnerabilities and bring major user experience drawbacks. As a result, many SSPR products can actually undermine your security posture. Here, we delve into these vulnerabilities to understand why Nametag built our secure self-service account recovery (SSAR) solution, Nametag Autopilot.

Why Self-Service Password Reset (SSPR) Is Insecure

Most self-service password reset (SSPR) tools have two problems: user verification, and MFA resets.

When someone tries to reset a password, the system first needs to verify that the user is legitimate. Hackers frequently exploit account recovery procedures for account takeovers, so this step is critical. But most of the verification methods provided by SSPR products are extremely vulnerable to common cyberattacks. They can also be very frustrating, leading users to contact support for help anyway.

This is why identity and access management (IAM) tools like Okta and Microsoft Entra do not offer self-service MFA resets. Simply put, the verification factors used by traditional SSPR platforms are not secure enough to be used in such an extremely high-risk moment. As a result, users are forced to contact the IT helpdesk to reset their MFA manually. 

Insecure Security Questions

Security questions are one of the most common verification methods used by most SSPR products. But the answers to these questions are often static and can be easily guessed or found through social engineering or public information. For instance, common questions about one's childhood pets, address, or parent’s name are frequently available on social media. 

Security questions are so insecure that most organizations have spent years moving away from them, especially for high-risk actions like account recoveries. But SSPR systems often rely on security questions, despite their known vulnerabilities and user experience problems.

One-Time Passcode (OTP) Vulnerabilities

One-time passcodes (OTPs) sent via text message or email are frequently used for identity verification by self-service password reset products. However, these methods have major vulnerabilities that render them inadequate for high-risk actions like password and MFA resets:

  • SMS interception: Attackers can intercept SMS messages through techniques like SIM swapping, wherein an attacker convinces the carrier to switch the victim's phone number to a device they control. Even legitimate users sometimes just never receive their SMS passcodes, leaving them frustrated and forcing them to contact support.
  • Email interception: Email accounts are often only protected by passwords, and over 65% of people reuse passwords across accounts. If an attacker can compromise a person’s email account, they can easily retrieve a passcode sent to that email. 

Frustrating Authenticator Apps

While authenticator applications like Microsoft Authenticator offer a more secure alternative to SMS or email OTPs, they have major drawbacks that must be taken into account. Self-service password reset systems that rely on authenticator apps for user verification create security risks, and frustrated users may end up having to contact support anyway.

  • Push fatigue attacks: Hackers exploit MFA fatigue by bombarding users with authentication prompts, often at awkward times like the middle of the night. Confused, frustrated users hit “accept” just to stop being spammed—thereby approving the attacker’s authentication and granting access to their account.
  • Device loss or change: Users who lose their device, upgrade their phone, or delete their authenticator app can find themselves locked out of their accounts and unable to access the push notification required for account recovery.
  • Technical hurdles: Less tech-savvy users may struggle with setting up and maintaining authenticator apps, leading them to call the helpdesk for assistance.

Self-Service Account Recovery (SSAR)

Nametag employs a multi-faceted approach to identity verification that goes above and beyond traditional authentication methods. Our secure self-service account recovery solution, Nametag Autopilot, leverages a unique combination of mobile cryptography, device telemetry, facial biometrics and proprietary AI models to shut down critical attack vectors like injection attacks. Moreover, our unique ability to adapt to changes such as device switches or name changes represents a significant improvement in user experience.

Read the press release announcing Nametag Autopilot, then contact us to get started with self-service account recoveries today.

Secure your helpdesk against social engineering and impersonators.
Accept All Cookies