What is Self-Service Password Reset (SSPR)?
Self-service password reset (SSPR) is a category of products that allow people to reset their own passwords for their online accounts. Instead of having to contact IT or customer support to reset their password for them, SSPR lets users do it on their own. SSPR saves time and money for organizations, and improves the experience for users.
How SSPR Works
It's all in the name: self-service password reset works by giving users a workflow through which they can reset their own password. SSPR is most relevant in the context of Identity & Access Management (IAM), wherein a single identity provider is used to access multiple online accounts.
Standard SSPR workflow:
- Initiate reset
- Verify identity
- Reset password
SSPR workflows can be fast and simple or more complex, depending on the systems involved and level of security required. Generally speaking, a more complex SSPR flow is usually more secure. However, as we explain further down, not all security factors are equally secure.
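The three steps above, carried through as an added example (not code from the original page or from any product it names): a reset-via-email style flow in which the "verify identity" step is a single-use, expiring, hashed reset token with an attempt limit. The 15-minute lifetime, the five-attempt cap and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes
MAX_VERIFY_ATTEMPTS = 5      # assumption: abandon the reset after 5 bad tokens


class ResetStore:
    """In-memory stand-in for an identity provider's reset table (constructed for the example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # username -> {"digest", "expires", "attempts"}
        self.passwords = {}  # username -> (salt, scrypt hash)

    def initiate(self, username):
        """Step 1: issue a high-entropy token; only its hash is stored server-side."""
        token = secrets.token_urlsafe(32)
        self.pending[username] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token  # delivered out of band (e.g. an emailed link); never logged

    def verify(self, username, token):
        """Step 2: expiry and attempt checks, constant-time compare, single use."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self.pending[username]  # stale or brute-forced: start over
            return False
        entry["attempts"] += 1
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry["digest"]):
            return False
        del self.pending[username]  # consumed: a replayed link is rejected
        return True

    def reset(self, username, token, new_password):
        """Step 3: the password changes only after verification succeeds."""
        if not self.verify(username, token):
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1)
        self.passwords[username] = (salt, digest)
        return True
```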
How to Enable SSPR
Most major identity providers (Okta, Microsoft Entra, Cisco Duo, etc.) offer some form of self-service password reset capability. In all cases, a system administrator must set up the SSPR workflows using their admin console.
Different IAM platforms offer different security measures to protect the password reset process. Okta, for example, offers Reset Via Email and Reset via SMS as default options. Microsoft's default verification options are mobile app notifications/mobile app codes, email verification, and mobile phone verification. It's worth noting that all of these verification factors are vulnerable to common cyberattacks and can be extremely frustrating for users due to their inflexibility.
The Hidden Danger of SSPR Authentication
SSPR can be a good way to ease the burden on overwhelmed IT and support teams. But many SSPR tools add critical security vulnerabilities and user experience drawbacks. As a result, SSPR products can actually undermine your security posture if implemented improperly.
SSPR vulnerabilities come down to two problems: user verification, and MFA resets.
Take MFA resets first. Identity and access management (IAM) tools like Okta and Microsoft Entra do not offer self-service MFA resets because the verification factors used by traditional SSPR platforms are not secure enough for such an extremely high-risk moment. As a result, users are forced to contact the IT helpdesk to reset their MFA manually.
The second problem is user verification. When someone tries to reset a password, the system first needs to verify that the user is legitimate. Hackers frequently exploit account recovery procedures for account takeovers, so this step is critical. But most of the verification methods provided by SSPR products are extremely vulnerable to common cyberattacks. They can also be very frustrating, leading users to contact support for help anyway.
Insecure Security Questions
Security questions are one of the most common verification methods used by most SSPR products. But the answers to these questions are often static and can be easily guessed or found through social engineering or public information. For instance, common questions about one's childhood pets, address, or parent’s name are frequently available on social media.
Security questions are so insecure that most organizations have spent years moving away from them, especially for high-risk actions like account recoveries. But SSPR systems often rely on security questions, despite their known vulnerabilities and user experience problems.
One-Time Passcode (OTP) Interception
One-time passcodes (OTPs) sent via text message or email are frequently used for identity verification by self-service password reset products. However, these methods have major vulnerabilities that render them inadequate for high-risk actions like password and MFA resets:
- SMS interception: Attackers can intercept SMS messages through techniques like SIM swapping, wherein an attacker convinces the carrier to switch the victim's phone number to a device they control. Even legitimate users sometimes just never receive their SMS passcodes, leaving them frustrated and forcing them to contact support.
- Email interception: Email accounts are often only protected by passwords, and over 65% of people reuse passwords across accounts. If an attacker can compromise a person’s email account, they can easily retrieve a passcode sent to that email.
Unreliable Authenticator Apps
While authenticator applications like Microsoft Authenticator offer a more secure alternative to SMS or email OTPs, they have major drawbacks that must be taken into account. Self-service password reset systems that rely on authenticator apps for user verification create security risks, and frustrated users may end up having to contact support anyway.
- Push fatigue attacks: Hackers exploit MFA fatigue by bombarding users with authentication prompts, often at awkward times like the middle of the night. Confused, frustrated users hit “accept” just to stop being spammed—thereby approving the attacker’s authentication and granting access to their account.
- Device loss or change: Users who lose their device, upgrade their phone, or delete their authenticator app can find themselves locked out of their accounts and unable to access the push notification required for account recovery.
- Technical hurdles: Less tech-savvy users may struggle with setting up and maintaining authenticator apps, leading them to call the helpdesk for assistance.
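The push fatigue pattern described above, as an added detection example (not code from the original page or from any product it names): a burst of push prompts followed by an approval, optionally at an off-hours time, is flagged for review. The log format, the 10-minute window, the 3-prompt threshold and the 00:00-05:59 UTC "off-hours" range are assumptions for the example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample identity-provider log lines (not from any real product):
# <timestamp> <user> <event> <outcome>
SAMPLE_LOG = """\
2024-03-02T02:41:03Z alice push_sent -
2024-03-02T02:41:05Z alice push_result denied
2024-03-02T02:41:40Z alice push_sent -
2024-03-02T02:41:44Z alice push_result denied
2024-03-02T02:42:10Z alice push_sent -
2024-03-02T02:42:12Z alice push_result denied
2024-03-02T02:42:50Z alice push_sent -
2024-03-02T02:42:59Z alice push_result approved
2024-03-02T09:15:00Z bob push_sent -
2024-03-02T09:15:07Z bob push_result approved
"""

WINDOW_SECONDS = 10 * 60  # assumption: prompts within 10 minutes form one burst
PROMPT_THRESHOLD = 3      # assumption: 3+ prompts before an approval is suspicious
OFF_HOURS = range(0, 6)   # assumption: 00:00-05:59 UTC counts as "middle of the night"


def parse(log_text):
    """Yield (timestamp, user, event, outcome) tuples from the log text."""
    for line in log_text.splitlines():
        ts, user, event, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp, user, event, outcome


def flag_push_fatigue(log_text):
    """Return {user: details} for approvals that follow a burst of push prompts."""
    prompts = defaultdict(list)  # user -> timestamps of prompts sent so far
    flagged = {}
    for ts, user, event, outcome in parse(log_text):
        if event == "push_sent":
            prompts[user].append(ts)
        elif event == "push_result" and outcome == "approved":
            burst = [t for t in prompts[user] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if len(burst) >= PROMPT_THRESHOLD:
                flagged[user] = {
                    "prompts_in_window": len(burst),
                    "off_hours": ts.hour in OFF_HOURS,
                }
            prompts[user].clear()  # an approval closes the burst
    return flagged
```

A flagged entry is a trigger for a session review and a credential reset, not proof of compromise on its own.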
Secure SSPR with Nametag
Nametag employs a multi-faceted approach to identity verification that goes above and beyond traditional authentication methods. Our secure self-service password reset solution, Nametag Autopilot, leverages a unique combination of cryptography, biometrics and AI to prevent the use of AI-generated deepfakes. Moreover, our unique ability to adapt to changes such as device switches or name changes represents a significant improvement in user experience.