Is self-service password reset secure: what you need to know and how to do it right
Considering that 20% to 50% of all IT helpdesk tickets each year are for password resets according to the Gartner Group, and that they consume 31% to 40% of your team’s time, you probably feel that all you do is reset passwords! This is why you are probably looking into solutions that would enable you to minimize these requests to the absolutely inevitable ones.
When it comes to password resetting, many companies are turning to self-service password reset systems to ensure the security of their data. Not only do these solutions save costs and increase efficiency, but also implementing them correctly is vital to the security of the enterprise.
## However, you are wondering, is self-service password reset secure?
To answer this, let’s first take a look at how such a system works.
A password reset process usually entails either a link clicked on by the user that then brings them to a password reset page, or a self-service password reset portal page online. As a first step, the user has to authenticate themselves. Several authentication measures can be used to ensure that the user requesting the password reset is the same user who is trying to access the account:
1. Security questions
3. Mobile app notification
4. Mobile app code
The first recovery type is activated by identity-based questions, such as "What is your main email address?". The problem is that this data is accessible on the internet. Email addresses, mother's maiden names, and personal details can often be found on third-party websites or on social media networks, thereby making it easy for hackers to access this data if they desire. Even if this data isn't accessible, it can be acquired through social engineering, making this solution vulnerable.
The email recovery process usually involves sending a link via email which the employee has to click to reset their password. It could be said that email addresses are secure since an intruder would have to break into the email service to receive a password reset notification. However, email accounts can be targeted by the usual password attacks, like phishing, credential stuffing and other automated brute-force attempts. Since email accounts are usually the go-to choice for resetting passwords in self-service systems, they are a key target for anyone wanting to gain unauthorized access to a system.
The last 2 options which make use of the employee’s mobile phone might seem completely secure. However, besides the fact that the user would need to have the relevant app installed on their phone (which may not always be the case), the password recovery web page that the employee initially visits to launch the process could be spoofed. Using this vulnerability, an attacker could force a password reset by locking a user’s account through a brute force login attack on the service. The user can then be lured to the fake password reset site, and if they fall for the ruse, their account could be compromised.
## Although extremely helpful and fast, self-service solutions are not 100% secure
Which is why more and more companies are adopting password recovery flows with a defense-in-depth approach, where the employee should authenticate themselves with security questions AND a second possession factor such as [Okta Verify](https://www.okta.com/integrations/okta-verify/). This way, an attacker would need access to something the employee has, as well as something the employee knows, before they can compromise their account.
Another solution is to constrain the password reset functionality to users logged onto the corporate network – of course, in a hybrid work world, this solution is far from optimal, frustrating for remote users and still putting a great burden of password resets on your IT team.
## Reset passwords instantly and 100% securely with Gaspar AI
If you are looking for a completely secure and lightning-fast solution to your password reset requests, Gaspar AI's platform is the answer. It offers instant and automatic password reset to any user requesting it, without your IT team’s involvement. The employees get a new password in seconds, thus minimizing their unproductive time, and your team continues to work undisturbed. Sounds too good to be true? Let’s see how this magic happens.
The employee notifies Gaspar, our conversational AI chatbot on Slack or Microsoft Teams (depending which chat platform your company uses), that they have forgotten their password. Then, the AI-powered password reset process starts. They are automatically authenticated without having to answer any questions, click email links or enter 6-digit codes, thanks to our multiple integrations with [Office 365](https://www.office.com/), [Google Workspace](https://workspace.google.com/business/?utm_source=google&utm_medium=cpc&utm_campaign=emea-gr-all-en-dr-bkws-all-hv-trial-e-t4-1011339&utm_content=text-ad-none-none-DEV_c-CRE_566128168997-ADGP_Hybrid%20%7C%20BKWS%20-%20EXA%20%7C%20Txt%20~%20Apps%20~%20Apps%20for%20Work-KWID_43700067907250321-kwd-74314167827-userloc_9061578&utm_term=KW_google%20apps%20for%20work-ST_google%20apps%20for%20work&gclid=CjwKCAiAuOieBhAIEiwAgjCvcje9ISGAmvTBY1QW2rsrko6EsOXHtusdv9rv1Ng9dE07C9gPDLKIsRoCxHgQAvD_BwE&gclsrc=aw.ds) and other user authentication systems. Therefore, they receive a new password aligned with the company’s systems’ requirements that they can either keep or change during their next login. In just a few seconds, they have their issue resolved, and your IT team does not even have to know about it! A ticket that logs the issue is automatically created on Slack or Teams and then synced to your ITSM platform for your records – no need to do this manually.
If you feel that you want to add an extra layer of control over password resets, then Gaspar AI still has you covered for airtight security. On the admin portal, you can set a password change approval requirement. In this case, the IT team or employee’s manager (depending on who you choose to review the password reset) would have to approve the change before the password can be modified. Again, this will be done directly on Slack or Teams: they would just receive a request to approve or decline the employee’s password change.
## Enjoy security to the maximum and password reset requests to the minimum
Overall, Gaspar AI’s self-service password reset is designed with security in mind and can be the most secure and efficient way for companies to reset passwords. Our self-service password reset is the most reliable way to keep accounts secure and minimize the related employee requests, increasing productivity for all teams and reducing the helpdesk cost per ticket.
If you would like to learn more, let's [schedule a demo](https://www.gaspar.ai/demo-request) with our team.