The ability to reset one's own password for business email may not seem that important for your organization's cyber security and budget, but it actually matters more than you think. After all, resetting your own password isn't a new thing. Almost any website that requires you to log in with a username and password also gives you the opportunity to reset your password without having to call or email into a support desk. Even though it has been around for a few years now, Self Service Password Reset was not always a feature in Office 365 and that could be the reason why so few organizations know about or utilize it. I spoke with Steve Cornell, our Service Desk Manager, about Self Service Password Reset in our livestream on 4/24. You can watch the recorded version on the left (don't forget to like and subscribe!). During this livestream, Steve and I discussed the many benefits of using SSPR and gave a quick walkthrough of the initial setup. Even though this is enabled by default for our clients, unless end-users complete the process shown in the video, then they will not be able to reset their own password. So, if you are an admin reading this, make sure your users follow through. Why bother? Well, password reset requests account for 20% of all IT organizations' support calls. Not only that, but it also leads to an improved end-user experience because users no longer have to wait for the Support Desk to get back to them. So instead of being locked out of their accounts for a few hours or even days, end-users have the power to get back into their account without delay. As for the security side of things, SSPR takes the guess work out of authenticating the person on the other end of the phone. As we've discussed in previous blog posts, phishing is more prevelent than ever and attacks are getting increasingly more sophisticated. It only takes one misjudgement from the support desk engineer to compromise an account and possibly the entire organization. By factoring out the risk of human error and replacing it with SSPR authentication options, the security of the entire organization increases. The admin doesn't have to give up any control either; he or she still dictates the policy. From which authenticated methods are used to how many validations are required, the system is designed to let only the right person in. Speaking of authentication methods, there are currently four options to choose from:
- Send a text message to a validated mobile phone.
- Make a phone call to a validated mobile or office phone.
- Send an email to a validated secondary email account.
- Answer their security questions.
If you are an end-user and don't see one of these options when you go to reset your password, it's because your admin has not enabled it. I should also note that right after our livestream completed, a viewer wrote to us and said their SSPR was not working. After investigating we found the viewer's organization is using their on-premise Active Directory and not Azure Active Directory. If you don't know what any of that means, don't worry. It just means their passwords are not controlled in Office 365 and therefore SSPR does not work for them (actually we could upgrade their licenses and enable a password-writeback policy, but that's a completely different blog post altogether). For most organizations though, SSPR will work as intended.