Blog

Empowering the end user to manage their own passwords (without stickies!). To enable users to reset their own passwords to target systems by first correctly answering a series of challenge/response questions through an application. To enable synchronization of passwords across heterogeneous systems.

Password Management capabilities are accomplished by different technologies. Some provisioning vendors will provide this capability, while others provide it as a standalone application. ESSO (Enterprise Single Sign-On) vendors provide this capability, although typically only to Active Directory.

• Real ROI. According to this article, each call to helpdesk costs the organization $22
• Central place to manage password policy
• Reduce the load on helpdesk by up to 30% 

• After 2 weeks on vacation, a user forgets their password...SSPR!
• An end-user is required to change their Windows password. Changing it changes passwords to all other systems.
• A road warrior is on the road in a hotel, and forgot his/her password. Clicks on the "Forgot my PW" link on the logon screen, and resets the password.
• IVR - Change your password over the phone.

For password management that is bundled with provisioning products, the architecture is very similar to the provisioning architecture. Other components may include a Windows GINA wrapper, and a DLL that sits on Domain Controllers.

Caveats:

Most products perform uni-directional synchronizations, which means that if native password resets in target systems are performed, passwords will get out of sync.