Plan your Password Reset processes

To ensure security and efficiency, take the time to plan your Password Reset implementation.

Before you begin

Role required: password_reset_admin or admin

Procedure

  1. Decide on the password reset process:
    • Self-service process: Users reset their password over the Internet using a browser on any supported interface, including mobile devices. To make the Password Reset application with Orchestration available to all users publicly, create a new Password Reset process only for this purpose and make it accessible to all users by setting the Public access property.
    • Service desk-assisted process: Users reset passwords by requesting the assistance of a service desk agent, over the phone or in person. Only service desk agents with the password_reset_service_desk role can reset user passwords. Watch the videos: Resetting User Passwords (Video) and How to Set Up a Service Desk-Assisted Password Reset Process (Video).
  2. Understand how groups and roles differ in their access and security needs.
    Analyze and assess how members of each group in your organization access the system. For example, if members of the sales group primarily access the system remotely, consider using a stronger method or multiple methods to verify the identity of each user.

    Identify user roles that have access to critical information and resources. For example, stronger verifications might be required for roles that have access to employee data, accounting information, or network configurations.

    Based on your analysis of groups and roles, determine the number and variety of verifications needed for the different Password Reset processes.
  3. Consider how to manage credentials.
    Determine whether single sign-on is enabled with the type of directory service or other credential store used. If the directory service is configured for single sign-on, consider increasing the level of security by using multiple methods to verify identity of a user. A compromised user name and password can easily allow access to associated systems in a single sign-on environment.
  4. Consider how to implement enrollment in the Password Reset program.
    For example, will enrollment be optional or required? Will users be auto-enrolled? How will users be notified to enroll in the program? The answers to these questions will help you determine the appropriate verification types to use.
  5. Consider which Password Reset options to offer to users.
    • If your organization uses single sign-on, how will users reset their password if they are unable to log on?
    • What options are available to users working off-site?