As long as passwords are used, employees will forget them. For many IT support functions, resetting user passwords is a time-consuming and repetitive burden on resources.
Two years ago, at global logistics provider TNT, the burden had become too great. With 32,000 IT users around the world, the company's IT helpdesks were inundated with password reset requests.
"We were getting a lot of complaints from helpdesk managers about the number of password resets their staff had to do," recalls Mark Lawley, identity management infrastructure team leader at TNT. "One of our divisions, the Benelux unit, worked out that password resets took up the equivalent of one whole employee's time."
The company did not know precisely how many requests were made – it was often easier for helpdesk staff just to perform the reset without logging the issue in its IT service management systems – but it knew it was too many.
And it was not just a workload problem. Resetting passwords over the phone is not the most secure approach, and it left open a window for potential compliance violations. "If a van driver hasn't turned up and someone else needs to access their system, the easiest way is to phone up the helpdesk and pretend to be them."
TNT decided, therefore, to support self-service password resets using CA Technologies' Identity Minder software. The tool integrates with IT systems and applications to access user account and password information, and allows users to reset their own passwords from a portal on their own desktop.
The implementation began in 2010, and over the last two years TNT has been rolling out the system across its many geographies. By the time it had been deployed in all but a few countries, Lawley and his team found that the system was supporting 2,500 password resets a week.
That, Lawley and his team calculated, translates to a huge monetary saving for the company. "We had estimated that each password reset cost us about £10 in [IT support] time, lost business productivity, and the technology to support it," Lawley explains. "We also estimate that each self-service reset costs around 85% less.
"So when you multiply that 2,500 a week figure by 52 weeks for each year, we're saving just over £1 million," he says.
This is more than Lawley anticipated, and means that the system had "pretty much" paid for itself after a year of full deployment.
Technically speaking, the system has not been difficult to deploy so far. Identity Minder hooks into applications through what CA calls a 'Java connector', and TNT has linked it in with all of the applications for which there are "out of the box" connectors.
"That leaves us with applications that we built ourselves, and we are looking to see whether we need to use TNT's own Java programmers or use CA services to integrate them," he says.
But the success of the system also relied heavily on encouraging employees to use it. "The key to this project was getting user engagement," says Lawley.
Lawley and his team therefore collaborated with business users around the world throughout the development of the system. "We wanted the business to see the look and feel of what we were building," he explains. "We showed them the system and used their feedback on the user interface, for example."
"It was also important to get support from our [local IT staff] because they were going to have to sell the solution to users," he says. "If they weren't engaged and felt it was too difficult to use, they wouldn't have encouraged users to adopt it."
The system allows users to reset their passwords once they are logged into their desktop. Of course, users might also forget their desktop passwords, so TNT used the Graphical Identification and Authentication (GINA) functionality of Microsoft's Windows operating system to install a pre-login password reset function based on memorable information questions.
That required employees to provide the answer to one of six questions (e.g. "What is your mother's maiden name?"), for which they needed some encouragement. "The various business units handled that in different ways," explains Lawley. "Some of them had competitions, giving employees USB keys for completing the answers. Others went the other way, and asked us for a list of users who hadn't done it."
With employees in over 40 countries, the challenge of identifying six questions that were culturally relevant for everyone was not trivial. Nevertheless, TNT stuck to just six, as the chance that users might forget which question they answered could have led to yet more password reset requests.
TNT is now implementing Identity Manager's user provisioning features, as well as 'single sign-on' functionality based on CA's Site Minder product. This, Lawley admits, may make self-service password resets redundant for many systems, but with such a rapid return on investment, deploying the functionality was a valuable way to start its password security management refresh.