I was once told that the average cost for a help desk call was something like $20 or $25. That's per call. The exact amount isn't as important as is the meaning behind that number. Each and every time someone calls in for help, you or whoever is sitting at the help desk needs to assist. That assistance costs your company money.

It's of particular issue when most companies treat IT like a cost center, most especially SMB companies. With these, every action by IT creates a cost to the company. Thus, keeping those costs minimized is good for business.

While your exact dollar-per-call amount might be more or less than that analyst's estimate, you certainly recognize the value in reducing help desk calls. Fewer calls means getting more of the real work done, or at least the more interesting work. It means working regular hours instead of working excessive hours.

There's one particular help desk call that's been inordinately painful for years: Forgotten passwords. I call them inordinately painful, because they're such a simple process. Someone forgets their password and needs to enter a new one. The problem is that using Microsoft's built-in tools, you the administrator need to be part of that process. You've got to bring up Active Directory Users and Computers, find their name, reset the password, speak that password to them V-3-R-Y-S-L-0-W-L-Y over the phone, and hope they don't call back again soon.

What you really want is some solution that enables users to change their own passwords. Such a solution would allow a user to help themselves when they've forgotten their dog's name or the sixth variant on their kids' birthdays. Yeesh.

So if a self-service password solution is so globally desired and the problem seems so fantastically easy, why haven't we enjoyed one up until now? In actuality, automating the problem is more difficult than it seems. Security can be a real issue if it's not implemented correctly, or if the solution doesn't have the correct mechanisms in place to protect users and data.

With this in mind, let's talk about what a good self-service password solution might look like.

Password Self-Service: An Architecture

A self-service password solution has to be fairly well thought out. It's not a solution that you'll be whipping up overnight with a few lines of VBScript or PowerShell code. At least, you won't be doing so while maintaining the kind of security that kind of solution really requires.

The first problem has to do with the solution's GUI. If a user is locked out of their account, then they're at the same time locked out of your entire computing infrastructure. They can't 'just bring up Internet Explorer', because Internet Explorer for them is locked behind a now-impassible Control-Alt-Delete screen.

Some password solutions get around this by using a password change kiosk computer. That kiosk computer generally remains logged in with a generic account. It provides a way for locked out users to access a special web site on which they can change their password.

While that design gets the forgetful user past the Control-Alt-Delete prompt, the kiosk method as you can imagine automatically adds its own set of problems. Most security and compliance regulations don't like always-logged-in computers. Even regulation-less SMB companies don't want to spend the cash for a computer, monitor, and desk space that does little more than wait for a forgetful user. No, the kiosk method just isn't a workable solution.

Another option might be for the forgetful user to access the web site through another user's logon. Most users are located near each other, so hopping over to another user's desk to complete the reset should be a quick solution, right? Perhaps, but those same security and other regulations really frown on sharing computing resources for any reason. More to the point, how do you handle users that aren't near other users with this design? If Don the forgetful user is at a coffee shop in Timbuktu, seventeen time zones away from the nearest company computer, he's going to need a long flight to fix his password problem. No, the 'hey buddy, can you spare a computer' idea doesn't work either.

What you really want is a solution that works hand-in-hand with that Control-Alt-Delete prompt. A really workable solution might update the GINA, or Graphical Identification and Authentication DLL, on each user's computer. An updated GINA can be extended to include self-service capabilities. Those capabilities might be exposed at the Control-Alt-Delete prompt itself, or just behind it. With controls right at the user's desktop, they can manage their password problems easily on their own.

A second problem has to do with the secondary authentication required to prove a user is indeed who they say they are. It's the password that proves to me that Don is in fact Don. Without that password, Don has completely lost his ability to assert his identity. Who are you again?

That's why self-service password solutions typically lean on a series of extra questions to validate a user. You've seen these questions before, probably when you've forgotten an online password from your favorite website. What's your mother's maiden name? First car? Favorite movie? Dog's name? A self-service solution needs to ask this series of difficult-to-hack questions to prove a user's identity.

Those same questions and their answers need to be validated. High security environments might require high sensitivity to the exactly-correct answer. Environments with lower security requirements might find some flexibility with answers to be acceptable. 'Toyota Tacoma' versus 'toyota tacoma' (not my first car!) might be acceptable for some, but not others. Since answers to questions are string values and not exact passwords, a good solution will allow you to throttle the sensitivity based on your needs.

A third, huge problem deals with the storage of that secondary data. As you implement a self-service solution, you're suddenly asking users for a large amount of very personal data. You may be asking the same kinds of secondary questions that you'll find on external websites. Your users won't want to give you this data if they suspect it can be used for other more nefarious purposes.

Being information that is specific to that user and their personal lives, the data you collect for your secondary questions must be controlled as personally identifiable information. Doing so adds a level of extra care and due diligence to your management activities. The simple act of storing this data adds risk. You must manage that risk.

It's for all these reasons why a solution you'll want must store that data with ridiculous levels of security. You'll want it encrypted, authenticated, and otherwise kept out of the way of prying eyes if you're to stay out of trouble. As you can imagine, self-service solutions that simply store data in Active Directory might actually harm you more than help in the long run.

Password Self-Service: What you Get

So a self-service password solution really isn't a trivial piece of software. It must be exquisitely secured, but at the same time very accessible so that even unauthenticated users can use it. That's a dichotomy that requires a really good solution. Keep your eyes open for those that fulfill the three problems I suggest above.

Now all this stated, there's another future state that you can guess might benefit you once you get a self-service solution in place. That future state is one where passwords are far less of a problem for users. Imagine with me for a minute what that might look like.

In an environment where a lost or forgotten password isn't a huge problem, users no longer need to concern themselves with 'reminders'. You know the type: The little yellow sticky notes buried in desk drawers, under keyboards, or (in the most egregious of cases) stuck right on the front of monitors. When users won't suffer hours of downtime for forgetting their password, you can dictate eliminating those sticky notes more strictly. Arguably, they might not come out in the first place.

Another feature of self-service is your ability to require passwords that are slightly more complex, or that requires rotation more often. A more complex password is less likely to be hacked, even as it requires more thought on the part of the user. A password that's more-often rotated hinders hacking even farther. When users can create complex passwords knowing they won't be locked out they're less likely to complain and less likely to use their own'ahem''reminders'.

Lastly, what you get is time. Even if your average cost per call isn't $20 or $25 dollars, that cost per call is probably 10 or 15 minutes of your time. That 10 to 15 minutes includes the time to actually complete the call and the password change, as well as the extra time to remember what you were doing before the call came in. Eliminating yet another distraction enables you the SMB IT Pro to focus your attentions on the projects that matter. It also greatly assists you with getting those projects out the door on time, which is a feature that every employer loves.