Forcing Enrollment in a Self-Service Password Reset Solution

PeoplePassword, Web Active Directory’s self-service password reset solution, lets you urge or suggest that users enroll in the system.  One technique is to use the solution to send users periodic reminder emails, whether or not they are tied to an impending password expiration.  Sometimes urging users to take action isn’t enough.  Forcing enrollment in a self-service password reset solution such as PeoplePassword is also possible.

Importance of Enrollment in Self-Service Password Reset

If your organization has a self-service password reset solution, enrollment is essential.  Enabling your users to change their password frequently is vital for security reasons.  Empowering users to reset their password securely without calling the help desk helps security and represents real cost savings to IT.  With enrollment in PeoplePassword, you can capture other information from your users, such as their alternate email addresses and/or mobile phone numbers, and use these for multi-factor authentication via email and/or SMS messages.  (Not only SMS messages; you can have more secure messages sent to their phone as well.)  On another practical level, if you’ve purchased a solution, there were good reasons for doing so and you want people to use it.

Force Enrollment in Password Management Solution

Forcing enrollment in a solution like PeoplePassword is possible.  Forcing enrollment implies that you make your users temporarily unable to be productive until they enroll.  The main lever you have is to make it so they can’t log in to their account.  Unfortunately, this can lead to a “chicken and egg” problem.  If they can’t authenticate, how can they securely enroll?  You don’t want any unauthenticated user on the internet to be able to enroll in your self-service password reset solution.

PeoplePassword allows a way around this problem.  If you have some known data about your users that’s fairly secure (for example, a combination of their date of birth, the start date of their employment, and their employee ID), you can import this data into PeoplePassword.  Next, you can reset your users’ passwords to random secure values that they don’t know.  This action is the part where you are forcing their hand.

When they can’t log in, the user is directed to PeoplePassword to reset their password.  PeoplePassword will then ask them to initially identify themselves by answering the questions that you imported earlier.  PeoplePassword can require your users to finish enrollment before they can reset their password.  At that point, you might have them answer more questions (more secure and personal), answer a number of questions they select from a list, provide a mobile phone number, an alternate email address, etc.  Then they can reset their password and log in happily.  Resetting their password the next time will require them to jump through all of the hoops you have set up for them.
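The “forcing their hand” step above is an Active Directory operation rather than a PeoplePassword one.  The following PowerShell is an added example (not code from Web Active Directory or PeoplePassword) that resets the passwords of not-yet-enrolled accounts to random values nobody knows.  It assumes the list of un-enrolled accounts has already been exported to a CSV with a SamAccountName column; how PeoplePassword exports enrollment status is not covered on this page.

```powershell
# Added example: reset un-enrolled users' AD passwords to random values.
# Assumptions: RSAT ActiveDirectory module is installed, the caller may reset
# passwords, and a CSV of un-enrolled SamAccountName values already exists.
Import-Module ActiveDirectory

function New-RandomPassword {
    [CmdletBinding()]
    param([int]$Length = 24)
    # 64-symbol alphabet, so "byte % 64" is unbiased; uses the CSPRNG, not Get-Random.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!-'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-UnenrolledUserPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$LogPath = "$env:TEMP\forced-enrollment.log"
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.SamAccountName
        try { $user = Get-ADUser -Identity $sam } catch { $user = $null }
        if (-not $user -or -not $user.Enabled) {
            "$(Get-Date -Format o) SKIP $sam (missing or disabled)" | Add-Content $LogPath
            continue
        }
        if ($PSCmdlet.ShouldProcess($sam, 'Reset password to a random value')) {
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
            # Only the fact of the reset is logged; the password itself is never written anywhere.
            "$(Get-Date -Format o) RESET $sam" | Add-Content $LogPath
        }
    }
}

# Constructed sample input for a dry run; replace with the real export.
$sample = Join-Path $env:TEMP 'unenrolled.csv'
"SamAccountName`njdoe`nasmith" | Set-Content $sample
Reset-UnenrolledUserPassword -CsvPath $sample -WhatIf
```

Run with -WhatIf first to see which accounts would be affected; the log records who was reset and when, which is what the help desk will want when the calls start.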

In this way, you can force users to enroll.  The key is having some data about them that will uniquely identify them initially.