Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password resets in enterprise IAM: what is your team doing now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Password resets remain a major enterprise friction point, with analyst estimates often putting 20% to 50% of help desk calls in this category and each manual reset taking 10 to 20 minutes, according to Bravura Security. The real issue is not convenience but identity governance, because weak reset processes create audit gaps and social-engineering openings.

NHIMG editorial — based on content published by Bravura Security: Password reset breakdowns expose the real enterprise IAM gap

By the numbers:

Questions worth separating out

Q: How should security teams reduce password reset risk in large enterprises?

A: Security teams should make password recovery a governed identity workflow, not a help desk exception.

Q: Why do manual password resets create security risk?

A: Manual resets create risk because they depend on humans, are hard to scale, and often rely on inconsistent verification.

Q: How do organisations know if password reset controls are working?

A: Look for fewer repeat lockouts, shorter recovery times, complete audit records, and lower use of manual overrides.

Practitioner guidance

  • Map reset flows as identity events Document every recovery path, including self-service, help desk, and exception handling, then assign control owners, approval points, and logging requirements to each step.
  • Enforce MFA before any reset is issued Require strong verification before password recovery, and block fallback methods that can be socially engineered or reused across systems.
  • Centralise reset audit evidence Store reset timestamps, identity proofing results, and administrator overrides in a single log stream so audit and incident teams can reconstruct activity quickly.

What's in the full article

Bravura Security's full article covers the operational detail this post intentionally leaves for the source:

  • A customer example showing how automated password reset reduced help desk demand and improved user experience.
  • A practical list of reset process bottlenecks that teams can audit before changing tooling.
  • A summary of features the vendor says matter in self-service password management, including logging and policy enforcement.
  • The vendor's own FAQ section on reset failures, compliance gaps, and support ticket reduction.

👉 Read Bravura Security's analysis of enterprise password reset breakdowns →

Password resets in enterprise IAM: what is your team doing now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Reset friction is a human identity governance failure, not an inconvenience metric. When organisations force users into slow or confusing recovery paths, they create the exact behaviours attackers rely on: reused passwords, credential sharing, and help desk social engineering. The control gap is not simply poor user experience. It is the absence of a reset process that preserves identity assurance under pressure. Practitioners should treat password recovery as part of access governance, not as a side workflow.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when password recovery fails an audit?

A: Accountability usually sits across IAM, security operations, and service desk ownership because password recovery spans identity policy and operational execution. If a reset cannot be traced, the organisation has an evidence gap as well as a control gap. Audit teams should require a named owner for the recovery workflow.

👉 Read our full editorial: Password reset breakdowns expose the real enterprise IAM gap



   
ReplyQuote
Share: