TL;DR: Password resets remain a major enterprise friction point, with analyst estimates often putting 20% to 50% of help desk calls in this category and each manual reset taking 10 to 20 minutes, according to Bravura Security. The real issue is not convenience but identity governance, because weak reset processes create audit gaps and social-engineering openings.
NHIMG editorial — based on content published by Bravura Security: Password reset breakdowns expose the real enterprise IAM gap
By the numbers:
- A global financial services firm reduced helpdesk calls by 25% after implementing automated password reset.
Questions worth separating out
Q: How should security teams reduce password reset risk in large enterprises?
A: Security teams should make password recovery a governed identity workflow, not a help desk exception.
Q: Why do manual password resets create security risk?
A: Manual resets create risk because they depend on humans, are hard to scale, and often rely on inconsistent verification.
Q: How do organisations know if password reset controls are working?
A: Look for fewer repeat lockouts, shorter recovery times, complete audit records, and lower use of manual overrides.
Practitioner guidance
- Map reset flows as identity events Document every recovery path, including self-service, help desk, and exception handling, then assign control owners, approval points, and logging requirements to each step.
- Enforce MFA before any reset is issued Require strong verification before password recovery, and block fallback methods that can be socially engineered or reused across systems.
- Centralise reset audit evidence Store reset timestamps, identity proofing results, and administrator overrides in a single log stream so audit and incident teams can reconstruct activity quickly.
What's in the full article
Bravura Security's full article covers the operational detail this post intentionally leaves for the source:
- A customer example showing how automated password reset reduced help desk demand and improved user experience.
- A practical list of reset process bottlenecks that teams can audit before changing tooling.
- A summary of features the vendor says matter in self-service password management, including logging and policy enforcement.
- The vendor's own FAQ section on reset failures, compliance gaps, and support ticket reduction.
👉 Read Bravura Security's analysis of enterprise password reset breakdowns →
Password resets in enterprise IAM: what is your team doing now?
Explore further
Reset friction is a human identity governance failure, not an inconvenience metric. When organisations force users into slow or confusing recovery paths, they create the exact behaviours attackers rely on: reused passwords, credential sharing, and help desk social engineering. The control gap is not simply poor user experience. It is the absence of a reset process that preserves identity assurance under pressure. Practitioners should treat password recovery as part of access governance, not as a side workflow.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why access governance cannot stop at primary login controls.
A question worth separating out:
Q: Who is accountable when password recovery fails an audit?
A: Accountability usually sits across IAM, security operations, and service desk ownership because password recovery spans identity policy and operational execution. If a reset cannot be traced, the organisation has an evidence gap as well as a control gap. Audit teams should require a named owner for the recovery workflow.
👉 Read our full editorial: Password reset breakdowns expose the real enterprise IAM gap