Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password resets and IAM friction: what identity teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Frequent password resets drive helpdesk load, productivity loss, and security risk, with Gartner estimating 20 to 50% of IT tickets and Forrester placing the average reset cost at about $70 per event. The broader issue is that reset-heavy environments still depend on fragile human authentication patterns that modern identity governance should reduce, not absorb.

NHIMG editorial — based on content published by Efecte: Die versteckten Kosten von Passwort-Zurücksetzungen

By the numbers:

Questions worth separating out

Q: How should security teams reduce password reset volume without weakening account security?

A: Start by identifying which resets are caused by policy, which by user error, and which by missing self-service.

Q: Why do frequent password resets increase security risk?

A: Frequent resets increase risk because they encourage weak user behaviour such as password reuse, predictable patterns, and reliance on fallback channels.

Q: What signals show that password reset processes are failing?

A: Look for persistent helpdesk demand, repeat requests from the same users, long handling times, and rising use of manual exceptions.

Practitioner guidance

  • Measure reset demand by identity segment Break down password reset volume by employee group, device type, location, and privileged access tier so you can see where the highest friction is concentrated.
  • Move routine recovery to verified self-service Replace manual reset handling with self-service flows that require strong identity verification and policy checks before access is restored.
  • Treat recovery as part of MFA design Use multi-factor authentication or an equivalent step-up control on the recovery path itself, not only at initial sign-in.

What's in the full article

Efecte's full article covers the operational detail this post intentionally leaves for the source:

  • The exact support and productivity cost framing behind password reset volume, including the assumptions used to estimate per-reset expense.
  • The vendor's self-service reset and MFA workflow considerations for hybrid environments, including how it ties to helpdesk reduction.
  • The article's GDPR and deployment-model context for European organisations that need to align reset handling with local compliance and hosting choices.

👉 Read Efecte's analysis of the hidden cost of password resets →

Password resets and IAM friction: what identity teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Password reset volume is an authentication governance problem, not a support inconvenience. When helpdesk queues absorb a large share of identity work, the organisation is revealing that its access recovery model is too dependent on manual validation. That pattern weakens both productivity and assurance because the same weak workflow is repeated at scale. Practitioners should read high reset volume as a sign that identity design is compensating for poor authentication ergonomics.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Which frameworks are relevant to improving password reset governance?

A: NIST SP 800-63 Digital Identity Guidelines are directly relevant because they address assurance in identity proofing, authentication, and recovery. For IAM teams, the practical test is whether the reset path preserves the same level of trust as the sign-in path, or quietly lowers it.

👉 Read our full editorial: Password resets expose the real cost of weak identity governance



   
ReplyQuote
Share: