Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password resets and IAM friction: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Password resets account for 20% to 50% of IT help desk tickets and can cost about $70 each, according to Gartner and Forrester cited in the source article. The real issue is not the reset itself but the authentication and recovery model that keeps people and support teams trapped in avoidable friction.

NHIMG editorial — based on content published by Efecte: The Hidden Drains of Password Resets

By the numbers:

Questions worth separating out

Q: How should security teams reduce password reset burden without weakening access assurance?

A: Security teams should move to self-service recovery only when it is backed by strong verification, policy enforcement, and auditability.

Q: Why do frequent password resets increase credential risk?

A: Frequent resets often push users toward reuse, simplification, and other unsafe habits because the secure path feels too costly.

Q: What signals show that password recovery is failing as a governance control?

A: High ticket volume, repeated resets for the same users, inconsistent verification steps, and rising support dependence all indicate a weak recovery model.

Practitioner guidance

  • Strengthen recovery verification Require step-up verification for every reset path so the secure recovery route is easier than relying on manual help desk intervention.
  • Measure reset volume as a control signal Track reset tickets by user population, application, and access method to identify which authentication flows are generating the most friction.
  • Reduce dependence on weak password habits Pair password policy with controls that discourage reuse, simplify legitimate recovery, and remove incentives for unsafe user behaviour.

What's in the full article

Efecte's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames self-service password reset across hybrid environments and why that model reduces support dependence.
  • The implementation logic behind integrating reset workflows with authentication policy and multi-factor verification.
  • The article's discussion of user-experience trade-offs when shifting from manual support to automated recovery.
  • The European deployment and privacy framing that accompanies the vendor's IGA positioning.

👉 Read Efecte's analysis of the hidden cost of password resets →

Password resets and IAM friction: what teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Password reset overload is a governance signal, not just a service metric. When 20% to 50% of help desk tickets are resets, the identity programme is telling you that recovery has become a core access dependency rather than an edge case. That should trigger a review of authentication design, recovery assurance, and the amount of manual mediation still embedded in human IAM. The practitioner conclusion is simple: high reset volume is evidence of structural identity friction.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who is accountable when password reset processes enable account compromise?

A: IAM leadership, security operations, and the service owners of the affected applications all share accountability because reset design sits across authentication, support, and policy enforcement. If the recovery process can be abused, the control failure is organisational, not just technical. Good governance assigns ownership to the full identity path, including recovery and audit.

👉 Read our full editorial: Password resets expose the hidden cost of weak IAM design



   
ReplyQuote
Share: