Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password resets: what they mean for IAM teams and security


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Password resets account for 20% to 50% of IT support tickets, cost about $70 each, and can consume four hours a week for IT teams, according to Gartner, Forrester, and EMA. The real issue is that recovery workflows remain a high-friction identity control that degrades productivity while exposing organisations to password reuse and credential theft.

NHIMG editorial — based on content published by Efecte: Salasanojen palautusten näkymätön kuormitus

Questions worth separating out

Q: How should security teams reduce password reset volume without weakening access control?

A: Start by identifying which applications, user groups, and recovery methods generate the most resets.

Q: Why do password resets remain a security concern in mature IAM programmes?

A: Because recovery is often the easiest way around a well-designed login flow.

Q: What do organisations get wrong about password recovery and helpdesk support?

A: They often treat recovery as an operational nuisance instead of a control surface.

Practitioner guidance

  • Measure reset volume as an identity risk indicator Track password reset tickets by application, user group, and recovery method so you can see where identity assurance is degrading.
  • Replace knowledge-based recovery with stronger verification Remove recovery paths that rely on guessable questions, email-only confirmation, or inconsistent manual checks.
  • Separate low-risk self-service from exception handling Allow routine self-service recovery for standard cases, but route privileged users, unusual device contexts, and repeated failures into a higher-assurance review path.

What's in the full article

Efecte's full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the ticket-volume and productivity impact behind password resets in more operational detail.
  • It explains how helpdesk workflows, directory services, and authentication steps combine to create the service burden.
  • It shows how password reset handling affects employee experience in hybrid work environments.
  • It outlines Matrix42's IGA-oriented self-service approach for organisations evaluating automation options.

👉 Read Efecte's article on the hidden cost of password resets →

Password resets: what they mean for IAM teams and security?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Password reset is a governance control, not a convenience feature. The article is right to frame resets as an operational burden, but the deeper issue is that every recovery flow defines who can re-enter the identity perimeter without starting from zero. In human IAM, that makes reset design part of assurance, auditability, and fraud resistance. Organisations that treat it as a service desk routine are underestimating its role in identity trust.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How do teams know whether password recovery is actually working well?

A: Look for fewer tickets, lower repeat-reset rates, shorter time to regain access, and fewer helpdesk escalations for standard users. If recovery is efficient but users still create weak passwords or support keeps re-verifying the same people, the process is not healthy.

👉 Read our full editorial: Password reset burden is a hidden IAM cost and risk driver



   
ReplyQuote
Share: