
Self-service password reset: what it changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Password resets and authentication issues can account for 10-50% of help desk calls, and 20-40% of those calls could be avoided with self-service capabilities, according to Gartner. That makes password recovery a cost, productivity, and governance problem, not just a support issue, and passwordless adoption is the structural answer.

NHIMG editorial — based on content published by Imprivata: Password resets drain IT budgets and waste employee time

By the numbers:

Questions worth separating out

Q: How should security teams reduce the cost of password resets without weakening access control?

A: They should move recovery into a governed self-service flow that uses MFA, device trust, and audit logging before any password is reset.

Q: Why do password-related requests stay expensive even when organisations tighten password policies?

A: Because stricter password rules often create more friction, which increases lockouts, user workarounds, and support demand.

Q: What should IAM teams measure to know whether self-service reset is actually helping?

A: They should measure reset volume, lockout frequency, mean time spent on recovery, and the share of support calls tied to authentication.

Practitioner guidance

  • Track password recovery as an identity metric: separate help desk tickets for password reset, lockout, and recovery from broader support demand so IAM leaders can see where access friction is consuming budget and time.
  • Bind self-service reset to stronger proofing: require MFA, device trust, or equivalent assurance before allowing recovery, and log every reset so the recovery path is auditable across the enterprise.
  • Use reset data to justify passwordless migration: compare reset volume, lockout frequency, and support cost before and after rollout to show whether passwordless methods are reducing operational friction.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Specific self-service password reset workflow examples for enterprise environments with mixed legacy and modern applications
  • How the vendor positions enterprise access management as the container for recovery, authentication, and governance
  • Operational examples of passwordless methods such as device trust, biometrics, and contextual login signals
  • The article's cost-saving framing for help desk reduction and employee productivity improvement

👉 Read Imprivata's analysis of self-service password reset, IAM cost, and passwordless access →

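The governed reset path and the recovery metrics from the practitioner guidance above, as an added example written for this thread (it is not Imprivata's product code and not part of the original post). The `mfa_verified` and `device_trusted` flags are assumed to be asserted by an upstream IdP and device-posture check, and the help-desk ticket shape and sample tickets are constructed here:

```python
"""Governed self-service password reset with an audit trail, plus the
recovery metrics the guidance recommends. Added example with assumed inputs."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import secrets


@dataclass
class RecoveryRequest:
    user_id: str
    mfa_verified: bool      # assumption: set by a completed MFA step at the IdP
    device_trusted: bool    # assumption: set by a device posture / trust check
    new_password: str
    source_ip: str


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    outcome: str            # "reset" or "denied"
    reason: str
    source_ip: str


class SelfServiceReset:
    """Proofing first, credential change second, every outcome logged."""

    def __init__(self) -> None:
        self._credentials: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.audit_log: list[AuditEvent] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _record(self, req: RecoveryRequest, outcome: str, reason: str) -> AuditEvent:
        event = AuditEvent(datetime.now(timezone.utc).isoformat(),
                           req.user_id, outcome, reason, req.source_ip)
        self.audit_log.append(event)
        return event

    def reset(self, req: RecoveryRequest) -> AuditEvent:
        # Assurance gates run before any credential is touched. Denials are
        # logged as well, so lockout and abuse patterns show up in one trail.
        if not req.mfa_verified:
            return self._record(req, "denied", "mfa_required")
        if not req.device_trusted:
            return self._record(req, "denied", "untrusted_device")
        salt = secrets.token_bytes(16)
        self._credentials[req.user_id] = (salt, self._hash(req.new_password, salt))
        return self._record(req, "reset", "self_service")

    def verify(self, user_id: str, password: str) -> bool:
        if user_id not in self._credentials:
            return False
        salt, digest = self._credentials[user_id]
        return secrets.compare_digest(digest, self._hash(password, salt))


# Metrics: separate authentication tickets from general support demand.
AUTH_CATEGORIES = {"password_reset", "lockout", "account_recovery"}


def recovery_metrics(tickets: list[dict]) -> dict:
    """Each ticket is {'category': str, 'minutes': handling time}; constructed shape."""
    auth = [t for t in tickets if t["category"] in AUTH_CATEGORIES]
    resets = sum(1 for t in auth if t["category"] == "password_reset")
    lockouts = sum(1 for t in auth if t["category"] == "lockout")
    mean_minutes = sum(t["minutes"] for t in auth) / len(auth) if auth else 0.0
    share = len(auth) / len(tickets) if tickets else 0.0
    return {
        "reset_volume": resets,
        "lockout_count": lockouts,
        "mean_recovery_minutes": round(mean_minutes, 1),
        "auth_share_of_tickets": round(share, 3),
    }


# Constructed sample help-desk export: 10 tickets, 5 authentication-related.
SAMPLE_TICKETS = [
    {"category": "password_reset", "minutes": 12},
    {"category": "password_reset", "minutes": 8},
    {"category": "lockout", "minutes": 15},
    {"category": "account_recovery", "minutes": 30},
    {"category": "password_reset", "minutes": 10},
    {"category": "vpn", "minutes": 25},
    {"category": "printer", "minutes": 5},
    {"category": "email", "minutes": 20},
    {"category": "hardware", "minutes": 40},
    {"category": "software_install", "minutes": 18},
]

if __name__ == "__main__":
    svc = SelfServiceReset()
    print(svc.reset(RecoveryRequest("alice", True, True, "correct horse staple", "10.0.0.5")))
    print(svc.reset(RecoveryRequest("bob", True, False, "anything", "10.0.0.6")))
    print(recovery_metrics(SAMPLE_TICKETS))
```

The denied attempts land in the same audit log as successful resets, which is what makes the "lockout frequency" figure measurable from the identity system itself rather than only from help-desk tickets; the metrics function then gives the before/after numbers the guidance asks for when judging a passwordless rollout.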
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Password recovery is not a support edge case. It is a structural IAM cost centre. The article is right to treat reset volume as a business problem because the failure is systemic, not occasional. Password-based recovery keeps absorbing time, money, and user attention long after organisations assume the issue is solved. Practitioners should read this as a sign that recovery design belongs in identity architecture decisions, not just service desk planning.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant behaviour gap in day-to-day control execution.

A question worth separating out:

Q: What is the difference between self-service reset and passwordless authentication?

A: Self-service reset still depends on passwords, but it changes who performs the recovery and how it is authorised. Passwordless authentication removes passwords as the primary login factor altogether, which reduces the need for recovery in the first place. In most programmes, self-service is the short-term efficiency move and passwordless is the longer-term structural fix.

👉 Read our full editorial: Self-service password reset reduces IAM cost and user friction
