TL;DR: Password resets and authentication issues can account for 10-50% of help desk calls, and 20-40% of those calls could be avoided with self-service capabilities, according to Gartner cited by Imprivata. The real issue is not user inconvenience but an IAM operating model still built around high-friction passwords and avoidable support load.
NHIMG editorial — based on content published by Imprivata: password resets, self-service recovery, and passwordless access
By the numbers:
- Password resets and authentication issues can account for 10-50% of help desk calls.
- 20-40% of those calls could be avoided with self-service functionalities.
Questions worth separating out
Q: How should organisations reduce password reset volume without weakening access control?
A: Use self-service password reset only when the reset flow is protected by strong verification, audit logging, and policy enforcement inside a governed IAM or enterprise access management model.
Q: When does self-service password reset create more risk than it removes?
A: It becomes risky when the recovery workflow is easier to abuse than the original login process.
Q: What do security teams get wrong about passwordless authentication?
A: They sometimes treat passwordless as a front-end user experience change rather than a governance shift.
Practitioner guidance
- Measure password recovery as an access control cost. Track password reset volume, lockout frequency, and mean time to restore access alongside help desk metrics so identity leaders can see where access design is driving avoidable operational load.
- Require strong step-up verification for self-service resets. Use multifactor authentication, trusted device checks, or biometric verification before allowing password changes so the self-service path does not become a weaker recovery route than the help desk process it replaces.
- Embed self-service inside a governed enterprise access model. Tie reset policies, audit logging, and access workflows to your enterprise access management architecture so support deflection does not come at the expense of visibility or policy consistency.
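The first two guidance points can be checked from the same audit trail. The sketch below is an added example, not code from Imprivata or the original editorial: it computes reset volume, lockout count and mean time to restore access, and flags self-service resets completed without a strong step-up factor. The event schema, factor labels and sample events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Strong step-up signals named in the guidance; the label strings are assumed.
STRONG_FACTORS = {"mfa", "trusted_device", "biometric"}

# Constructed sample events in a hypothetical IAM audit-log schema.
EVENTS = [
    {"ts": "2024-05-06T08:00:00", "user": "alice", "type": "lockout"},
    {"ts": "2024-05-06T08:04:00", "user": "alice", "type": "reset",
     "channel": "self_service", "factors": ["mfa"]},
    {"ts": "2024-05-06T09:10:00", "user": "bob", "type": "lockout"},
    {"ts": "2024-05-06T09:50:00", "user": "bob", "type": "reset",
     "channel": "help_desk", "factors": ["agent_verified"]},
    {"ts": "2024-05-06T10:00:00", "user": "carol", "type": "lockout"},
    {"ts": "2024-05-06T10:02:00", "user": "carol", "type": "reset",
     "channel": "self_service", "factors": ["security_question"]},
    {"ts": "2024-05-06T11:00:00", "user": "dave", "type": "reset",
     "channel": "self_service", "factors": ["email_link", "trusted_device"]},
]

def analyse(events):
    """Summarise recovery cost and flag weakly verified self-service resets."""
    volume, lockouts = Counter(), 0
    open_lockouts, restore_minutes, weak = {}, [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "lockout":
            lockouts += 1
            # Keep the earliest unresolved lockout per user.
            open_lockouts.setdefault(ev["user"], ts)
        elif ev["type"] == "reset":
            volume[ev["channel"]] += 1
            started = open_lockouts.pop(ev["user"], None)
            if started is not None:
                restore_minutes.append((ts - started).total_seconds() / 60)
            # A self-service reset with no strong factor is a weaker
            # recovery route than the process it replaces.
            factors = set(ev.get("factors", []))
            if ev["channel"] == "self_service" and not factors & STRONG_FACTORS:
                weak.append(ev["user"])
    mean = sum(restore_minutes) / len(restore_minutes) if restore_minutes else None
    return {"volume": dict(volume), "lockouts": lockouts,
            "mean_restore_min": mean, "weak_self_service": weak}

if __name__ == "__main__":
    print(analyse(EVENTS))
```

Resets with no preceding lockout (a proactive password change) count toward volume but not toward time to restore.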
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Examples of self-service password reset workflows built for regulated and high-friction enterprise environments
- The way Imprivata positions enterprise access management as the framework that makes self-service governable
- Passwordless transition details, including the access signals and login scenarios the vendor says matter most
- The article's practical framing for healthcare and other sectors where uninterrupted access is operationally critical
Self-service password reset: what it means for IAM teams?
Explore further
Self-service password reset is a control design response to identity friction, not a UX feature. The article shows that password problems become operational debt when every recovery event must be mediated by IT. That debt appears as help desk volume, lost productivity, and inconsistent enforcement across systems. The practitioner conclusion is that reset workflows should be treated as part of the identity control plane, not a separate support function.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
A question worth separating out:
Q: How can IAM teams tell whether self-service is actually improving operations?
A: Look for lower password reset volume, shorter time to restore access, fewer help desk calls tied to authentication, and fewer unsafe workarounds from users. If those indicators do not improve, the self-service workflow may be shifting effort rather than removing it. A real gain shows up in both support load and user productivity.