10 Best Self-Service Password Reset (SSPR) Software / Products
What are the 10 best SSPR solutions for you to consider for your SSPR project?
We think you can find more than 100 products that include self-service password reset somewhere, somehow. We have, however, selected 10 SSPR products that you can choose as stand-alone SSPR solutions regardless of your present set-up, and that we meet in competitive SSPR situations for midsized and large organizations.
This guide is primarily intended for organizations from 500 users and upwards (+100,000 users), so products focusing on smaller accounts have been left out.
The products are from:
All products have been compared against the chosen criteria:
*No email required
Overview of Solutions
If you have implemented or worked with Identity Management solutions you have learned how complicated your own organization is, and how difficult it is to match reality to the simplicity of the solution. What looked so simple in the demonstrations before buying has now become complex, because you have an unlimited number of different scenarios.
It is the same situation for SSPR solutions. Different countries, different divisions, different security sensitivity, different devices, different languages and more. Don’t expect that one set of rules and processes will satisfy your situation.
If this flexibility is not present, you will not be able to get user acceptance, or you might not even be able to offer the solution to a significant number of users. It will degrade your productivity case.
FastPassCorp is dedicated to solutions for password security and secure identity verification. The first version was developed as a general add-on to Identity and Access Management solutions. Later the focus was expanded to integrate with popular ITSM solutions, as much focus was on the service desk productivity.
To integrate with many different solutions and organizations, FastPass is strong in configurational flexibility.
FastPass adds functionality for corporate passwords such as SAP, Oracle, IBM and others, for both Synchronization and Direct Password Reset.
To protect the password reset process in service desks, the Identity Verification Manager module has been added, which protects against social engineering (vishing).
FastPass Enterprise is available on-premise/cloud and as a multi-tenant version.
In the group “Active Directory Management” you will find: ADSelfServicePlus which includes self-service of password reset.
A Standard and a Professional version are available. Our comparison is based on the Professional version. As ADSelfServicePlus is part of a large family of products, investigate which product the functionality you are interested in comes from.
The ManageEngine solution offers synchronization to some systems, but doesn’t offer Direct Password Reset for passwords other than Windows.
ManageEngine has a wide range of MFA offerings.
There is good integration with ManageEngine’s own IT service desk product, but check how it will work with your ITSM tool.
Regarding localization, you might not find all the languages you need.
If you are licensed for Azure Active Directory Premium, you have access to Azure AD self-service password reset. If you don’t have this license, it is rather expensive to get if your only requirement is password self-service.
The self-service functionality is well integrated into the users’ flow. As with other Microsoft offerings it is with an entire focus on Microsoft’s other products and services.
Don’t expect to find synchronization or direct password reset to other types of passwords.
Many popular MFA devices are not available with Azure. It is possible to configure your central Active Directory to have some kind of password synchronization between the two directories. Neither Azure AD Free nor Business Standard enables users to reset, change or unlock their password within a hybrid on-premise environment. The on-premise writeback feature using AD Connect requires Azure AD Premium 1, Premium 2 or Microsoft 365 Business Premium, which comes with a significant cost.
MFA options must be defined for all users and cannot be tailored per user group.
Can only enforce a maximum of 2 MFA options.
Microsoft always has strong language support. It is, however, not possible to localize the customer’s own security questions, making global rollout difficult.
If you are not licensed for Azure Active Directory Premium and still want to use Microsoft products, then Microsoft Identity Manager (MIM) offers self-service of passwords.
With MIM you have a very limited choice of authentications. The basic function for Windows Desktop login is phone-based call back. For web-based authentication it is the phone call back or SMS.
If synchronization of passwords is enabled in MIM, you have access to connectors for many corporate passwords. SAP doesn’t appear amongst them.
Enrolment is integrated into the enrolment for the identity process in general.
This is a service only of interest for dedicated Microsoft installations!
Owned by MicroFocus, a software distributor and producer with a very high number of products.
“NetIQ Self Service Password Reset is a simple, secure and easy-to-deploy password self-service application that helps users reset or re-enable their own network passwords”
NetIQ is an Identity Management platform which includes SSPR. It is possible to get SSPR stand-alone, and this guide evaluates it as a stand-alone SSPR product. Together with the IDM solution more options are available, but then it is an Identity Management project, which is a much more complicated project to engage in than an SSPR project.
Self Service Password Reset directly integrates with most enterprise environments that utilize LDAP-compliant directories such as Microsoft Active Directory, eDirectory, and Oracle.
NetIQ password synchronization is available with MicroFocus Identity Vault.
HelpDesk integration is limited to support the light service.
Few languages for localization.
OKTA SSPR can be independent, but many functions you will expect in an SSPR solution are delivered from the OKTA engine, which is an Identity product. This makes it difficult to compare with other SSPR products.
In OKTA SSPR you will not find password synchronization, but OKTA will expect you to find this in their SSO product!
The end-user authentication is surprisingly limited: email or SMS plus questions.
Beware when reading about the OKTA password self-service. Often it means password self-service for the OKTA Identity product and not Windows passwords!
Quest offers a wide range of software products. One group is focused on Identity Management: For Quest this is OneIdentity which offers an SSPR module as well.
OneIdentity password reset for other types of passwords than AD is based on the OneIdentity Identity Management product and is not integrated in the SSPR.
Q/A based authentication is limited to SMS/Email, questions and OKTA.
Languages for multiple countries are limited and not flexible.
We see no support for the assisted password reset process in the service desk.
Overall, this seems to be an easy add-on for the Identity Solution.
Specops has a number of products for AD administration and self-service, and has for many years offered a password self-service tool, Specops Password Reset.
This product has recently been surpassed by the new uReset, which is cloud based. As this seems to be the favorite offering for new accounts, we have used uReset for this comparison. If you want Specops to deliver an on-premise version, you must go for the older version.
uReset is only for Windows passwords.
It has a comprehensive set of authentication options available.
For localization uReset still seems to be at the beginning as only 7 languages are available, making it difficult to get end-user acceptance internationally.
Thycotic is a well-known supplier of security software. For passwords they have been successful with the solution for privileged password management: PAM.
Thycotic delivers a solution for end-user password reset (SSPR) too.
This is, however, a simpler solution with support for Windows passwords only and a very limited scope for authentication: email, SMS and questions.
It might be the right solution for customers of other Thycotic products.