Sunday, April 06, 2008

Letter to ING Direct

Every customer I know who is interested in password management inevitably asks for Q&A-based self-service reset because that is the standard today. These customers quickly learn how inaccurate such a system is, and these systems can generate as much of a burden on IT helpdesks as the original expired password did, or more. After all, before this "new process" I just called the helpdesk, they reset my password and it worked - now I have to struggle through this "new and improved process", leading to further frustration and lost productivity. Case in point: my recent email to the Media Relations department (the closest email I could find to the business) at ING Direct, where my savings account is:

To Whom It May Concern,

I’ve had a rather unsatisfactory experience with your PIN login and reset feature exposed on your ING Direct website. After several calls to your help desk, they are unable to reset the PIN over the phone, and my attempts at resetting it online are frustrated by the fact that at least one of my security questions is no longer valid. As an Architect in the Identity and Access Management space, I can say that this method of password/PIN reset is inherently flawed, as the information captured is relative to the time it was given and the answers to these questions will change over time, leading to inaccuracy.

I’m sending this email to your department since you are most likely related to the business components within ING and not the technology side. Therefore, your requirements for ease of use and security can drive change in the customer facing portals and improve the overall customer satisfaction.

I would strongly urge you to consider implementing a technology like Windows CardSpace or OpenID. These technologies provide a secure method of authentication to web applications without the need to remember a unique account name and password for each site. While the company I work for – Ensynch, Inc. – would love a chance to speak to you about this, the most important consideration for ING is to reduce help desk support costs and improve the customer experience, which both of these technologies were designed to accomplish. Windows CardSpace also has the added benefit of providing additional phishing and identity theft deterrence built in, and the implementation of either technology would be a very small investment considering the amount of money you are spending servicing login support and mailing out PIN reset letters.

I now lose 5 to 7 days of service while I wait for them to mail me a piece of paper with my new PIN on it, and that was after spending 10 to 15 minutes speaking to customer service reps. Conservative estimates would place the cost of that call anywhere from $7 to $35, while most enterprises spend as much as $150 per call to the helpdesk. Combine that with the lost earnings ING takes while I'm not able to transfer money, and this ends up being an expensive transaction.

Q&A password reset gating is not the answer here folks - the only practical alternatives internally are centered around SmartCard solutions, but in the B2C realm this boils down to InfoCard-based transactions. The password/pass-phrase is dead - please let it rest in peace. PINs aren't much better, but in conjunction with SmartCard self-service they are the best we have currently. Personally, I'd love to see managed InfoCards used to replace or supplement the PIN reset process as well.
