Password reset requests take up a lot of your Help Desk technicians’ time. Save time and money with a self-service password reset tool.
Here is our list of the best self-service password reset tools:
- ManageEngine ADSelfService Plus – EDITOR’S CHOICE This system implements a self-service password reset utility for users, along with multi-factor authentication and single sign-on. It offers the option of using iOS or Android mobile devices for identity proof and interacts with Active Directory. Available for Windows Server, AWS, and Azure. Access a 30-day free trial.
- N-able Passportal Blink – An add-on for the Passportal password locker system that implements SSPR. This is a cloud-based service.
- FastPass SSPR – A self-service password reset tool that interfaces to many ARMs, including Active Directory. Available as a cloud-based SaaS platform or for installation on Windows Server.
- Avatier Identity Anywhere – An identity and access management service that can implement a number of methods for self-service password reset, including proof of identity with a mobile app.
- Specops uReset – Provides an interface to user account records in Active Directory as an SSPR. This is a cloud-based service.
- Okta – This cloud-based platform provides customer and workforce user account management packages with SSO and SSPR features.
A self-service password reset system is also known as an SSPR. It can update access rights manager (ARM) records automatically, allowing the user to regain access without the involvement of the Help Desk. Most SSPR services are included with wider packages of credentials management mechanisms, such as single sign-on.
Active Directory enables failed login attempts to be limited, and the repeated entry of an incorrect password can lead to an account being locked out. Tools that update Active Directory or Entra ID (Azure AD) should be able to reset the lockout flag on a user account record.
The issue of password resets is closely tied to system security and ease of access for authorized users.
The Best Self-service Password Reset Tools
Methodology for selecting the best self-service password reset tool for your business
Password security outweighs the convenience of letting users manage their own accounts, so competence and security were the most important attributes that we looked for in a brand. Apart from those considerations, these factors were important when we made our selection.
- Requires proof of identity before allowing a password change
- Nice to have a mobile app for multi-factor authentication
- Secure connection to the access rights manager
- Immediate and automatic updates to the ARM
- Integrates password policy enforcement
- Activity logging for security auditing
- Value for money from a self-service password reset system that saves money spent on the Help Desk
We made sure that the list mixes tools that are available on the cloud with others that are delivered for on-premises hosting.
1. ManageEngine ADSelfService Plus – FREE TRIAL
ManageEngine ADSelfService Plus is able to connect directly to applications to update their user account records and will also update mass access rights systems, such as Active Directory and Entra ID (Azure AD). This action is facilitated by a series of integrations that the administrator has to select from a library of plugins when setting up the ADSelfService Plus instance.
Key Features:
- Provides a library of integrations: Connectors to applications
- Updates Active Directory: Interfaces to Active Directory and Entra ID
- Mobile app: Enables identification for multi-factor authentication
- Single sign-on updates: Passes updates to every application as well as Active Directory
- Password policy integration: The SSPR application doesn’t bypass password complexity requirements
Why do we recommend it?
ManageEngine ADSelfService Plus provides a quick way for authorized users to prove their identities through multi-factor authentication in order to get passwords changed. This is a safe and secure system that connects to multiple applications to ensure that all accounts for a user are updated in a coordinated effort.
I found that this package doesn’t let anyone change a user account password. The user requesting a password update has to use at least one of 20 available mechanisms for authentication in order to use the SSPR service. The administrator needs to select which identification methods to use, and then these will be integrated into the password reset process.
Who is it recommended for?
This package is essential for any business. It is able to manage user credentials in Active Directory and many other applications, including cloud services. ManageEngine provides a free edition for small businesses – it is limited to 50 users. Endpoint MFA is available as an add-on and it provides extra levels of security to computers running Windows, macOS, or Linux.
Pros:
- Endpoint login screens: Integrates into login screens for Windows, macOS, and Linux
- Multi-factor authentications: Provides 20 methods for identification
- Synchronization: Sync password changes across ARMs and applications
- Cross-platform operations: Will update accounts on the cloud as well as those you host yourself
- Cloud deployment options: As well as an on-premises package, ManageEngine offers hosting options on AWS or Azure
Cons:
- No SaaS option: Hosting on the cloud has to be on your own account
ManageEngine ADSelfService Plus is available for free, with a Standard edition starting at $245 per year and a Professional edition starting at $345 per year. The software package runs on Windows Server, AWS, and Azure and offers a 30-day free trial.
EDITOR'S CHOICE
ManageEngine ADSelfService Plus is a self-managed SSPR that you can install on your own servers or on a cloud account. The tool provides connectors to a range of authenticators, so only a proven user can change the password of an account. The system also connects to applications to ensure that passwords are updated across the board with one request – users don’t have to try to log into each one in order to update passwords. This provides a single sign-on strategy that coordinates a user’s credentials across all systems. Connecting to Active Directory and Entra ID is an essential service, and a link to the password reset function is added to the login screen for all the endpoints on your system. This is available for Windows, macOS, and Linux. ManageEngine offers a mobile app for iOS and Android to aid authentication. The system also offers administrators the option of using third-party authentication apps, such as Google Authenticator.
Download: Access a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/self-service-password/self-service-reset-password-management-solution.html
OS: Windows Server, AWS, and Azure
2. N-able Passportal Blink
The cloud-based N-able Passportal system is a team-shared password protection system that implements vaults and the confidential distribution of credentials. The ability to log in without seeing passwords removes the resistance to very complex passwords, so the package also provides a password generator. The bundle also offers individual password vaults for team members, and this unit can be extended by Blink, which is an SSPR service.
Key Features:
- A self-service password reset utility: Available for the password vault service offered to individuals
- A team password locker: With password reset management only available to an administrator
- A secure vault for documents: Secure storage for contracts and system secrets, such as encryption keys
- Cross-platform operations: Available for on-premises and cloud systems
Why do we recommend it?
N-able Passportal Blink is an add-on to the N-able Passportal password confidentiality package. This system is mainly used for team password sharing, but the service also offers a password vault unit for individual users. This module provides a self-service password reset add-on – that’s Blink. Passportal also gives you secure storage for important electronic documents.
I noted that the Blink system will only interface with Active Directory, but the main Passportal service can connect to other LDAP-based access rights managers. Blink is intended for use in managing Microsoft products, such as Microsoft 365 and the on-premises Exchange Server, as well as Windows.
Who is it recommended for?
The entire N-able brand is designed for use by managed service providers. The Passportal system is also meant for MSP use, but its personal password vaults and the Blink add-on are intended for end users. That is, MSPs give the users of client companies this system because SSPR reduces the amount of work that they will need to do in order to support users.
Pros:
- Designed for use with Active Directory: Manages accounts for Microsoft products
- Multi-factor authentication: Includes biometric options and Microsoft Authenticator
- Multi-tenant accounts: Designed for managed service providers
- Passcode identification confirmation option: Sends a code to the user’s registered email account or mobile device
Cons:
- Only for Microsoft products: Doesn’t manage the passwords for non-Microsoft products
N-able does not publish a price list, so you must request a quote for Passportal and the Blink extension. Both Passportal and the Blink add-on are cloud-based systems available for a 30-day free trial.
3. FastPass SSPR
FastPass SSPR allows users to reset the passwords for Windows and Microsoft software and its compatibility can be expanded by a library of integrations. The core of the tool is based on Active Directory and Entra ID (Azure AD). The integrations library will simultaneously reset passwords on other systems, which include the ERPs of Oracle and SAP.
Key Features:
- A core package based on Active Directory: Updates passwords for Microsoft products and system access
- Expandable service: Select from a library of integrations to applications
- Works for IBM mainframes: One of the few services available for IBM z Series z/OS
Why do we recommend it?
FastPass SSPR lets you right-size its service by providing an essential Active Directory interface and then a library of integrations for other systems. The expansion library of FastPass SSPR extends to the IBM z/OS operating system and the ERP systems of Oracle and SAP, which are rare finds.
I learned that this is a cloud-based system and it is suitable for use by multi-site companies or those that have a lot of home-based workers. Extending SSPR to external users is difficult because it disables a lot of the security measures that can be applied to examine the user’s location and identify a potential intruder. However, this system allows the use of third-party authenticators to enable genuine users to prove their identities.
Who is it recommended for?
FastPass is going to draw a lot of interest from businesses that run IBM z Series mainframes because there are very few password management services that cater to the z/OS operating system. Similarly, the ability to let users reset their ERP access passwords at the same time as changing a password for Windows access is going to be interesting for a lot of businesses. The per-user pricing makes the package appealing to all sizes of businesses.
Pros:
- Suitable for all sizes of businesses: Scalable per-user pricing
- Syncs across applications: Coordinates password updates
- Identifies local credentials caches: Discovers local credentials stores and updates them as well
Cons:
- No version for macOS or Linux: Can be installed on Windows Server
You need to request a quote to get the price of FastPass SSPR. It can be run as a software package for Windows Server and is also available as a SaaS platform on the cloud. A demo is available for further investigation.
4. Avatier Identity Anywhere
Avatier Identity Anywhere is an identity and access management (IAM) service for hybrid systems because it can manage access to both on-premises systems and cloud systems. The platform is divided up into modules and the SSPR service is part of the Password Management unit. The package includes a number of strategies to enable users to prove their identities before a password reset request can be accepted.
Key Features:
- Includes updates to Active Directory: Syncs with applications as well
- A choice of identity-proof methods: The administrator can tailor the system during onboarding
- Reset code to mobile device: The user needs to pre-register a phone number with the system to use this option
Why do we recommend it?
Avatier Identity Anywhere is a cloud-based IAM that secures communication by packaging the app in Docker containers. As well as an SSPR, this package provides functions to enable technicians to update accounts by changing passwords. This is particularly useful when dealing with seldom-used accounts.
I discovered that Avatier is one of the few systems on this list that include challenge questions as a method for identity proof. This method was once prevalent but has now become less frequently encountered due to mobile device-based authentication methods. Avatier also includes a mobile app for iOS and Android, so questions are not your only option.
Who is it recommended for?
This is a cloud-based SaaS platform that is charged at a subscription rate per user. That makes the service scalable and affordable for businesses of all sizes. However, it is an entire IAM platform, so companies that just want an SSPR to add to their AD-based system will be overpaying for features that they don’t want.
Pros:
- An entire IAM platform: Not just an SSPR
- Strong integration with Microsoft products: Accessible for login screens
- Secure communications: Protected by Docker containers
Cons:
- More than just an SSPR: You can’t buy the SSPR by itself
You need to request a quote to get the price of Avatier. The Avatier platform is built on Docker and can be assessed with a 14-day free trial.
5. Specops uReset
Specops uReset is based on Active Directory and it starts its service by providing administrators with a way to prompt each user to set up a password on a new account. The user can return to the uReset screen through a link in the login screen for a compatible application in order to unlock an account and reset a password. This system will also detect locally cached passwords and update them along with updates for AD records.
Key Features:
- Updates Active Directory: Includes an initial password set up service
- Detects local credentials caches: Updates local stores along with Active Directory records
- Multi-factor authentication: Provides a range of methods to allow users to prove their identities
Why do we recommend it?
Specops uReset updates the login screens of the applications that it coordinates with to provide a link. This link leads to the password reset window. So, users won’t realize that the uReset system isn’t part of the application that they want to access. The password reset service also caters to account lockouts.
I observed that the Active Directory base of Specops uReset makes it appropriate for the management of credentials for Windows and Microsoft products. However, you can also use it for networked resource access. uReset has a library of connectors that enables it to update passwords for other applications.
Who is it recommended for?
uReset is a cloud-based platform that is priced at a subscription rate per user. That makes the package suitable for any size of business. Although this package is able to manage passwords for applications through its library of connectors, the bedrock of the tool is Active Directory, so you would need to be running that service as your ARM in order to use uReset.
Pros:
- A library of connectors: Can update passwords for third-party tools
- Proprietary mobile app: A mobile-based authenticator for iOS and Android devices
- Suitable for hybrid systems: Updates applications on the cloud as well as those on-premises
Cons:
- Windows first: Not suitable for use with macOS or Linux
Specops doesn’t publish a price list, so you need to request a quote to get the price of uReset. Specops offers uReset on a 30-day free trial.
6. Okta
Okta is a well-known credential management system with two strands of services: Customer Identity Cloud and Workforce Identity Cloud. Okta provides an SSPR system for both of these platforms. The password reset function is just a back-pages utility and is not marketed as a separate tool. In fact, it isn’t mentioned on the sales pages for Okta. You have to delve into the administrator’s guide to find out about it.
Key Features:
- A user support utility: Built into both customer and workforce identity and access management services
- Accessible from the login screen: Available on the Settings menu
- Password policy enforcement: Integrates the corporate password complexity rules
Why do we recommend it?
Okta provides a single sign-on system – that is the company’s signature service. The platform is hosted in the cloud and provides a substitute for ARMs, such as Active Directory. The platform also offers multi-factor authentication options. Okta provides account management for customers as well as for employees.
I noticed that Okta provides its own login screen. This includes a Settings drop-down menu and one of the entries leads to the SSPR function for those users who have forgotten their passwords. The user’s mobile phone number needs to be registered on the account before this function can be used. This is because the resolution process involves a reset code that is sent to the mobile by SMS.
Who is it recommended for?
Okta is very successful and attracts a lot of customers because of its SSO service. The SSPR isn’t treated as a product feature, even though it is included in app plans. The plan structure of Okta is quite complicated with the customer account management package divided into B2B and B2C packages. There are three plan levels for the workforce account management service.
Pros:
- SMS recovery code: Sent to mobile devices
- A login screen utility: Available on a Settings menu
- A cloud-hosted service: Delivered as a SaaS platform
Cons:
- Not compatible with group policies: SSPR not available if group policies are in effect
Okta Workforce Identity Cloud has three editions: Light, which starts at $4 per user per month; Medium, starting at $5 per user per month; and Unlimited, starting at $6 per user per month.
Okta Customer Identity Cloud, branded as Auth0 by Okta, offers B2C plans with Essentials starting at $35 per month and Professional at $240 per month.
The B2B plans include Essentials, starting at $150 per month, and Professional, starting at $800 per month.
Both the Customer Identity Cloud and the Workforce Identity Cloud include the SSPR feature, and Okta offers a 30-day free trial of both.