The task of resetting a password should be straightforward enough to let users do it themselves. We list the best tools for the job.
Here is our list of the best self-service password reset tools:
- ManageEngine ADSelfService Plus – EDITOR’S CHOICE Use this tool to implement self-service password resets, multi-factor authentication, and single sign-on for Active Directory. This package includes mobile apps for iOS and Android and will run on Windows Server, AWS, and Azure. Get a 30-day free trial.
- N-able Passportal Blink This is an add-on that provides SSPR to the cloud-based Passportal password management system, which is aimed at managed service providers.
- SysOps Tools Password Reset PRO This on-premises package provides a SSPR function for Active Directory. Runs on Windows Server.
- Okta Get a credentials manager for customer accounts or employee access with SSPR built in. This is a cloud-based service.
- Avatier Identity Anywhere An IAM platform that implements a choice of identity-proof mechanisms in its self-service password reset system. Runs over Docker.
- FastPass SSPR This self-service password reset tool can interface to LDAP-based ARMs, including Active Directory, and has the advantage that it can operate for z/OS on IBM mainframes.
- Specops uReset Compatible with Active Directory, this cloud-based tool provides a reset screen off the standard login windows of common applications.
Gone are the days when a system administrator could look at a credential list and see a user’s password. Now, it is impossible for anyone to see a password in storage, so if the user can’t remember it, the only option is to reset it. Ultimately, a password reset has to update the access rights manager (ARM) and there is no reason why a third-party tool can’t update that value, providing an interface for the user instead of reserving that access to technicians.
The most widely-used ARM is Active Directory and so we will focus on systems that interact with that application.
The Best Self-service Password Reset Tools
We have defined the essential requirements for an SSPR.
Our methodology for selecting the best self-service reset tools
Our selection criteria are expressed in these seven points:
- Reset advice built into login screens
- A mobile app for users to provide proof of identity
- Direct updates of the corporate access rights manager
- Synchronization across ARM instances
- Password policy enforcement
- Auditing processes for AD record changes
- Value for money from an SSPR costs less to buy than the savings they create in technicians’ wages
We made sure to include cloud-based systems and on-premises packages.
1. ManageEngine ADSelfService Plus – FREE TRIAL
ManageEngine ADSelfService Plus allows records in Active Directory to be updated and also includes a library of application connectors that extends the SSPR capabilities to well-known applications. The tool interfaces with cloud-based AD systems, such as Entra ID (Azure AD) and Microsoft 365.
Key Features:
- Suitable for hybrid systems: Manages passwords for on-premises and cloud-based systems
- Updates Active Directory: Compatible with cloud-based systems as well as on-premises AD
- Provides a mobile app for identification: Supports multi-factor authentication
- A single sign-on environment: Synch password changes across applications
- Ensures strong passwords: Enforces password policies
Why do we recommend it?
ManageEngine ADSelfService Plus provides a mobile app that enables users to prove their identities before allowing a password to be changed. This is an essential step to prevent intruders from acquiring credentials by hijacking the reset process. The tool will update application access credentials as well as Active Directory.
I found that the package doesn’t just rely on the mobile app for multi-factor authentication. It offers 20 methods in total. The entire setup system for the SSPR is guided within the administration console. This extends to the selection of connectors to applications. The tool simultaneously provides a single sign-on service with this mechanism.
Who is it recommended for?
This tool saves time and money, which will interest any business. There is a free edition available, but that is limited to managing 50 users. Although the tool has a library of connectors to third-party apps, its main purpose is to manage credentials that are stored in Active Directory.
Pros:
- Manages access to computers: Integrates with login screens for Windows, macOS, and Linux
- Multiple authenticator methods: 20 options available in the higher plan
- Password synching: Applies changes across AD domain controllers
- Free edition: Limited to managing 50 users
- Cloud hosting option: Available on AWS or Azure as well as on your own server
Cons:
- No SaaS plan: Cloud hosting has to be on your own account
ManageEngine ADSelfService Plus will run on Windows Server and you can get it as a service on AWS Marketplace and Azure Marketplace. The software is offered on a 30-day free trial.
EDITOR'S CHOICE
ManageEngine ADSelfService Plus will appeal to businesses that use Active Directory as an access rights manager. That includes those that operate Entra ID on Azure or have accounts in Microsoft 365. The system is also able to manage passwords for third-party tools through a library of connectors. The service offers 20 different methods to enable users to authenticate themselves before being allowed to change passwords. A link to the reset option is inserted into the login screens for the systems that the package caters to. ManageEngine also offers a mobile app for iOS and Android, which provides one method for users to prove their identities. The package can also be used to impose multi-factor authentication and facilitates a single sign-on environment.
Download: Access a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/self-service-password/self-service-reset-password-management-solution.html
OS: Windows Server, AWS, and Azure
2. N-able Passportal Blink
N-able Passportal Blink is a paid add-on for the Passportal system on the N-able cloud platform. The main purpose of the Passportal system is to provide a vault and confidential distribution processes for the shared credentials used by support teams. The entire N-able platform is designed for use by managed service providers. As well as the technician team password management service, the tool offers credentials management services for the users of MSP clients. These are the accounts for which Blink is designed.
Key Features:
- A password vault: Manages shared credentials for support technicians
- Management of end-user credentials: This is where Passportal Blink applies
- SSPR for users: Interfaces to Active Directory
- Covers cloud systems as well as on-premises applications: Suitable for hybrid environments
Why do we recommend it?
N-able Passportal Blink is an addition to the credentials management functions of N-able Passportal – it doesn’t apply to the password management system for the support technicians. Passportal isn’t just limited to Active Directory because it can connect to other LDAP-based ARMs as well. However, Blink will only update AD records.
I noted that the Blink system will only enhance part of the Passportal service – it doesn’t make sense to allow technicians to update shared passwords. It is exclusively based on Active Directory and limited to managing the passwords for Microsoft products, such as Microsoft 365 and Windows.
Who is it recommended for?
Passportal is designed for use by managed service providers, and the Blink add-on specifically operates for end user credentials. This tool will only interface to Active Directory and it can only be used to update the passwords for Microsoft products.
Pros:
- Updates Active Directory: The main Passportal package can interface to other LDAP systems
- Multiple identity verification options: Biometric options are available
- Designed for managed service providers: Has a multi-tenant architecture
- A passcode option: An emailed or SMS passcode to a mobile for verification
Cons:
- Limited to Microsoft products: Can’t manage passwords for Linux or macOS systems
Both Passportal and the Blink add-on are offered on a 30-day free trial.
3. SysOp Tools Password Reset PRO
SysOp Tools Password Reset PRO interfaces with Active Directory that lets a user set up a password on a new account and also reset a forgotten password on an existing account. This tool is an on-premises package that delivers a Web interface for access.
Key Features:
- A third-party SSPR: Enhances Active Directory
- A Web-based interface: Can be accessed through any standard Web browser
- Suitable for hybrid systems: Interacts with Entra ID and Microsoft 365 as well as on-premises Active Directory
Why do we recommend it?
SysOp Tools Password Reset PRO is a useful lightweight addition to Active Directory, covering cloud-based domain controllers as well as on-premises instances of Active Directory. The service presents a Web-based interface to users, which can be accessed through any standard Web browser. This is a software package for Windows Server.
I learned that this tool doesn’t provide an administrator screen, which many might find odd, but SysOps ranks this as a security feature because there is no easy way in for hackers. The changes made by users get immediately updated in Active Directory without the need for temporary storage.
Who is it recommended for?
This is a fast and efficient SSPR that directly updates Active Directory without leaving any shadow copies of data anywhere on your system. This is a secure tool that provides compliance with PCI DSS, HIPAA, and SOX. The tool is suitable for any business because the security of user credentials is paramount.
Pros:
- A secure system: Does not use any staging area for credentials
- Standards compliance: Suitable for companies that follow PCI DSS, HIPAA, or SOX
- A pure SSPR system: Doesn’t offer SSO or multi-factor authentication
Cons:
- No cloud version: This is an on-premises package
The software for Password Reset PRO installs on Windows Server and you can get it on a 30-day free trial.
4. Okta
Okta is a credentials management platform that offers two packages: Customer Identity Cloud and Workforce Identity Cloud. These are full service identity and access management (IAM) services that just happen to have an SSPR system built into it. Okta doesn’t offer its SSPR as a standalone package and doesn’t even mention the feature on its sales page.
Key Features:
- Management for customer and employee accounts: Two separate cloud-based packages
- Included in all plans: A self-service password feature is accessible on every login page
- Password policy management: The SSPR function with password policies
Why do we recommend it?
Okta is a top-draw IAM package that is famous for its SSO service. The login screen for an Okta-managed account includes a Settings link, and that menu provides a password reset option. This feature is included in both the customer account and employee account management systems.
I discovered that each user account needs a mobile number recorded on it. The user selects Forgot Password from the Settings menu on a login screen, and that leads to the Password Reset screen. On command, the system will send a reset code by SMS. The user then enters this code into the rest screen for verification.
Who is it recommended for?
Okta has an excellent marketing team and many businesses will encounter advertising for this tool. It is a top-drawer system that provides features such as the SSPR service as a matter of course and doesn’t even advertise it. Essentially, this SSPR is a nice surprise waiting for buyers of the Okta system.
Pros:
- SMS-based reset code: Users get a message containing a reset code
- SSPR is included in every login screen: Look at the Settings menu
- Hosted on the cloud: Removes the need to maintain the Okta software
Cons:
- Clashes with group policies: You don’t get the SSPR feature if you operate group policies
Okta is a cloud-based system and you can get a 30-day free trial of both the Customer Identity Cloud and the Workforce Identity Cloud platforms.
5. Avatier Identity Anywhere
Avatier Identity Anywhere is an identity and access management (IAM) system that is delivered over Docker. The package is able to manage user accounts for on-premises resources and cloud services. This is a platform of modules and the SSPR service is included in the Password Management unit. The system provides a range of strategies to enable users to prove their identities during the password reset process.
Key Features:
- A range of identity-proof options: The administrator chooses a policy from a list of options
- Phone-based proof: An option to set up an automated system that sends a reset code to a mobile phone
- Questions for identity proof: Choose to allow users to nominate a set of questions for a challenge
Why do we recommend it?
Avatier Identity Anywhere is a full IAM package rather than an add-on for Active Directory. The system provides a number of options to enable a user to prove identity when implementing a password reset. The service allows administrators to keep their LDAP system for storage and use the Avatier service as an administration front end.
I observed that this service allows the creation of a hybrid system with storage on site and an administration console on the cloud. It also provides an option to host your records within the system on the cloud. The tool offers a number of validation options, including a reset code sent by SMS, a mobile app for iOS and Android, and challenge questions. The reset screen also operates as an initial password setup interface for new accounts.
Who is it recommended for?
Avatier is a SaaS IAM that offers the option for buyers to integrate their existing on-premises directory or port everything into the platform. The SSPR service is one element in the package. The subscription rate for the package is levied on a per-user basis, which makes the package scalable. However, this system is probably more suitable for large organizations.
Pros:
- A flexible package: You can choose to integrate your existing on-premises directory into the IAM
- Adds a link into login screens: For Microsoft products
- Secure delivery: Protected by Docker containers
Cons:
- Not a standalone SSPR: You can’t just sign up for the SSPR
The Avatier platform is a SaaS package that is hosted in the cloud. Try it out with a 14-day free trial.
6. FastPass SSPR
FastPass is compatible with Active Directory and Entra ID (Azure AD). It provides a reset function for Microsoft systems, including Windows. In addition to its Windows compatibility, this package provides connectors through to third-party systems, many of which run on other operating systems. This is one of the few password management systems that will operate for software running on z/OS, the IBM mainframe operating system. You can also manage passwords for the ERP systems of Oracle and SAP.
Key Features:
- Active Directory account resets: For system resources and Microsoft products
- Resets for ERPs: Including Oracle and SAP
- IBM mainframe compatibility: Works for accounts on IBM z Series z/OS
Why do we recommend it?
FastPass SSPR is provided by a long-running and highly respected IAM brand. The self-service password reset system is able to manage accounts for many systems that other SSPRs just can’t reach. The tool is particularly unique in its availability for accounts on IBM z/OS mainframes.
I noticed that this system is able to service remote users, which is a risky proposition because it provides opportunities for other outsiders: intruders. The FastPass system includes a choice of methods that can be set up to challenge users to prove their identities before allowing a password reset.
Who is it recommended for?
This package has a subscription rate per user, which makes it suitable for any size of business. There are discounts for larger numbers of users, thus, bigger businesses will get a better price than SMEs. The package will appeal to businesses that run technologies that have few SSPR options, such as IBM z Series mainframes.
Pros:
- A subscription rate per user: Suitable for all sizes of businesses
- Support password resets for Windows access: This function is available for home-based users as well as those in the office
- Updates credentials caches: Discovers and manages local password stores
Cons:
- No version for Linux: This package is a SaaS platform or a software package for Windows Server
Get more information about FastPass SSPR by accessing a demo.
7. Specops uReset
Specops uReset integrates with Active Directory. It places a link on login screens that leads through to the straightforward uReset window. This interface can be used to set up the password for a new account, reset a password, or resolve an account lockout. The tool also updates local credentials caches.
Key Features:
- Updates Active Directory: writes directly to AD records
- Updates password local stores: Identifies and maintains local credentials caches
- Multi-factor authentication: Provides methods for users to validate their identities
Why do we recommend it?
Specops uReset adds an extra page to log in Windows, leading to its own screen for resets. The tool is straightforward and immediately updates Active Directory. It will also update local caches. The full password management system can check on the user’s location as part of its validation process.
I found that this tool takes care of Windows and other Microsoft systems through its link to Active Directory. The package includes connectors to other software as well. In each case, the integration adds a link to the package’s login page that leads to the uReset system.
Who is it recommended for?
Specops is hosted in the cloud and it is able to interface with Active Directory on your premises and also cloud-hosted AD systems, such as Entra ID. The package is suitable for any business that uses Active Directory for its access rights management system.
Pros:
- Suitable for hybrid systems: Interacts with Enta ID as well as Active directory
- Includes a mobile app: A proprietary authentication tool for iOS and Android
- A cloud-hosted service: No need to ghost it yourself
Cons:
- Stronger for Windows: Not suitable for macOS or Linux computers
Try out Specops uReset by accessing a 30-day free trial.
