Surf’s up – Are You Ready For the Tidal Wave of Forgotten Passwords?

By Torben Andersen, Chief Commercial Officer, SMS PASSCODE

Tidal wave of forgotten passwords

It is summer, surf is up and most of us already have or are planning to take some time off to relax and reload our batteries.

Now I don’t want to spoil your vacation or cause unnecessary stress, but have you thought about what happens when your employees return from summer vacation and cannot remember their passwords?

Statistics suggest that as much as 20-50% of all help desk calls are related to password problems, and the scenario with forgotten passwords after a vacation is classic and a real pain to many IT departments year after year. When I attended Infosecurity Europe in London back in May I had the pleasure of speaking with many IT professionals visiting our booth. During these conversations, it quickly became clear to me that passwords are a real curse for IT managers. Main concern of course is the fact that passwords today offer no real protection as a means of authentication, but the security aspect aside, forgotten passwords typically requires the IT department’s involvement to get the users back online, and the IT managers I spoke with dreaded the spikes in help desk calls they receive around the holiday periods.

However, it doesn’t have to be that way. SMS PASSCODE’s Password Reset Module takes this pain away by enabling users to easily reset their own Active Directory passwords in a secure way.

How does it work?

So how does our Password Reset Module work? Well to illustrate a situation where a user forgets his/her password and is locked out, we made this short video. Take a look.


As you can see from the video the process of resetting the password is easy, intuitive, and the user is quickly back online. However the latest release of Password Reset Module also features the possibility of alerting users when their password is about to expire.

By coincidence my own password was up for renewal yesterday, so thought I would write this blog to share the experience from a user point of view and to highlight how the notification process around password renewals actively helps avoid user lockout situations in the first place.

First I received a text message saying “Your password will expire in 3 days. You can set a new password here” and then had a link to the self-service site. Not only was this message timely (informed me BEFORE my passwordSMS expired), but it also allowed me to take action and reset the password by clicking the URL.

I clicked the link in the message and was forwarded to the SMS PASSCODE Self-Service website, where I was guided through the process step-by-step. I completed the process directly from my iPhone. No need to open up a browser on my laptop or to pinch to zoom in on the screen of my mobile phone.

SMS PASSCODE Password Reset Module

In terms of security the Password Reset Module can be configured to look at my location and then determine the level of authentication needed before I can reset my password. In my particular case the solution identified that I was in a trusted location (inside the office building) and I was prompted to enter a One-Time-Passcode (OTP) that was sent to my mobile phone.

This was a an interesting step as the flash SMS with the OTP popped up on top of the self-service site requiring me to remember the code after hitting OK on my screen. Luckily SMS PASSCODE’s memoPasscodesTM feature means all our codes are easy to remember, and I had no problems during this step. memoPasscode

The entire process of setting a new password took me less than 3 minutes.

I hope this post describes just how convenient a password reset process can be, and how it can empower your users to get back online without having to contact the IT department.

It is easy to use and requires no software to be deployed on the users’ phones. More importantly, it can help you avoid that nasty tidal wave of inbound phone calls and emails from frustrated users who have forgotten their password after their summer vacation.

Have a good summer everyone.

It’s a Bird…It’s a Plane…It’s SMS PASSCODE Version 7.2

By Claus E. Kotasek, CEO, SMS PASSCODE

It's a Bird...It's a Plane...

Today is a big day for the team here at SMS PASSCODE as we release SMS PASSCODE 7.2.

As most of you will recall we released version 7.0 earlier this year, which introduced a number of unique features to the market. Features such as Secure Device Provisioning (included as standard in the SMS PASSCODE MFA license) that enables secure and convenient self-enrollment of ActiveSync devices into an organization without the need to contact IT. This greatly reduces the complexity IT administrators face around Bring Your Own Device, and the demand for this particular feature is growing rapidly as more and more users utilize the flexibility of using their own devices in the company IT environment offers. Another innovation we introduced was Contextual Message Dispatching (also referred to as Location Aware Dispatching) where the One-Time-Passcode (OTP) delivery method is determined by the location of where the user are, or any preferences the individual user may have. As an example, you can configure the system to prefer SMS over voice call dispatching during logins from Europe, while preferring voice call over SMS dispatching during logins from North and South America. Or you can send one-time-passcodes to your mobile phone by default, but perform a voice call to a fixed-line phone number when you are logging in from a branch office. The choice is yours as you have full flexibility to configure SMS PASSCODE to your particular requirements. Also after we added OATH token support, customers now benefit from an even broader range of OTP delivery methods. This was indeed an exciting milestone for us, and now it is with great pleasure that we make version 7.2 available for download.
Particularly our Password Reset Module has been enhanced with a number of rich features in version 7.2 making this product a truly unique and powerful solution for convenient and secure password reset.

The main issue with the various password reset solutions available on the market today is that they simply fail in the ‘real world’ as they are not convenient in the moment of truth when the user is locked out and needs to reset their password. With version 7.2 our Password Reset Module is simply deployed on your server without the need to deploy software on the user’s devices. In fact the user doesn’t even need to know about the solution, since SMS PASSCODE conveniently guides the user through the process of resetting the password when the problem arises. A message will be sent to the user’s mobile phone via SMS/text or email once the password is about to expire (e.g. 3 days before). Via a link in the message the user can take action and visit the password reset website directly from their mobile, tablet or PC, where he or she is then guided through the process of resetting the password.

Sounds good right? But wait there is more! The solution can be configured to adapt the level of authentication required to reset the password based on the location of the user. For example if the user is located in a trusted location such as inside the head office, then the old password is enough to successfully reset the password. Whereas if the user is trying to reset the password from a non-trusted location then a personal passcode and OTP would be required.

To learn more about this and other features included in version 7.2 please register for our Version 7.2 Highlights webinar on 26 June or contact us directly


Live from Infosecurity Europe 2014

Infosecurity Europe 2014 – Europe’s largest IT security show is taking place at Earl’s Court in London this week, and our team is on site engaging with the IT community and presenting how SMS PASSCODE ensures safe and easy access for employees logging into corporate networks and cloud applications remotely. User authentication is a hot topic for both the businesses visiting the show as well as the media here at Infosecurity. Below is a short video interview with Torben Andersen, Chief Commercial Officer at SMS PASSCODE, that talks about some of the reasons why businesses of all sizes are concerned about keeping their data safe from hackers, and why multi-factor authentication is the most natural place to start when building your defense. In the interview Torben also covers the impact of the Heartbleed bug and goes on to explain what adaptive user authentication is and why it is the next generation in multi-factor authentication.

Could SMS PASSCODE protect end-users from the Heartbleed flaw?

During the past week voices from across the industry have been commenting and predicting on the Heartbleed flaw. So to avoid speculation with regard to SMS PASSCODE, we should like to be clear. SMS PASSCODE is not affected by the Heartbleed flaw – Neither the product nor the company.

In fact the Heartbleed flaw emphasizes the need for session specific Multi-Factor Authentication. The vulnerability enables a hacker to obtain random data portions from a web server’s memory, which dramatically increases the risk for successful phishing attacks. With SMS PASSCODE in place however, even if a hacker manages to lift user credentials of a server’s memory, his chance of gaining access to the company network is infinitely slim.

So with due respect to the devastating impact of the flaw the answer to the question is: Yes, SMS PASSCODE could definitely protect end-users from the Heartbleed flaw.

VERSION 7.0 BLOG – The wait is over

By Claus Rosendal, CTO, SMS PASSCODE

Thank you for following my blog posts about version 7.0, I hope they helped give you a sense of the features included in version 7.0 while waiting for it to be released.

I am very excited that the release of SMS PASSCODE 7.0 is now a reality. Our team has done a remarkable job on this release, and I am proud to see us continue our technology leadership with version 7.0.

But enough talk, it’s time to check it out for yourself.  The wait is over.






Note: All customers and partners will receive information via email on how to upgrade to SMS PASSCODE 7.0 later today. If you need help completing your upgrade, please contact our support team 

VERSION 7.0 Blog – Reducing BYOD complexity

By Claus Rosendal, CTO, SMS PASSCODE

It seems like everyone has an opinion on “bring your own device,” or BYOD. No matter what your viewpoint is, it’s increasingly clear that employees’ use of personal devices for work purposes is growing, and that increased worker connectivity opens up new opportunities for businesses.

Make no mistake: BYOD continues to cause friction between IT and employees who want the ultimate in flexibility and access to information, posing a huge headache to system administrators. In recent years, we have observed BYOD blossoming into BYOE, or “bring your own everything.” In BYOE, employees blur boundaries by bringing not only their own smartphones, tablets and laptops to the office, but also their own applications and networks. This infusion of personal devices, apps and networks into the corporate environment presents a significant security challenge, as controlling access to corporate data and network assets is complicated by the presence of devices, networks and applications not fully under the IT department’s control.

Compounding the BYOE problem, mobile devices today often use ActiveSync – the PIM-data synchronization application from Microsoft – to automatically synchronize email, calendars and other information. Today users obtain access to their PIM data by simply entering their email address and their Windows password on their mobile device. Based on the settings of your Exchange Server the device will either be automatically approved and the data synchronization will begin. This however presents a security vulnerability because the users are only poorly authenticated by their username and password (single-factor authentication). Alternatively the device will be quarantined until manually approved by the administrator. The problem with this approach, especially in larger companies, is: How does the system administrator know, whether to approve a quarantined device or not? How does he distinguish between a valid user device and a hacker attempting to get access to a user’s e-mail using the ActiveSync protocol?

This is where SMS PASSCODE version 7.0 comes in. With version 7.0 we introduce Secure Device Provisioning which allows users to easily approve new devices by themselves without compromising security. Once a user activates ActiveSync on the device he/she will receive a quarantine email with a link to a Self-Service website where the user can approve the new device with a single click, after having authenticated themselves via SMS PASSCODE’s Multi-Factor Authentication platform.

Secure Device Provisioning is convenient for the users as they get easy access to data on their new device when and where they need it, and without having to contact IT for approval. This frees the burden on IT departments and reduces complexity around supporting a mobile workforce with a growing amount of devices in a secure way. As you might imagine, we are very excited about introducing this new feature.

Join me again tomorrow for the last post in my “seven days of version 7.0” blog series.

VERSION 7.0 Blog: The lost password dilemma – finally solved?

By Claus Rosendal, CTO, SMS PASSCODE

“Sorry but you have entered a wrong username or password, please try again”. It’s 9.00 AM Monday morning and you are staring at the screen after the first two failed login attempts, trying hard to recall your password, and wishing you had stronger coffee. We have all been there.

Many companies enforce a strict password security policy where users have to change their password every 60-90 days, and on top of that your new password must often contain a minimum of 10 characters and feature both capitalized and non-capitalized letters as well as numerical values and symbols. Sound familiar?

Whether so-called ‘strong’ passwords like this actually increase security and prevents you from being breached is an interesting question (I will save that for another blog post!), but what is more interesting is the fact that having to remember and frequently change difficult passwords causes frustration for your employees. The dilemma of forgotten passwords is here to stay as long as there are passwords to remember, but luckily there are solutions such as our Password Reset Module that helps reduce the sting of a forgotten password, by empowering the employees to easily reset their passwords in a secure way, without having to contact the IT helpdesk. With version 7.0 our Password Reset Module becomes its own stand-alone product in our portfolio, and I encourage anyone looking to minimize the frustration and lack of productivity caused by forgotten passwords to check it out. Of course there are also alternative solutions out there, and American talk show hostess Ellen Degeneres discovered a very creative way of storing all your passwords so you never forget them again. The solution is elegantly presented in this short video.


Join me again tomorrow for my next blog in our 7 days of version 7.0 blog series.


Get every new post delivered to your Inbox.

Join 72 other followers