I've been asked to advise a large organisation about best practices for passwords and password reset.
Calls to customer service cost the client millions so the password issue is a huge concern.
At the moment it's fairly obvious what the problems are: very strict password creation rules, compounded by two-factor authentication that consists of letters of a secret answer. The secret answer is created at account signup and is of the 'hidden password' type, i.e. another password. This sounds 'sub-optimal'.
To reset the password, a user has to call the call centre for a manual reset. Again, this is sub-optimal.
I need a heavy evidence base to support my recommendations:
Free password creation with a strong/weak indicator. Maybe a minimum limit would be an idea, but I'm certainly going to kill off special character rules.
I want two-factor authentication, but I'm not sure what's best practice: a text to a mobile phone, or selected entries from a secret second word.
For password reset there will be an option to send a reset via email or mobile, but I need another pattern for when the user has access to neither. Has anyone got any suggestions for this? At the moment they have 'answer five questions about your account', which sounds risky.
I'll be pushing very hard against internal teams who will not want to change data tables containing password creation rules. If I can't get past this, I ain't got much chance of making anything usable, I fear.
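As an added illustration of the "free password creation with a strong/weak indicator" idea from the question (this is example code written for this page, not anything from the poster or their client), the rater below enforces only a minimum length and a breached-password check, and otherwise scores a password by estimated search space rather than by composition rules. The `COMMON_PASSWORDS` set, the `MIN_LENGTH` of 8, the pool sizes and the weak/fair/strong thresholds are all assumptions chosen for the example; a real deployment would check against a large breach corpus and tune the thresholds.

```python
import math
import re

# Constructed, illustrative sample of commonly breached passwords. A real
# deployment would query a large breach corpus instead of this tiny set.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Assumed minimum length; the post only says "maybe a minimum limit".
MIN_LENGTH = 8

# Assumed sizes of the character pools an attacker would have to search.
POOLS = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
)


def estimate_entropy_bits(pw: str) -> float:
    """Rough guessing-resistance estimate: length * log2(pool size),
    discounted for runs of repeated characters so 'aaaaaaaa' scores low."""
    pool = sum(size for pattern, size in POOLS if pattern.search(pw))
    if pool == 0 or not pw:
        return 0.0
    raw_bits = len(pw) * math.log2(pool)
    # Count characters that merely repeat the previous one ("rr", "tt", "aaaa").
    repeats = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    return raw_bits * (len(pw) - repeats) / len(pw)


def normalise_core(pw: str) -> str:
    """Strip case, digits and symbols so 'Password123!' is compared as 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def rate_password(pw: str) -> dict:
    """Return a strength label plus the reasons a user could act on.
    No special-character or mixed-case rule is enforced: a long passphrase
    of lowercase words can rate 'strong', a short symbol-laden one cannot."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalise_core(pw) in COMMON_PASSWORDS:
        reasons.append("based on a commonly breached password")

    bits = estimate_entropy_bits(pw)
    if reasons:
        label = "weak"
    elif bits < 40:
        label = "weak"
        reasons.append("too easy to guess; try a longer phrase")
    elif bits < 64:
        label = "fair"
    else:
        label = "strong"
    return {"label": label, "bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Password123!", "aaaaaaaaaaaa", "blueSky42",
                      "correcthorsebatterystaple", "short1"):
        print(candidate, rate_password(candidate))
```

The point for the evidence base is visible in the output: `correcthorsebatterystaple` contains no digit or special character and rates `strong`, while `Password123!` satisfies every classic composition rule and rates `weak` because its core is a breached password.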