Advanced Self-Service Password Reset

Not all password resets are created equal.

Basic SSPR resets passwords. MyPass Advanced SSPR adapts to who is asking, from where, and what context they are in — applying the right level of verification for every user, every scenario, every system.

  • 40% reduction in IT support tickets
  • 90%+ achievable user adoption rate
  • 30+ languages supported
  • 55+ suspicious activity triggers

Levels of Assurance

The right verification for every user and every risk

A standard employee resetting a forgotten password requires a different level of proof than a sysadmin recovering a privileged account. MyPass lets you define exactly how much verification each scenario demands — and enforce it automatically.

Standard Assurance
Everyday Users
General staff, students, shared-workstation users. Low-risk credential, high reset frequency.
  • SMS or email OTP
  • Authenticator app (TOTP)
  • Knowledge-based Q&A
  • Manager approval
Enhanced Assurance
Sensitive Role Users
Finance, HR, clinical staff, managers. Elevated data access warrants stronger proof of identity.
  • MFA + corporate data verification
  • Smart card authentication
  • Duo / Okta integration
  • HR or AD data cross-check
  • Manager + second factor
High Assurance
Privileged & Admin Accounts
IT admins, system accounts, RACF/SAP privileged credentials. Maximum verification, full audit trail mandatory.
  • Multi-factor + manager approval
  • RSA / hardware token
  • Custom data verifiers (multiple)
  • IP / location restriction
  • Mandatory audit log & alert

Assurance levels are configured per user group. Mix and match any combination of methods to meet your exact policy requirements.

Custom Verification

Use your data to verify your users

Most SSPR platforms verify users with generic questions or SMS codes. MyPass goes further — it can pull verification data directly from your own enterprise systems, turning the information you already hold into a powerful, contextual authenticator.

Questions can be auto-generated from AD attributes, HR records, or any connected database — so users never need to pre-enrol for knowledge-based questions. The answer is already in your system.

  • Active Directory / Entra ID: Employee ID, department, manager, last logon, phone. All usable as dynamic verification questions.
  • Human Resources Systems: Date of birth, cost centre, employment start date, payroll number. Pulled directly to authenticate without enrolment.
  • Finance & ERP Systems: SAP cost objects, Oracle account references, or any SQL-accessible business data, verified at reset time.
  • Enterprise Data Sources: Any SQL database, REST API, or custom connector. If you can query it, MyPass can verify against it.

Authentication Methods

Every method. Any combination.

Configure any authentication method — alone or stacked — per user group. Require two factors for remote resets, three for admin accounts. It's your policy, enforced precisely.

  • Push Notification: Microsoft / Google / Okta Authenticator
  • SMS & Email OTP: One-time passcode delivery
  • TOTP (RFC 6238): Time-based authenticator apps
  • Smart Card: Certificate-based hardware auth
  • RSA SecurID: Hardware & software tokens
  • Duo Security: Via API integration
  • Okta: Via API integration
  • RADIUS: Any RADIUS-compatible solution
  • Manager Approval: Manager or colleague workflow
  • Corporate Data Q&A: From AD / HR / Finance / custom DB
  • Helpdesk PIN: Agent-issued one-time PIN
  • Temporary Access Pass: Time-limited bypass with audit
  • Directory Password: Native passwords e.g. AD/Entra ID
  • Code Cards: MFA pin cards for public channels
  • Bring Your Questions: Choose your own questions and answers
  • Preference Q&A: Library of questions in any language

Real-World Scenarios

The platform that fits your business. Not the other way around.

MyPass isn't configured once for everyone. Each user group gets the exact process that fits their context, their device availability, and their access risk.

Education — Grade 1
A 6-year-old without a phone or complex password.
Simplified knowledge-based verification with teacher-supervised recovery flows. Self-service is possible even for the youngest users — no IT call, no classroom disruption.
Manufacturing — Plant Floor
Shared terminal, no personal device, 6am shift start.
Code cards for shared-terminal environments. No personal phone required — production doesn't stop waiting for a helpdesk response.
Enterprise IT — Privileged Account
A sysadmin locked out of a RACF or SAP admin credential.
Elevated verification: multi-factor + manager approval + IP restriction + mandatory audit log. Admin recovery is secure, governed, and never done via a casual helpdesk call.
Hospitality — Restaurant POS
Shared POS login, rotating staff, no downtime tolerance.
Manager-authorised reset flows for shared accounts. One locked account doesn't shut down the till — reset in under 2 minutes without calling IT.
Remote & Hybrid — WFH
Locked out before Windows login, no VPN, no office access.
Remote password cache reset updates local Windows credentials via the Windows Client. Pre-login reset from any internet-connected device — no IT involvement, no VPN required.
Healthcare — Clinical Staff
Clinician loses MFA device mid-shift. Can't wait 24 hours.
MFA reconfiguration flow — users can re-register a lost authenticator through an alternate secure verification path. Critical access restored in minutes, not hours.

Platform Capabilities

Everything beyond the basic reset

  • Multi-system reset in one portal — AD, Entra ID, SAP, Oracle, IBM z/OS, iSeries, Google Workspace — one action, all synced
  • Breach password prevention — Blocks passwords appearing in HaveIBeenPwned and custom breach lists at point of creation
  • Pre-login Windows reset — Reset before the Windows login screen from any device, with offline cache update for WFH
  • 55+ alert triggers — Quality-of-life and security notifications to enhance your security awareness and compliance
  • FIPS 140-2 aligned — 256-bit AES encryption, PBKDF hashing, TLS 1.2 mandatory for all communications
  • BitLocker self-service — Recovery key retrieval from Entra ID or on-premise AD without helpdesk involvement
  • 30+ languages — Per-group language configuration including Afrikaans, Zulu, Arabic, French, Portuguese, Spanish
  • ITSM ticket automation — ServiceNow, BMC Remedy, Ivanti, ManageEngine — auto-create, update, and close tickets on every reset
  • Full audit trail — Every reset attempt, every authentication step, every outcome — logged, timestamped, reportable
Security posture — SSPR
  • FIPS 140-2 compliant encryption
  • TLS 1.3 in transit
  • AES-256 at rest
  • HaveIBeenPwned breach detection
  • Full audit trail & SIEM export
FIPS 140-2 | Cyber Essentials Plus | GDPR Aligned | POPIA Aligned | ISO 27001 Principles | 256-bit AES | TLS 1.2

Supported Systems

Works with what you already run

Directory & Identity

AD, Entra ID & LDAP

Full support for on-premise AD (multi-forest), Azure Entra ID, and generic LDAP directories. Policy enforcement, account unlock, and notification triggers included.

ERP

SAP & Oracle

Reset SAP (ECC, S/4HANA, NetWeaver, HANA) and Oracle (E-Business Suite, Database) credentials directly. No custom ABAP development required.

Mainframe

IBM z/OS & iSeries

Native IBM mainframe support. RACF and iSeries (AS/400) passwords managed through the same self-service portal — no separate tooling required.

Cloud & Productivity

Microsoft 365 & Google Workspace

Synchronise on-premise resets to cloud accounts automatically. One reset in MyPass propagates everywhere in real time.

Implementation

Fast to deploy. Faster to see results.

1. Demo and Signup

We provide a personalized demonstration of MyPass Cloud, answer any questions and guide you through the signup process.

2. Gateway Deployment

Install the MyPass Gateway on-premise to bridge internal systems. Typically 1–2 weeks for AD-only environments.

3. System & Data Integration

Connect SAP, Oracle, IBM, HR systems, or custom data sources. Complex environments typically complete in 1–3 months.

4. Go Live & Adoption

Roll out with built-in communication templates and forced-enrolment options. Target 90%+ adoption within the first quarter.

FAQ

Common questions

You define LoA tiers per user group in AD or Entra ID. A standard employee reset might require SMS + one knowledge-based answer. An admin account reset requires Smart Card + manager approval + a verified data attribute from HR. Each tier is independently configured and enforced automatically based on the account requesting the reset.
You can provide MyPass with access to your enterprise data sources — AD, HR systems, ERP, or any SQL/API-accessible database — to generate verification questions specific to each user. For example: "What is your employee number?", "What is your department cost centre?", or "What date did you join?" These answers exist in your systems already. No user enrolment needed for knowledge-based questions.
Yes. MyPass has a custom connector framework, so you can integrate virtually any verification source. If your organisation has a proprietary identity store or a biometric system, MyPass can invoke it as part of the reset process. Speak to our team about custom integration options.
Yes. MyPass supports remote password resets for work-from-home users. If you require local Windows password cache updates, this can be provided through simple VPN integration with the MyPass Windows Client.
MyPass can integrate with HaveIBeenPwned and custom breach lists to block any password that has appeared in known data breaches. Checks happen at the point of reset — if the chosen password is compromised, the user is rejected and prompted to choose again. You can also maintain your own prohibited password dictionary.
Yes. MyPass supports an effectively unlimited number of Active Directory forests, and fully supports hybrid Microsoft environments — self-service resets work seamlessly across on-premise Active Directory and Entra ID (formerly Azure AD), including SAML-based SSO integrations.
Self-service MFA reset is supported for Microsoft, Google, Okta, Duo Security, TOTP (RFC 6238), RSA, RADIUS, and smart card providers — through the self-service portal or via helpdesk-assisted IVM. A user who loses access to their second factor can re-enrol without a helpdesk ticket.
Yes. BitLocker self-service key recovery lets a verified user securely retrieve their recovery key from Entra ID or on-premise Active Directory — no helpdesk intervention required. The same levels of assurance that govern a password reset apply to key recovery.

See Advanced SSPR in action.

Most AD-based PoCs are live within a single week. See the platform in your own environment, and see how custom levels of assurance change your security posture and helpdesk volumes.