Password Resets Are Eating Your MSP's Time (Automate Them)

Pull up your ticket data from last month. Count the password reset requests. If you're like most MSPs, they represent 20-30% of your total ticket volume. Every one of those tickets follows the same script: verify the user, reset the password, tell them to change it on first login. Five minutes of technician time, repeated dozens of times per week.

Your Level 1 techs are spending a quarter of their day on something that requires zero technical skill. Meanwhile, actual problems — the network issues, the application errors, the security alerts — sit in the queue longer than they should.

This isn't a minor inefficiency. It's a structural problem that gets worse as you add clients. And the solution has been available for years — most MSPs just haven't implemented it because it never feels urgent enough to prioritize.

Why Password Resets Are So Expensive

The five minutes per ticket number is actually optimistic. Here's what really happens:

A user calls or submits a ticket. The ticket sits in the queue for 10-30 minutes before a tech picks it up. The tech calls or messages the user to verify identity. If the user doesn't answer, the tech moves on and comes back later. Once connected, the tech resets the password, walks the user through their first login, and closes the ticket.

The total elapsed time from the user's perspective is often 30-60 minutes. The total tech time, including queue management and context switching, is closer to 8-10 minutes per incident. And during that entire window, the user can't work. They're locked out of their computer, their email, their applications — everything behind that password.

For a client with 50 employees, you might handle 10-15 password resets per month. Across 30 clients, that's 300-450 password reset tickets per month. At 8 minutes of real tech time each, you're burning 40-60 hours monthly on password resets alone. That's a quarter to a third of a full-time technician dedicated entirely to the lowest-value work in your stack.

Self-Service Password Reset Done Right

Identity verification that's actually secure. The user proves who they are through MFA — a code sent to their registered phone number, a push notification to their authenticator app, or answers to security questions set during onboarding. This is actually more secure than a tech resetting a password after a phone call, because social engineering a help desk is disturbingly easy.

Think about your current verification process. A caller says "Hi, this is Sarah from Acme Corp, I need a password reset." Your tech asks for... what? Their email address? Their employee ID? Information that's available on LinkedIn or a company directory? A properly configured self-service system requires possession of a registered device, which is a much higher bar than knowledge of publicly available information.

Immediate resolution, any time of day. The user resets their own password at 7 AM before your help desk opens, or at 9 PM when they're working late. No waiting. No ticket. No frustration. They're back to work in two minutes instead of sitting idle for 30-60 minutes waiting for a tech.

This is especially critical for clients with employees in multiple time zones or those who work non-standard hours. A West Coast employee locked out at 5 PM their time is calling at 8 PM Eastern — well after your help desk has closed. Without self-service, they're dead in the water until morning.

Audit trail that satisfies compliance. Every self-service reset is logged with the same detail as a tech-initiated reset. Who requested it, when, what verification method was used, what IP address the request came from. Your compliance reporting doesn't skip a beat. In fact, it gets better because the log is generated automatically instead of depending on a tech remembering to document the interaction.

Password policy enforcement. The self-service tool enforces your password requirements in real time. Minimum length, complexity, no reuse of previous passwords — all checked before the new password is accepted. No more users choosing "Password1" because the tech on the phone didn't enforce the policy.

Implementation: What It Takes

Enrollment is the critical step. Self-service only works if users are enrolled — meaning they've registered their verification methods (phone number, authenticator app, security questions) before they need to use the system. The worst time to enroll someone is when they're locked out.

Build enrollment into your client onboarding process. When you set up a new user, part of the setup includes registering for self-service password reset. For existing users, run an enrollment campaign: send instructions, set a deadline, and follow up with anyone who hasn't completed it.

Integration with Active Directory and cloud identity. The self-service tool needs to talk to wherever passwords live — typically Active Directory, Azure AD / Entra ID, or Google Workspace. Most commercial self-service tools support all of these. The integration is usually straightforward but needs to be tested thoroughly.

User communication matters more than you think. Don't just turn it on and expect users to figure it out. Send a clear email: "Starting [date], you can reset your own password instantly using this link. Here's a 2-minute video showing how." Include the link in a bookmark pushed to their browser. Put it on the company intranet. Make it impossible to miss.

Fallback for edge cases. Some resets can't be self-service. A user who lost their phone and can't receive the verification code still needs to call your help desk. Make sure your techs know the process for handling these exceptions, and make sure the self-service portal clearly tells users what to do if they can't complete the process.

Common Objections (And Why They're Wrong)

"Our clients aren't tech-savvy enough." If they can unlock their iPhone with a fingerprint or enter a code from a text message, they can handle self-service password reset. Modern tools walk users through it step by step with clear language and visual guides. The interfaces are designed for non-technical people, not IT administrators.

We've seen 70-year-old partners at law firms use self-service password reset without issues. The barrier isn't technical ability — it's fear of the unfamiliar. Good communication and a simple interface solve that.

"We'll lose ticket volume and it'll look like we're doing less." This is the most dangerous objection because it reveals a fundamental misunderstanding of value. If your business model depends on doing high volumes of low-value work, you have a business model problem, not a technology problem.

Shift the narrative. You're not doing fewer things — you're doing more valuable things. Replace password reset volume with proactive security reviews, optimization projects, and advisory services that justify higher rates. A client who sees you preventing problems is worth more than a client who sees you resetting passwords.

"What about security?" Self-service with MFA is demonstrably more secure than a technician verifying identity over the phone. You're reducing a social engineering attack vector, not creating one. Document this for your clients. Many will appreciate that you're actually improving their security posture while also improving convenience.

"The tools are too expensive." Most self-service password reset solutions cost $1-3 per user per month. Compare that to the fully loaded cost of technician time handling resets manually. The ROI calculation isn't close.

The Math That Should Convince You

Let's be conservative with the numbers:

50 password reset tickets per week × 8 minutes of real tech time each = 6.7 hours of technician time per week. That's 28+ hours per month or roughly 340 hours per year. At a blended technician cost of $35/hour (including benefits and overhead), that's nearly $12,000 per year in labor for work that adds zero value to your clients or your business.

Now factor in the hidden costs: user downtime while waiting for resets, after-hours escalations that interrupt on-call staff, and the opportunity cost of techs doing resets instead of project work billed at higher rates.

Most self-service password reset tools for an MSP managing 500 users cost $500-1,500/month depending on the platform. Annual cost: $6,000-$18,000. For the midrange option, you're breaking even on direct labor savings alone and coming out ahead when you factor in reduced user downtime and freed-up tech capacity.

What to Look for in a Tool

Multi-directory support. You manage multiple client environments. The tool needs to handle multiple Active Directory domains, Azure AD tenants, and Google Workspace instances from a single management console.

Customizable verification policies. Different clients may have different security requirements. A healthcare client might need two verification factors while a small retailer needs one. The tool should let you set policies per client.

Reporting and analytics. You want to know how many resets are happening via self-service vs. help desk, which clients have low enrollment rates, and where the remaining manual resets are coming from.

White-labeling. The portal should look like it's yours, not like a third-party tool. Your brand, your colors, your logo. Clients should feel like this is part of your service, not something you bolted on.

Start This Week

Pick one client. Ideally one with high password reset volume and tech-comfortable users. Deploy self-service password reset, enroll their users, and measure the results for 30 days. When the numbers prove out — and they will — roll it out across your client base.

The MSPs that grow profitably are the ones that systematically eliminate low-value work from their operations. Password resets are the lowest-hanging fruit in the entire MSP service stack.

Want to get password resets off your techs' plates? Let's talk about your current identity management setup and find the right solution for your client base.