Privacy and security have become a high priority for both consumers and companies that use mobile devices containing personal or highly confidential information and data. To secure these devices, a password is typically required to unlock them, granting access to the user. To increase security, stronger passwords are required that are longer and have higher complexity requirements. As a result, users often forget their passwords and then wish to be remotely granted temporary access to their device in order to set a new password.
Some companies have solved this problem by enabling IT (information technology) administrators to remotely clear a password from a device, granting access to the user. While this grants the user access to the device, it does so in an insecure manner, leaving the device and its data vulnerable during the period in which the password is being reset. Another approach has been to pre-set a recovery key on a mobile device that can be provided to the user. However, this approach reduces the security of the device because two passwords are available to grant access to it. Furthermore, this approach does not provide an extensible, server-driven way to require the user to supply additional authentication information to ensure the recovery key has not been stolen or compromised.
Changing credentials is relatively easy when all user records are stored in a central database, such as Active Directory or a proprietary user database. However, there is no such database for the PIN (personal identification number) codes used on smartphones, some of which may belong to a company that issued the device to an employee user, and some of which may belong directly to the employee. The PIN is usually known only to the user and is set in accordance with requirements from multiple sources. Pushing a new PIN from a management service to a device may not be possible because the actual policy that sets requirements for the PIN may be known to the device but not to the server.