Deciding which features to implement
Use the quick framework and the matrix below to select features. Match feature priority to your business goals, user population, and compliance needs.
Primary goal | Recommended features |
|---|---|
Reduce help desk volume from password issues | Self-service password reset, account unlock, Local Reset Extension, Login Assistant |
Remediate a suspected compromise or rotate large sets of credentials | Mass password reset (v12,9+), credential vault (Bravura Safe) integration, forced policy changes |
Support remote/offline users | Self Service Anywhere (offline reset support), Login Assistant, Phone Password Manager, Local Reset Extension |
Enforce consistent password rules across systems | Global password policy or target system group policy, transparent password synchronization |
Centralise secrets and support privileged accounts | Credential vault (Bravura Safe), Bravura Privilege integrations |
The tables below list features and when they are typically required. Assess which features are required, optional, or situational.
Core self-service capabilities
Feature | Description | When to use | Priority |
|---|---|---|---|
Self-Service Password Reset (SSPR) | Web or login-screen reset using configurable verification | All organisations | Required |
Account unlock | Self-service and help-desk unlock of accounts | Frequent AD/LDAP lockouts | Required |
Login Extensions | Login-screen recovery (Windows Credential Provider, PAM hooks) | Distributed/hybrid workforces, kiosks, VDI | Required (distributed) |
Self Service Anywhere | Reset when device is off-network; integrates with LRE and Login Assistant | Laptops / field devices | Situational |
Credential and password management
Feature | Description | When to use | Priority |
|---|---|---|---|
Credential Vault (Bravura Safe) | Central storage for rotated credentials and secrets | Shared accounts, PAM, audit requirements | Optional / Recommended for PAM |
Password Synchronization | Propagate password updates to multiple target accounts | Users with accounts on multiple systems | Optional |
Global password policy or target system group policy | Enforce complexity, history, and reuse rules centrally | All regulated organisations | Required |
Administrative and high-volume operations
Feature | Description | When needed | Priority |
|---|---|---|---|
Mass Password Reset (MPR) (v12.9+) | Bulk automated reset and vaulting for incident response or policy changes | Security incidents, migrations, offboarding of shared accounts | Situational and critical when needed |
Assisted Password Reset | Help-desk console for caller authentication & reset | Where SSPR coverage is incomplete | Optional |
Expiry Notifications | Email/SMS reminders for upcoming password expiry | Reduce unexpected lockouts for remote users | Optional |
Recommended deployment patterns
Standard: SSPR, Account Unlock, Login Extensions, MFA, AD/LDAP integration.
Security-focused: Standard + Credential Vault, stronger MFA, detailed audit logging, policy enforcement.
Distributed workforce: Login Extensions, Offline Reset, Local Reset Extension, Phone Password Manager.
Incident response: Mass Password Reset, immediate vaulting, forced policy changes, revoke cached credentials.
Questions to guide strategy
Which identity stores must be integrated (AD, Entra ID, LDAP, HRIS)?
How many users are remote, offline, or mobile?
What is the required authentication strength for resets?
Is Mass Password Reset required for incident response or migrations?
What are audit and retention requirements for reset events?