Does anyone allow password reset to a personal email address? If so, what is your experience? Any pain points with taking this approach?
95% of our users do not have access to a company email address. We do provide a method of resetting their password internally, but they don't have any options externally outside of contacting our Service Desk. We would like to provide password reset to a personal email but would like to get some feedback prior to implementing this change.
We understand your concern, and using users' personal email addresses for password resets will work as expected. But I would recommend assuring a certain level of additional security, such as confirmation of the reset with the user via a different communication channel, or securing the accounts with MFA, because personal emails bring a certain level of security risk. Depending on your security requirements, for example if someone somehow breaks into a user's personal email account, MFA would add the additional necessary security for these rare cases. I hope this answers your questions and helps you in forming your decision.