You think you have it bad with your internal users forgetting their Active Directory passwords? Harumph. That’s nothing compared to your legions of external users who only log in occasionally. You are going to get a ton of calls if you don’t have a self-service password reset solution for them.

The issue? We are seeing more and more customers authenticating their external users against Active Directory. It seems simple enough: create a new forest with the customers as users, then sync those users into your internal forest as contacts. One forest accomplishes two goals: a solid authentication mechanism for customers, and an easy way to keep customer contact information current internally. Because contacts are not security principals, the mirrored objects cannot be used to log in to the internal forest, which is what makes the one-way sync safe.
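As an added example (not from the original post and not GroupID's code), here is a PowerShell script that performs that one-way user-to-contact sync. The forest names, domain controllers, OUs and the read-only credential are assumptions; so is the use of extensionAttribute1 (an attribute added by the Exchange schema extension) to stamp each contact with the source user's objectGUID, so the script can update existing contacts instead of creating duplicates when a customer is renamed. Any spare string attribute in your schema will do in its place.

```powershell
#Requires -Modules ActiveDirectory
# Added example: one-way sync of customer users -> internal contacts.
# Assumed names: customers.example (external forest), corp.example (internal forest),
# the two OUs below, and extensionAttribute1 as the source-GUID marker.
param(
    [string]$ExternalDC = 'dc01.customers.example',
    [string]$ExternalOU = 'OU=Customers,DC=customers,DC=example',
    [string]$InternalDC = 'dc01.corp.example',
    [string]$ContactOU  = 'OU=Customer Contacts,DC=corp,DC=example',
    # Read-only account in the customer forest; the script itself runs as an
    # internal account that only has rights on $ContactOU (least privilege).
    [pscredential]$ExternalCred = (Get-Credential -Message 'Read-only account in the customer forest')
)

# Pull only the attributes we intend to publish internally. Password hashes never
# leave the external forest, and contacts cannot log on, so nothing here grants access.
$attrNames = 'mail', 'givenName', 'sn', 'displayName', 'telephoneNumber', 'company'
$users = Get-ADUser -Server $ExternalDC -Credential $ExternalCred `
    -SearchBase $ExternalOU -Filter { Enabled -eq $true } -Properties $attrNames

foreach ($u in $users) {
    if (-not $u.mail) { continue }   # no e-mail address, nothing useful to publish

    # Match on the source objectGUID (assumed to be stored in extensionAttribute1),
    # not on the display name, so renames in the customer forest do not create duplicates.
    $marker  = $u.ObjectGUID.Guid
    $contact = Get-ADObject -Server $InternalDC -SearchBase $ContactOU `
        -Filter { objectClass -eq 'contact' -and extensionAttribute1 -eq $marker }

    # AD rejects empty values in -OtherAttributes / -Replace, so copy only populated ones.
    $attrs = @{}
    foreach ($name in $attrNames) {
        if ($u.$name) { $attrs[$name] = $u.$name }
    }
    $attrs['extensionAttribute1'] = $marker

    if ($contact) {
        Set-ADObject -Server $InternalDC -Identity $contact -Replace $attrs
    } else {
        # mail is unique in the source, so using it as the CN avoids name collisions
        New-ADObject -Server $InternalDC -Type contact -Path $ContactOU `
            -Name $u.mail -OtherAttributes $attrs
    }
}

# Remove contacts whose source user is gone or disabled, so the internal address
# book stops advertising departed customers. Only objects carrying our marker are
# touched; hand-made contacts in the same OU are left alone.
$live = @($users | ForEach-Object { $_.ObjectGUID.Guid })
Get-ADObject -Server $InternalDC -SearchBase $ContactOU `
    -Filter { objectClass -eq 'contact' } -Properties extensionAttribute1 |
    Where-Object { $_.extensionAttribute1 -and ($_.extensionAttribute1 -notin $live) } |
    Remove-ADObject -Server $InternalDC -Confirm:$false
```

Run it from a scheduled task in the internal forest. The account it runs as needs create, write and delete rights on the contact OU only, and the credential it uses against the customer forest needs nothing beyond read access to the customer OU; neither side needs a two-way trust for this to work.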

Most Active Directory self-service password reset solutions rely heavily on a “forgot my password” link on the Windows logon screen, because most internal users are on a company computer. You apply a GPO that installs the password reset software into the logon screen (a GINA replacement on older Windows, a credential provider on Vista and later) and, boom, self-service password reset without a help desk call.

Unfortunately, most of your customers aren’t going to let you apply a GPO to their computers, as selfish as that may seem. So you need to make sure the password reset solution you choose exposes its challenge-question authentication through a web form, one that works from any browser with no agent on the customer’s machine. GroupID Password Center is one example.

The ability to work against multiple identity stores is key as well. You have gone to great trouble to separate your external users from your internal ones; make sure the tool lets you give them separate password and challenge-question policies too. Your goal is fewer help desk calls, not more.

This is becoming more and more of a critical requirement, so make sure your external customers are as well cared for as your internal users.

