Active Directory self-service password reset from Specops
Resetting users’ corporate passwords is a common support case for the IT helpdesk, especially when the requirements are onerous – a new password every month, for example, or requirements for symbols, capital letters and numbers or a minimum of 15 characters.
It’s a nuisance for IT support staff to have to reset passwords when their time could be better spent, and it is an annoyance for end users too. It also comes with a hefty price tag: a cost of $70 each time for each password reset, according to Forrester Research. It’s time-consuming as well: an average of 20 to 50 per cent of all calls to the IT help desk are password resets.
It is also important to mention that helpdesk staff are verifying users with insecure methods, ranging from simply recognizing users’ voices to employee ID or caller ID. As a result, help desk assisted password resets have been exploited by attackers trying to worm their way into corporate networks.
Password security company Specops has a solution to this problem. Its self-service password reset solution, Specops uReset, enables users to reset or change their corporate (Active Directory) password, removing the need to bother their IT colleagues.
Its robust multi-factor authentication engine lets IT pick and choose, from over 15 different authentication methods, the ones they want to extend to end users. Note that the solution supports options that lend themselves to pre-enrolment into the system by leveraging existing Active Directory information. These are an optimal choice when considering user adoption.
Beyond the sheer number of authentication options, IT can assign different security weights, represented by stars, to each factor they enable. For example, suppose users have to satisfy a weight of 2 stars to verify their identity. A user can then use one identity service assigned the weight of 2 stars, or two identity services each with a weight of 1. This feature provides users with alternatives in the event that one factor fails, while maintaining the desired level of security.
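The star-weight rule described above can be sketched as follows. This is an added example, not Specops code: the service names, their weights and the function names are hypothetical, and the only rule taken from the article is that verified services must add up to the required number of stars.

```python
from itertools import combinations

# Hypothetical policy: identity service -> star weight assigned by IT.
WEIGHTS = {
    "mobile_code": 1,
    "security_questions": 1,
    "authenticator_app": 2,
    "third_party_mfa": 2,
}
REQUIRED_STARS = 2  # threshold used in the article's example


def stars_earned(verified, weights=WEIGHTS):
    """Sum the stars of verified services.

    Each service counts once, so repeating a 1-star factor never reaches
    2 stars, and a service that IT has not enabled contributes nothing.
    """
    return sum(weights.get(service, 0) for service in set(verified))


def is_verified(verified, required=REQUIRED_STARS, weights=WEIGHTS):
    return stars_earned(verified, weights) >= required


def minimal_paths(required=REQUIRED_STARS, weights=WEIGHTS, unavailable=()):
    """List the minimal sets of services that satisfy the threshold.

    A set is minimal when removing any one service drops it below the
    threshold. An empty result means the user cannot verify at all, which
    is the lock-out case to look for when reviewing a policy.
    """
    usable = sorted(s for s in weights if s not in unavailable)
    paths = []
    for size in range(1, len(usable) + 1):
        for combo in combinations(usable, size):
            total = sum(weights[s] for s in combo)
            if total >= required and all(
                total - weights[s] < required for s in combo
            ):
                paths.append(combo)
    return paths
```

Calling `minimal_paths(unavailable=("mobile_code",))` shows which routes remain when one factor fails, which is the property the weighting is meant to preserve.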
The solution can also be accessed from anywhere, including the Windows login screen, allowing users to reset their passwords whenever the need arises.
So how does the password reset system work for users? With Specops, it’s a simple four-step solution.
1. Password reset link. When a user is attempting to log in to the corporate network and can’t remember their password, they simply click the Password Reset link under the log-in box.
2. Identity authentication. This takes the user to a multifactor authentication (MFA) page where they have to prove that they are who they say they are. The user will be presented with a number of different authentication options (enabled by their IT colleagues when setting up the system).
The Specops platform supports over a dozen different authentication methods, including third-party MFA such as Duo Security, and more methods are added regularly. Support of third-party MFA allows organisations to extend the ROI of the platform by securing additional use cases. Many of the authentication methods can leverage existing Active Directory data, such as cellphone numbers, to pre-enroll users into the system.
3. Reset password. Once the user verifies their identity, they are taken to a reset page where they can choose a new password – or type the old password if they have remembered it and simply want to change it.
4. Dynamic password rules display. As users type in the new password, they are aided by a series of password policy rules, such as the required length of the password, the inclusion of numbers, and a rule that certain words (such as “password”) or letter-and-number combinations (“p455w0rd”, for example) cannot be included.
As they type in the new password, any rules it passes are dynamically hidden. If the password fails any of the rules, then the user can easily see which rules they have failed against and adapt the new password accordingly. All this makes it very easy to ensure that users are choosing a secure password that complies with the rules, without the guesswork sometimes involved when the rules are displayed after the fact.
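The dynamic rule display in step 4 can be modelled as a function that returns only the rules a candidate password still fails, re-evaluated on every keystroke. This is an added example, not Specops code: the rule labels, the 15-character minimum, the substitution table and the function names are assumptions chosen to match the article's examples.

```python
# Assumed leetspeak substitutions, applied before the banned-word check so
# that "p455w0rd" is treated the same as "password".
LEET = str.maketrans({
    "4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
    "3": "e", "1": "l", "!": "i", "7": "t",
})
BANNED_WORDS = ("password",)  # the article's example word
MIN_LENGTH = 15               # assumed; a figure quoted earlier in the article


def normalise(candidate):
    """Lower-case the candidate and undo common character substitutions."""
    return candidate.lower().translate(LEET)


# (label shown to the user, check that returns True when the rule passes)
RULES = [
    (f"At least {MIN_LENGTH} characters", lambda p: len(p) >= MIN_LENGTH),
    ("Contains a number", lambda p: any(c.isdigit() for c in p)),
    ("Contains a capital letter", lambda p: any(c.isupper() for c in p)),
    ("Contains a symbol", lambda p: any(not c.isalnum() for c in p)),
    ("Does not contain a banned word",
     lambda p: not any(w in normalise(p) for w in BANNED_WORDS)),
]


def failing_rules(candidate):
    """Rules still visible to the user: the ones the candidate fails."""
    return [label for label, passes in RULES if not passes(candidate)]


def typing_trace(candidate):
    """Replay the keystrokes and record each change in the visible rules.

    A rule that was hidden can reappear: the banned-word rule passes for
    "passwor" and fails again once the final "d" is typed.
    """
    trace, shown = [], None
    for i in range(1, len(candidate) + 1):
        now = failing_rules(candidate[:i])
        if now != shown:
            trace.append((candidate[:i], now))
            shown = now
    return trace
```

The banned-word check runs on the normalised string while the length, number and symbol checks run on the raw input, so a substituted digit still counts as a number but does not disguise the word.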
Of course, even with a self-service password reset solution in place, users will sometimes still resort to calling the IT helpdesk. Specops uReset offers a helpdesk component that leverages the same flexible multi-factor authentication system when helpdesk staff are verifying whether someone making a password reset request is who they say they are. Helpdesk staff could ask the user to read out a code that has been sent to their mobile phone, or to use a fingerprint app that has been sent to them.
It’s clear that the Specops system has been designed very much with both the end-user and security in mind: it’s simple and intuitive to use but also secures two high-risk use cases with multi-factor authentication – self-service password reset and helpdesk assisted password resets.