Self-service Password Reset Tech Brief

  • 7/31/2019 Self-service Password Reset Tech Brief

    PistolStar, Inc. dba PortalGuard
    PO Box 1226
    Amherst, NH 03031 USA

    Phone: 603.547.1200
    Fax: 617.674.2727
    E-mail: [email protected]
    www.portalguard.com

    2012, PistolStar, Inc. dba PortalGuard All Rights Reserved.

    Centralized Self-service Password Reset:

    From the Web and Windows Desktop

    v.3.2-007

    Self-service Password Reset Layer

    Tech Brief Centralized Self-service Password Reset

    PortalGuard Centralized Self-service Password Reset: From the Web and Windows Desktop

    Table of Contents

    Summary
    The Basics
    PortalGuard Centralized Self-service Password Reset
    Features
    Benefits
    How it Works
        Enrollment
        Self-service Password Reset
    Configuration
    Deployment
    IIS Install
    System Requirements
    Supporting Videos
    Platform Layers

    Summary

    For companies of all sizes, the task of supporting users can prove to be taxing on the IT staff, especially the Help Desk and Administrators. Most studies show the cost of password resets can range from $25 to $75 per incident and make up around 30 percent or more of Help Desk calls. This provides ample reason and demand for password reset and recovery tools which empower the user. By allowing users to self-service their own account and password management needs, organizations can effectively offer 24/7 access and maintain productivity.

    Shopping for a tool such as this can be challenging, so the first step is to understand your requirements by documenting your user access scenarios. For example, how will roaming users change their password remotely, or how will a forgotten password be recovered on a laptop with an encrypted hard drive? Along with these requirements, determining your budget and current Help Desk costs without a solution in place will allow you to forecast your ROI and further narrow down the vendor selection.

    Another point to consider is the evolution of self-service password reset and whether the vendors you are evaluating are keeping pace. Many tools you'll find are not compliant with most companies' current security standards. The problem of forgotten passwords has been around since passwords were first used, but expanding access scenarios and advanced attacks are requiring more advanced solutions. For example, entry point solutions are now expected to go beyond simple password resets to accept multiple scenarios which may include disconnected users, auditing and leveraging devices such as mobile phones.

    Of course, true success of a self-service password management solution will be measured by the users' satisfaction and an overall reduction in the frequency of their calls to the Help Desk for support.

    The Basics

    Self-service password reset is the process a user initiates to prove their identity with the end goal of resetting their password. Self-service password recovery is similar, but the end goal is obtaining the current password value without changing it. The user can be authenticated using various methods.

    Most tools use challenge question and answer as an acceptable means of authenticating the user. However, associated security threats, including easily guessed answers or information readily available on their Facebook page, raise valid concerns. A secure solution puts additional precautions in place, for example not allowing the same answer for each question, requiring a minimum answer length, and requiring a larger subset of questions (e.g. 3 out of 6) to be answered.

    For increased security, two-factor authentication can be added to the password reset and/or recovery to ensure only an authorized user is setting the password.

    PortalGuard Centralized Self-service Password Reset

    PortalGuard's self-service password reset is flexible and offers a complete solution which has evolved with industry demands. By providing the exact same interface for both Windows Desktop and Web-based self-service, the user's learning curve is minimized and overall user adoption is increased.

    The available self-service actions that PortalGuard offers are password reset, password recovery, and account unlock. These actions can also be performed from mobile devices such as iPads and smartphones. PortalGuard integrates seamlessly with Microsoft Active Directory, Novell eDirectory, any LDAP-compliant directories and custom SQL user repositories.

    PortalGuard also supports users who are offline or disconnected from the network, allowing them to perform a password recovery. In this case, the password is divided into mathematically-represented shares, with each share being AES-256 encrypted by a separate challenge answer. All shares are then bulk encrypted with AES-256 using a separate key and stored locally on the user's machine. When the user attempts to recover their password, they will be asked to prove their identity by correctly answering a certain number of challenge questions. Once decrypted, the user is shown the password in clear text, allowing them to continue working. For security purposes, if a disconnected user strikes out while attempting to authenticate, the encrypted recovery information is deleted from the local machine, so the user will be forced to reconnect to the network to perform the recovery.
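    One way the share-based offline recovery described above can work, as an added example that is not PortalGuard's code: it assumes the shares are Shamir threshold shares (the brief does not name the scheme), uses a PBKDF2 key with a SHAKE-256 keystream as a stand-in for the per-share AES-256 encryption, leaves out the outer bulk encryption, and the names `make_blob`, `recover` and `strikes_left` are hypothetical.

```python
import hashlib, secrets

P = 2**521 - 1  # prime field; holds a password of up to 57 bytes plus an 8-byte check value

def _pad(answer, salt):
    # Stand-in for the per-share AES-256 step: PBKDF2 key from the answer, SHAKE-256 keystream.
    norm = " ".join(answer.lower().split()).encode()
    key = hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)
    return int.from_bytes(hashlib.shake_256(key).digest(66), "big")

def make_blob(password, answers, threshold, max_strikes=3):
    """Split the password into one share per answer; any `threshold` shares rebuild it."""
    pw = password.encode()
    # The 8-byte check value lets recovery tell a correct result from garbage.
    secret = int.from_bytes(pw + hashlib.sha256(pw).digest()[:8], "big")
    if secret >= P:
        raise ValueError("password too long for this field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x, answer in enumerate(answers, start=1):
        y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        salt = secrets.token_bytes(16)
        shares.append((x, salt, y ^ _pad(answer, salt)))  # share masked by its answer
    return {"shares": shares, "threshold": threshold, "strikes_left": max_strikes}

def recover(blob, supplied):
    """supplied maps question number -> answer; returns the password or None."""
    points = [(x, (masked ^ _pad(supplied[x], salt)) % P)
              for x, salt, masked in blob["shares"] if x in supplied]
    if blob["shares"] and len(points) >= blob["threshold"]:
        secret = 0
        for xj, yj in points:  # Lagrange interpolation evaluated at x = 0
            num = den = 1
            for xm, _ in points:
                if xm != xj:
                    num = num * -xm % P
                    den = den * (xj - xm) % P
            secret = (secret + yj * num * pow(den, -1, P)) % P
        raw = secret.to_bytes(66, "big").lstrip(b"\0")
        if hashlib.sha256(raw[:-8]).digest()[:8] == raw[-8:]:
            return raw[:-8].decode()
    blob["strikes_left"] -= 1
    if blob["strikes_left"] <= 0:
        blob["shares"] = []  # strike-out: discard the local recovery data
    return None
```

    Every answer supplied in one attempt must be correct, and an attempt with fewer answers than the threshold counts as a strike.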

    To authenticate the user during an online self-service action, PortalGuard leverages challenge questions and answers and/or two-factor authentication via a one-time password sent to a mobile phone or email address. Challenge answers are cryptographically hashed and stored on a central server to support roaming users and prevent the need to re-enroll on multiple machines.
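    The answer rules from The Basics and the hashed central storage described above, as an added example that is not PortalGuard's code: the policy values, the choice of salted PBKDF2 for the hash, the record layout and all function names are assumptions.

```python
import hashlib, hmac, re, secrets

# Assumed policy values; the brief names these settings but not their defaults.
POLICY = {"min_len": 4, "case_sensitive": False, "required_correct": 3, "lockout_limit": 3}

def _norm(answer):
    text = " ".join(answer.split())
    return text if POLICY["case_sensitive"] else text.lower()

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def check_enrollment(qa):
    """Return policy violations for {question: answer}; short filler words are ignored."""
    problems, seen = [], set()
    for question, answer in qa.items():
        norm = _norm(answer)
        if len(norm) < POLICY["min_len"]:
            problems.append(("too_short", question))
        if norm in seen:
            problems.append(("repeated_answer", question))
        seen.add(norm)
        if {w for w in _words(question) if len(w) > 3} & _words(norm):
            problems.append(("question_word", question))
    return problems

def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 100_000)

def enroll(qa):
    """Validate answers, then keep only a per-answer salt and PBKDF2 digest."""
    problems = check_enrollment(qa)
    if problems:
        raise ValueError(problems)
    answers = {}
    for question, answer in qa.items():
        salt = secrets.token_bytes(16)
        answers[question] = (salt, _digest(answer, salt))
    return {"strikes": 0, "answers": answers}

def verify(record, supplied):
    """Return 'verified', 'denied' or 'locked' for one reset attempt."""
    if record["strikes"] >= POLICY["lockout_limit"]:
        return "locked"
    correct = 0
    for question, answer in supplied.items():
        if question in record["answers"]:
            salt, digest = record["answers"][question]
            correct += hmac.compare_digest(digest, _digest(answer, salt))
    if correct >= POLICY["required_correct"]:
        record["strikes"] = 0
        return "verified"
    record["strikes"] += 1
    return "locked" if record["strikes"] >= POLICY["lockout_limit"] else "denied"

# Constructed sample enrollment: six questions, any three must be answered correctly.
SAMPLE = {"What was the name of your first pet?": "Biscuit", "In what city were you born?": "Lowell",
          "What was your first car?": "Saab 900", "What is your oldest cousin's first name?": "Okonkwo",
          "What street did you grow up on?": "Juniper Lane", "What was your high school mascot?": "Falcons"}
```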

    By providing auditing and reporting around user access, an Admin App for the mobile phone, and user verbal authentication through a Help Desk console, PortalGuard is a comprehensive self-service password reset solution.

    Features

    General:

    - Provides password reset, recovery and account unlock
    - Disconnected user support - including lock-out threshold for increased security
    - Forced user enrollment (optional)
    - Integrates with Active Directory, Novell eDirectory, any LDAP-compliant directories and custom SQL user repositories
    - Encrypted hard drive support - perform a password recovery through PortalGuard on an alternate or mobile device (e.g. Symantec Endpoint Encryption)
    - Supports multiple authentication methods - challenge questions and answers and two-factor authentication delivered via SMS or Email
    - Email notifications of password resets to both the user and/or admin
    - Lock-out thresholds for incorrect responses to authentication attempts
    - Includes support for mobile browsers

    Challenge Questions & Answers:

    - Centralized - challenge information stored on server
    - Configurable number of mandatory/optional questions
    - Allows import/pre-population of challenge answers
    - Prevent repeat answers for multiple challenge questions
    - Prevent answers from containing words from the question text
    - Answers can be case sensitive
    - Configurable minimum length for challenge answers

    Administrative:

    - Help Desk Console - provide interface for Help Desk staff to easily perform account actions
    - Verbal Authentication - allows Help Desk staff to authenticate a user calling in
    - Administrator Dashboard - logging and reporting of user access activity

    Windows Desktop Support (shown below):

    - Supports Windows versions XP, Vista, Windows 7, Microsoft Terminal Services and Remote Desktop Services
    - Self-service directly from Ctrl+Alt+Del/Windows Logon screen - removes need to go to an alternate machine/kiosk or login with a guest account, maintained on each machine

    Benefits

    - Increased Usability - users are now empowered to self-service their own needs and maintain productivity
    - Increased Security - provides two-factor authentication
    - Centralized Solution - same user interface for both the web and Windows desktop
    - No Kiosks - perform all self-service actions directly from the user's machine
    - Reduced Costs - alleviate password-related Help Desk calls and demands on IT staff
    - Configurable - to the user, group or application levels
    - Seamless Integration - use sidecar mode to retrofit existing application login screens with the PortalGuard functionality, maintaining the current look and feel you have today

    How It Works

    The following steps show the enrollment and process of resetting a password using PortalGuard's self-service functionality. The screenshots provided show the process being completed from a web browser. A user can also complete the process from the Windows desktop using the same steps and identical interface.

    Enrollment

    Once self-service password reset is made available, the user will be prompted to enroll their challenge questions and answers. PortalGuard provides flexibility around this process by allowing you to configure whether the enrollment will be forced or able to be postponed x number of times by the user. This increases the usability for users, giving them options around a process some may find obstructive.

    NOTE: If other authentication methods are enforced, such as two-factor authentication, then those enrollment actions will also be displayed, as configured by the admin.

    Screenshots: Windows XP Desktop Support, Windows 7 Desktop Support

    Enrollment Process

    NOTE: The screenshots below illustrate the use of PortalGuard's sidecar functionality. It allows rapid integration of PortalGuard's self-service features into existing websites or user processes.

    Step 1: The user attempts to login to a company's existing portal as usual.

    Step 2: In this case, the user has not yet enrolled their challenge information, so PortalGuard automatically displays the enrollment screen in sidecar mode. This dialog shows that the administrator has configured the PortalGuard policy to allow the option of skipping enrollment temporarily. Doing so will close the PortalGuard dialog and continue the original login process. The user can enroll now by clicking "Continue".

    Step 3: The user is prompted to provide answers to the challenge questions. The number of both mandatory and optional questions the user is required to answer is configurable. PortalGuard also increases security by helping the user perform best practices when supplying answers, such as not repeating answers or avoiding using words which are included in the question text.

    Throughout the enrollment process the user is provided with helpful warning notices, such as the number of answers remaining, to ease the frustrations some may feel during this process.

    Step 4: The process is complete and the user is now enrolled. Clicking the link shown will close the PortalGuard dialog and continue the original login process.

    Self-service Password Reset Process

    Step 1: The user attempts to login to a company's existing portal but has forgotten their password. The user then clicks the "Forgot your password?" link.

    Step 2: The user selects from "Recovery Actions Available" which self-service action they would like to perform. The user selects the "Reset Forgotten Password" radio button and clicks "Continue".

    NOTE: The dialog shows the most common actions, an account unlock and password reset, but password recovery is also available.

    Step 3: The user is then prompted to provide their enrolled answers to the enrolled challenge questions. PortalGuard provides users with helpful warning messages throughout this process. Once the user has supplied the required number of answers, they click "Continue".

    Step 4: The user's identity has been verified and they are able to set a new password. Added usability and security features such as the "Show Password" checkbox and virtual keyboard can be easily enabled or disabled.

    Configuration

    NOTE: All the following settings are policy specific, so you can have different values for different users/group/hierarchies.

    Configurable through the PortalGuard Configuration Utility:

    Main

    - Self-service options available to users
    - Authentication types available for each self-service action

    Authentication Types

    Challenge Questions and Answers

    - Enrollment - optional, required, disabled
    - Recovery lockout limit
    - Answer complexity including minimum length, case sensitivity, prevent answer repetition and prevent question words as answers
    - Number of optional questions
    - Number of mandatory questions

    Mobile Phone

    - Enrollment - optional, required, disabled
    - Phone number format
    - Delivery format

    Email

    - Enrollment - optional, required, disabled
    - Domain blacklist
    - Email display
    - Email format including From, Subject and Body fields

    Notifications

    - Type of self-service including account unlock, password reset and recovery

    Deployment

    Implementation of the PortalGuard platform is seamless and requires no changes to Active Directory/LDAP schema. A server-side software installation is required on at least one IIS server on the network. Additional client-side software is required for performing self-service from the Windows logon screen.

    IIS Installation

    An MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI:

    1. All the Web Server Management Tools role services
    2. All the Application Development role services
    3. All IIS 6 Management Compatibility role services

    The MSI is a wizard-based install which will quickly guide you through the installation.

    System Requirements

    This version of PortalGuard supports direct access and authentication to cloud/web-based applications, only.

    PortalGuard can be installed directly on the following web servers:

    IBM WebSphere/WebSphere Portal v5.1 or higher

    Microsoft IIS 6.0 or higher

    Microsoft Windows SharePoint Services 3.0 or higher

    Microsoft Office SharePoint Server 2007 or later

    The PortalGuard Web server also has the following requirements on Windows operating systems:

    .NET 2.0 framework or later must be installed

    (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)

    PortalGuard is fully supported for installation on virtual machines. Furthermore, PortalGuard can currently be installed on the following platforms:

    Microsoft Windows Server 2000

    Microsoft Windows Server 2003 (32 or 64-bit)

    Microsoft Windows Server 2008 (32 or 64-bit)

    Microsoft Windows Server 2008 R2

    NOTE: When run in "Sidecar" mode, PortalGuard can provide its functionality on any webserver that uses an HTML login page.

    If you have a platform not listed here, please contact us at [email protected] to see if we have recently added support for your platform.

    Supporting Videos

    Please view the following videos to watch a demo of PortalGuard's self-service offerings:

    - Self-service Password Reset, Recovery & Account Unlock (Browser-based)
    - Self-service Password Reset, Recovery & Account Unlock (Windows 7 Desktop)
    - Disconnected Password Recovery
    - Help Desk Console

    Platform Layers

    Beyond self-service password reset, PortalGuard is a flexible authentication platform with multiple layers of available functionality to help you achieve your authentication goals:

    - Contextual Authentication
    - Tokenless Two-factor Authentication
    - Real-time Reports / Alerts
    - Knowledge-based Password Management
    - Single Sign-on

    ###

    http://www.portalguard.com/videos/PG_SelfService_2012.wmv
    http://www.portalguard.com/pdfwrap/Win7_PG.htm
    http://www.portalguard.com/videos/Offline_Video.wmv
    http://www.portalguard.com/videos/Help_Desk_Video.wmv