Self-Service - Anywhere

Explains how Hitachi ID Password Manager addresses the login problems experienced by mobile users with full disk encryption, cached credentials, smart phones, smart cards and tokens.


Many organizations depend on self-service technologies in general and self-service password reset in particular to lower the cost of IT support by moving problem resolution out of the help desk and into the user community.

Traditional self-service password reset solutions offer a web-based process where a user who has forgotten his password or locked out his account can identify himself, authenticate with something other than the lost or locked password -- for example, by answering a series of security questions -- and reset his password or unlock his account.

Since users who forgot their primary Windows password cannot launch a web browser, two additional user interfaces are commonly deployed. First, a GINA extension DLL (on Windows XP) or a Credential Provider (on Vista or Windows 7) lets users reach self-service from their PC's login screen. Second, an interactive voice response (IVR) system lets users reset or unlock their passwords using their telephone.

These solutions have worked well for years, but two important market trends are undermining them:

  1. Many organizations are deploying full disk encryption (FDE). Users may forget or lock out the pre-boot password that unlocks their PC's disk, before an operating system even boots. Self-service in this case depends on key recovery, not password reset.
  2. Many organizations have an increasingly mobile and telecommuting workforce. Their users sign into their laptops using locally cached domain credentials. When the help desk resets a remote user's password on the domain, the change cannot propagate to the laptop's local cache until the laptop next authenticates to a domain controller, so the login problem is not resolved. These users have to physically visit an office and attach their PC to the corporate network before their login problem can be resolved.

This document explains how Hitachi ID Password Manager addresses these problems, so that organizations with a mobile and/or remote workforce, and those that deploy full disk encryption, can continue to realize the benefits of self-service password reset, PIN reset and key recovery.

To the best of Hitachi ID Systems' knowledge, no other commercially available password management or identity management software is able to address these issues.

Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.

Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change their passwords using a web browser, and an ActiveX control refreshes the cached password on their laptop.

Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support cost.
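To make the expiry warning concrete, here is an added example (not Hitachi ID code, and not a description of how Password Manager itself does it) that computes a user's password expiry from the attributes Active Directory exposes and decides whether a warning e-mail is due. It assumes standard AD semantics: pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC, with 0 meaning "must change at next logon"), maxPwdAge on the domain object is a negative tick count, and bit 0x10000 of userAccountControl marks a non-expiring password. The 42-day maximum age, the 14-day warning threshold and the fixture dates are constructed for the example.

```python
# Added example, not Hitachi ID code: compute a user's password expiry from
# the Active Directory attributes any warning job would have to read, and
# decide whether a warning e-mail is due.  Assumed AD semantics: pwdLastSet
# is a FILETIME (100 ns ticks since 1601-01-01 UTC, 0 = must change at next
# logon), maxPwdAge is a negative tick count on the domain object, and bit
# 0x10000 of userAccountControl marks a non-expiring password.
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl flag
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge value meaning "never"

# Constructed sample policy: a 42-day domain maximum password age, in ticks
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks (100 ns) -> aware UTC datetime, using integer arithmetic."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks; used here to build fixtures."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Instant at which the password expires, or None if it never expires."""
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    # maxPwdAge is negative, so subtracting it adds the allowed age
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def expiry_warning(pwd_last_set: int, max_pwd_age: int, user_account_control: int,
                   now: datetime, warn_days: int = 14) -> Tuple[Optional[int], str]:
    """Return (whole days left, status); status is "never", "expired", "warn"
    or "ok", and "warn" means the reminder e-mail should go out now."""
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return None, "never"
    if pwd_last_set == 0:
        return None, "expired"  # account flagged "must change at next logon"
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    if expiry is None:
        return None, "never"
    days_left = (expiry - now) // timedelta(days=1)  # floors toward -inf
    if days_left < 0:
        return days_left, "expired"
    return days_left, ("warn" if days_left <= warn_days else "ok")


if __name__ == "__main__":
    # Constructed fixture: password set 2024-01-01, checked on 2024-02-01
    last_set = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(expiry_warning(last_set, MAX_PWD_AGE_42_DAYS, 0x200,
                         datetime(2024, 2, 1, tzinfo=timezone.utc)))  # (11, 'warn')
```

A job built on this would query each mobile user's pwdLastSet and userAccountControl over LDAP, compare the result against the domain's maxPwdAge, and e-mail only the "warn" and "expired" cases; keeping the arithmetic in integer ticks avoids the rounding errors that creep in when FILETIME values are converted through floating point.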


Reset forgotten, cached password while away from the office

Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users' problem until they return to the office, and their laptops are unusable until then.

Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or an air-card. Users locked out at their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through the self-service password reset process, and Password Manager uses an ActiveX component to reset the locally cached password to the same new value that was set on the network back at the office.

Business impact: Forgotten passwords are a major work disruption for mobile users, since without this capability they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.


Unlock encrypted hard disk

Problem: Many organizations deploy full disk encryption software to user PCs. This helps prevent data compromise in the event that a laptop is lost or stolen.

Full disk encryption software is often configured to prompt the user for a password before the OS boots -- a very secure configuration. This pre-boot password is often synchronized with the user's AD password.

Unfortunately, when users forget their pre-boot password, the unlock process can be quite tedious: the user must call the help desk, authenticate, and then exchange cryptographic challenge and response codes with the technician over the phone. These are frustrating and costly IT support calls.

Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response exchange between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.

Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.


Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process, since the new PIN has to be written to the user's smart card. This means that a PIN reset may require a physical visit to the help desk.

Solution: Password Manager allows users to access a self-service web portal from anywhere, including from the locked-out login screen of their laptop while away from the office, over the temporary Internet connection described earlier. Once a user signs into the self-service portal, Password Manager can download an ActiveX component to the user's web browser to communicate with the smart card and reset the forgotten PIN. Password Manager can also assign the user a temporary login password (often a very long and random one) for use when the user has left his smart card at home.

Business impact: While forgotten PINs are infrequent -- PINs are not usually set to expire -- when they do happen, they are extremely disruptive. Assigning temporary passwords is just as important for users who left their smart card at home, which happens quite often.


Low cost multi-factor authentication using mobile phones

Password Manager supports low-cost, multi-factor authentication into its own request portal, using a smart phone as a secondary authentication factor.

This solution is implemented using two technologies included with Password Manager:

  1. Managed enrollment, which automatically invites users to:
    1. provide their mobile phone number; and/or
    2. provide their personal e-mail address; and/or
    3. install the Mobile Access app on their phone.
  2. A sign-on sequence which, once the user has enrolled:
    1. If the user connects from the Extranet, starts with a CAPTCHA.
    2. Next, prompts for the user's login ID.
    3. Fingerprints the user's browser -- if the indicated user has signed on from the same browser before, this can act as an unobtrusive authentication factor (it recognises a previously seen browser; it does not prove possession of anything).
    4. If the user connects from a browser not seen before, prompts for another factor, which may be:
      1. If the user had previously enrolled their mobile phone number, a PIN sent to the user's phone via SMS, which the user is prompted to enter. Note: an SMS broker is required to do this, which may cost as much as a few cents per message.
      2. If the user had previously enrolled their personal e-mail address, a PIN sent to that address, on the assumption that the user has e-mail access on their phone.
      3. If the user had previously installed Mobile Access on their phone, either a push notification that displays a PIN on their phone, or a cryptographic challenge displayed in the login screen as a QR code, which the user scans with the app.
    5. Finally, depending on whether the user remembers his password, prompts the user to enter it or to answer a series of security questions.
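The sign-on sequence above, as an added example written for this page rather than Password Manager's own code. It sequences the challenges (CAPTCHA, login ID, browser recognition, a second factor for unseen browsers, then password or security questions) and shows the part the list leaves implicit: how a delivered PIN should be handled so that it is stored only as a salted hash, expires, is attempt-limited and cannot be replayed. Assumptions not stated on the page: the preference order when several factors are enrolled (SMS, then personal e-mail, then the app), the attributes hashed into the browser fingerprint, the 5-minute PIN lifetime, the 3-attempt budget, and the user records, which are constructed.

```python
# Added example, not Hitachi ID code: the challenge sequencing described on
# this page, plus a one-time PIN that is hashed at rest, time-limited,
# attempt-limited and single-use.  Assumed (not from the page): the factor
# preference order, the fingerprint inputs, the PIN lifetime and attempt cap.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Enrollment:
    """What managed enrollment collected for one user (constructed records)."""
    login_id: str
    mobile_number: Optional[str] = None
    personal_email: Optional[str] = None
    mobile_app: bool = False
    known_browsers: Set[str] = field(default_factory=set)


def browser_fingerprint(user_agent: str, accept_language: str,
                        screen: str, time_zone: str) -> str:
    # Hash of attributes the browser reveals.  This only recognises a browser
    # seen before; it is not a secret and not a proof of possession.
    raw = "|".join((user_agent, accept_language, screen, time_zone)).encode()
    return hashlib.sha256(raw).hexdigest()


def plan_challenges(enr: Enrollment, from_extranet: bool,
                    fingerprint: str, knows_password: bool) -> List[str]:
    """Ordered challenges for one sign-on, following the page's steps 1-5."""
    steps: List[str] = []
    if from_extranet:
        steps.append("captcha")
    steps.append("login_id")
    if fingerprint in enr.known_browsers:
        steps.append("browser_recognized")
    elif enr.mobile_number:           # assumed preference: SMS first
        steps.append("sms_pin")
    elif enr.personal_email:
        steps.append("email_pin")
    elif enr.mobile_app:
        steps.append("app_push_or_qr")
    else:
        # Unseen browser and nothing enrolled: no second factor is possible.
        raise ValueError(f"{enr.login_id}: no second factor enrolled")
    steps.append("password" if knows_password else "security_questions")
    return steps


@dataclass
class PinChallenge:
    """Server-side record of an outstanding PIN; the PIN itself is not kept."""
    login_id: str
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = 3


def issue_pin(login_id: str, now: float, ttl_seconds: int = 300) -> Tuple[str, PinChallenge]:
    """Create a 6-digit PIN to deliver by SMS, e-mail or push; keep only its salted hash."""
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + pin.encode()).digest()
    return pin, PinChallenge(login_id, salt, digest, now + ttl_seconds)


def verify_pin(ch: PinChallenge, candidate: str, now: float) -> bool:
    """True at most once, within the lifetime and within the attempt budget."""
    if now > ch.expires_at or ch.attempts_left <= 0:
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(hashlib.sha256(ch.salt + candidate.encode()).digest(), ch.digest)
    if ok:
        ch.attempts_left = 0   # single use: a replayed PIN is rejected
    return ok


def remember_browser(enr: Enrollment, fingerprint: str) -> None:
    """Call only after every challenge in the plan has succeeded."""
    enr.known_browsers.add(fingerprint)


if __name__ == "__main__":
    # Constructed walk-through: new browser, SMS enrolled, password known
    alice = Enrollment("alice", mobile_number="+15555550100")
    fp = browser_fingerprint("Mozilla/5.0", "en-US", "1920x1080", "America/Edmonton")
    print(plan_challenges(alice, True, fp, True))
    pin, ch = issue_pin("alice", now=0.0)
    assert verify_pin(ch, pin, now=10.0) and not verify_pin(ch, pin, now=11.0)
    remember_browser(alice, fp)
    print(plan_challenges(alice, True, fp, True))
```

Two design points worth keeping when wiring this to a real SMS broker or push service: the fingerprint is added to known_browsers only after the whole plan succeeds, so a failed second factor never "teaches" the server a new browser, and the PIN record is consumed on the first correct answer, so a PIN intercepted from a phone or mailbox cannot be used again after the legitimate user has signed on.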