Assisted password reset with Hitachi ID Password Manager

Hitachi ID Password Manager (formerly P-Synch) includes an assisted password reset console, which allows IT support staff to help callers without having direct administrative access to target systems:

Help desk analysts sign into Password Manager with a web browser.
Analysts can be authenticated using IDs and passwords internal to Password Manager or use pass-through authentication to an existing system.
For example, help desk analysts may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each analyst in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.
From the Password Manager web interface, analysts can search for the caller's profile by login ID or full name.
Analysts can be required to authenticate the caller -- for example by keying answers to some of the user's personal questions, which Password Manager can validate against its own back-end database or an external database, directory or web service.
Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.
Once both the analyst and caller have been authenticated, analysts can reset the caller's password, lock or unlock the caller's access to Password Manager or update the caller's profile. Assisted password resets may be configured to also expire the new password, requiring the user to change it on the next login.
All transactions -- analyst login, user profile lookup, successful or failed password reset and more may trigger e-mails to the user, to the analyst or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.
Since only a single, simple web interface is used, an assisted password reset is normally completed in 1--2 minutes.
User-filter and account-filter plug-in points are available, making it possible to delegate password reset capabilities to managers, platform administration groups and regional help desks and to ensure that such groups get only appropriate password reset and user profile lookup privileges.
At no point in the process does an analyst require administrative access to the systems where passwords are being reset. Instead, Password Manager uses its own credentials to sign into target systems and these are encrypted in an internal Password Manager database.

Assisted password reset reduces the cost of password support calls and ensures that such calls are uniformly processed in a consistent, secure fashion.

Integrations

After a password reset, or following any of 189 other types of events, Password Manager can create, update and close a trouble ticket in any of the following types of help desk systems:

Axios Assyst.
BMC/Remedy ARS (4, 5, 6, 7).
BMC Service Desk Express (7.0, 7.5, 9.x).
CA Unicenter Help Desk.
Clarify eFrontOffice (8, 12).
FrontRange HEAT (5, 6, 7, 8).
HP Service Desk.
HP Service Manager (any version).
Numara Track-It!
Symantec / Altiris.
... and more

Watch a Movie

Assisted password reset

Play movie

Content:

The experience of a help desk analyst resetting passwords for a user who has forgotten his password or triggered a lockout.

Key concepts:

Help desk staff may be forced to authenticate callers, for example by prompting them with security questions and keying in their answers.
Help desk staff may be empowered or required to cause new passwords to be immediately expired.
"Behind the scenes," a help desk ticket is normally created to record the service incident.