Technology Helping Locked Out Users
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+

Helping Locked Out Users

(1) When users forget or lock out their primary password, they are in a Catch-22 situation: they cannot log into their computer and open a web browser but cannot open a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of locked out users. Each of these approaches has its own strengths and weaknesses, as described below:

  Option Pros Cons
  Do nothing: users continue to call the help desk.

  • Inexpensive, nothing to deploy.

  • The help desk continues to field a high password reset call volume.
  • No solution for local passwords or mobile users.
  Ask a neighbor: Use someone else's web browser to access self-service password reset.

  • Inexpensive, no client software to deploy.

  • Users may be working alone or at odd hours.
  • No solution for local passwords or mobile users.
  • Wastes time for two users, rather than one.
  • May violate a security policy in some organizations.
  Secure kiosk account (SKA): Sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.

  • Simple, inexpensive deployment, with no client software component.
  • Users can reset both local and network passwords.

  • Introduces a "generic" account on the network, which may violate policy, no matter how well it is locked down.
  • One user can trigger a lockout on the "help" account, denying service to other users who require a password reset.
  • Does not help mobile users.
  Personalized SKA: Same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's "help" account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.

  • Eliminates the "guest" account on the domain, which does not have a password.

  • Requires creation of thousands of additional domain accounts.
  • Requires ongoing creation and deletion of domain accounts.
  • These new accounts are special -- their passwords do not expire and would likely not meet strength rules.
  Local SKA: Same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.

  • Eliminates the "guest" account on the domain.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

  • Requires a small footprint on each computer (the local "help" account.)
  Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.

  • Simple deployment of centralized infrastructure.
  • No client software impact.
  • May leverage an existing IVR system.
  • Helpful for remote users who need assistance connecting to the corporate VPN.

  • New physical infrastructure is usually required.
  • Users generally don't like to "talk to a machine" so adoption rates are lower than with a web portal.
  • Does not help mobile users who forgot their cached domain password.
  • Does not help unlock PINs on smart cards.
  Physical kiosks: Deploy physical Intranet kiosks at each office location.

  • Eliminates generic or guest accounts.
  • May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).

  • Costly to deploy -- hardware at many locations.
  • Does not help mobile users who forgot their cached domain password.
  • Users may prefer to call the help desk, rather than walking over to a physical kiosk.
  GINA DLL: Windows XP: Install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.

  • Requires intrusive software to be installed on every computer.
  • Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick the PC").
  GINA Extension Service: Similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • More robust, fault-tolerant installation process than the GINA DLL.

  • Requires software to be installed on every computer.
  • Does not work on Citrix Presentation Server or Windows Terminal Server -- only works on personal computers.
  Credential Provider: The equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.
  • More robust infrastructure than GINA DLLs on Windows XP.

  • Deployment of intrusive software to every workstation.

 

No other product or vendor supports as many options for assisting locked out users.

Watch a Movie

Locked out Windows 7 user resets own password


Play movie

Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs Windows 7.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available as a credential provider (CP).
  • The CP can be installed on Windows Vista and Windows 7 workstations.

Locked out Windows XP user resets own password


Play movie

Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs Windows XP.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available as service installed on Windows XP workstations.
  • The service is not a GINA DLL. Instead, it adds UI elements to the native GINA on the fly.
  • This architecture is less risky than installing a DLL into the GINA DLL chain.

Locked out Windows user resets own password (no software footprint)


Play movie

Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs any version of Windows.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available using a secure kiosk account.
  • This approach eliminates the need to install any software on the PC.
  • The trade-off is a special domain account, typically called help which every user can sign into but which has minimal security entitlements.

Help locked out user with domain secure kiosk account


Play movie

Content:

  • User locks out Windows login password.
  • User signs in with a domain-level secure kiosk account.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • Web browser is closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out PC.
  • No client software is installed on the PC.

Corporate user unlocks Windows XP password with GINA service


Play movie

Content:

  • User locks out Windows login password.
  • User presses a "help" button to access self-service.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • Web browser is closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows XP PC.
  • GINA DLL is not altered.
  • The native GINA UI is extended to include an unlock button, at runtime.

Corporate user unlocks Windows 7 password with a Credential Provider


Play movie

Content:

  • User locks out Windows 7 login password.
  • User presses a "help" button to access self-service.
  • A kiosk-mode web browser is launched.
  • User enters his network login ID.
  • User answers security questions.
  • User chooses a new password.
  • Web browser is closed.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset from a locked out Windows 7 PC.
  • The UI extension is via the Credential Provider infrastructure.
  • The native login screen is extended to include an unlock button.

User unlocks Windows password via telephone


Play movie

Content:

  • User locks out Windows login password.
  • User accesses self-service password reset via telephone.
  • User enters his network login ID using touch-tone input.
  • User gives numeric answers to security questions.
  • User selects one of several random password.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset despite being locked out of Windows.
  • User interaction via telephone, no client footprint.