Hitachi ID Systems, Inc.

Hitachi

Technology Helping locked out users
certification

Product Sites

Common Criteria Certification

Common
Criteria
Certification

info security products guide 2012

Helping locked out users

(1) When users forget or lock out their primary password, they are in a Catch-22 situation: they cannot log into their computer and open a web browser but cannot open a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager (formerly P-Synch) includes a variety of mechanisms to address the problem of locked out users. Each of these approaches has its own strengths and weaknesses, as described below:

  Option Pros Cons
  Do nothing: users continue to call the help desk.

  • Inexpensive, nothing to deploy.

  • The help desk continues to field a high password reset call volume.
  • No solution for local passwords or mobile users.
  Ask a neighbor: Use someone else's web browser to access self-service password reset.

  • Inexpensive, no client software to deploy.

  • Users may be working alone or at odd hours.
  • No solution for local passwords or mobile users.
  • Wastes time for two users, rather than one.
  • May violate a security policy in some organizations.
  Secure kiosk account (SKA): Sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.

  • Simple, inexpensive deployment, with no client software component.
  • Users can reset both local and network passwords.

  • Introduces a "generic" account on the network, which may violate policy, no matter how well it is locked down.
  • One user can trigger a lockout on the "help" account, denying service to other users who require a password reset.
  • Does not help mobile users.
  Personalized SKA: Same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's "help" account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.

  • Eliminates the "guest" account on the domain, which does not have a password.

  • Requires creation of thousands of additional domain accounts.
  • Requires ongoing creation and deletion of domain accounts.
  • These new accounts are special -- their passwords do not expire and would likely not meet strength rules.
  Local SKA: Same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.

  • Eliminates the "guest" account on the domain.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

  • Requires a small footprint on each computer (the local "help" account.)
  Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.

  • Simple deployment of centralized infrastructure.
  • No client software impact.
  • May leverage an existing IVR system.
  • Helpful for remote users who need assistance connecting to the corporate VPN.

  • New physical infrastructure is usually required.
  • Users generally don't like to "talk to a machine" so adoption rates are lower than with a web portal.
  • Does not help mobile users who forgot their cached domain password.
  • Does not help unlock PINs on smart cards.
  Physical kiosks: Deploy physical Intranet kiosks at each office location.

  • Eliminates generic or guest accounts.
  • May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).

  • Costly to deploy -- hardware at many locations.
  • Does not help mobile users who forgot their cached domain password.
  • Users may prefer to call the help desk, rather than walking over to a physical kiosk.
  GINA DLL: Windows XP: Install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.

  • Requires intrusive software to be installed on every computer.
  • Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick the PC").
  GINA Extension Service: Similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • More robust, fault-tolerant installation process than the GINA DLL.

  • Requires software to be installed on every computer.
  • Does not work on Citrix Presentation Server or Windows Terminal Server -- only works on personal computers.
  Credential Provider: The equivalent of a GINA DLL, but for the login infrastructure on Windows 7 and Windows Vista.

  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.
  • More robust infrastructure than GINA DLLs on Windows XP.

  • Deployment of intrusive software to every workstation.

 

No other product or vendor supports as many options for assisting locked out users.