When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer until the password is fixed, but they cannot open a web browser to fix the password until they have logged in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

Option 1. Ask a neighbor: Use someone else's web browser to access self-service password reset.

  Pros:
  • Inexpensive, no client software to deploy.

  Cons:
  • Users may be working alone or at odd hours.
  • No solution for local passwords or mobile users.
  • Wastes time for two users, rather than one.
  • May violate a security policy in some organizations.

Option 2. Hitachi ID Login Assistant: Extends the login screen of Windows systems.

  Pros:
  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.

  Cons:
  • Deployment of client software to every PC.

Option 3. Secure kiosk account (SKA): Sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.

  Pros:
  • Simple, inexpensive deployment, with no client software component.
  • Users can reset both local and network passwords.

  Cons:
  • Introduces a "generic" account on the network, which may violate policy, no matter how well it is locked down.
  • One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset.
  • Does not help mobile users.

Option 4. Hitachi ID Mobile Access: Deploy a mobile app, combined with a proxy server in the cloud, to allow users to access the password reset system from their smart phone.

  Pros:
  • Secure and convenient.

  Cons:
  • Does not help with passwords cached on the user's PC, which are not updated when the user's domain password is changed while the PC is disconnected from the network.

Option 5. Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics, and select a new password.

  Pros:
  • Simple deployment of centralized infrastructure.
  • No client software impact.
  • May leverage an existing IVR system.
  • Helpful for remote users who need assistance connecting to the corporate VPN.

  Cons:
  • New physical infrastructure is usually required.
  • Users generally don't like to "talk to a machine," so adoption rates are lower than with a web portal.
  • Does not help mobile users who forgot their cached domain password.
  • Does not help unlock PINs on smart cards.


Watch a Movie

Self Service Anywhere™


Content:

  • A user forgot his primary Windows login password.
  • The user is away from the office and the corporate AD password is cached locally.
  • The video shows how the user can reset the forgotten password -- from the PC login screen, over Wi-Fi and VPN -- and get back to work.

Key concepts:

  • Users are increasingly mobile.
  • Mobile users sign into their corporate laptops with cached domain credentials.
  • If a user forgets his Windows password while away from the corporate network, the IT help desk cannot help him, as they cannot access the cached password.
  • Using Self-Service Anywhere, Password Manager allows mobile users to reset forgotten passwords even while away, enabling them to get back to work before they return to the office.
  • Without this technology, a remote user who forgot his password cannot use his PC until he returns -- a major business interruption.

Locked out Windows user resets own password (no software footprint)


Content:

  • A user has either forgotten his password or triggered an intruder lockout.
  • The user's PC runs any version of Windows.
  • The user wishes to unlock his account without calling the help desk.

Key concepts:

  • Access to SSPR is available using a secure kiosk account.
  • This approach eliminates the need to install any software on the PC.
  • The trade-off is a special domain account, typically called "help," which every user can sign into but which has minimal security entitlements.

Assisted password reset


Content:

  • The experience of a help desk analyst resetting passwords for a user who has forgotten his password or triggered a lockout.

Key concepts:

  • Help desk staff may be forced to authenticate callers, for example by prompting them with security questions and keying in their answers.
  • Help desk staff may be empowered or required to cause new passwords to be immediately expired.
  • "Behind the scenes," a help desk ticket is normally created to record the service incident.

User unlocks Windows password with self-service telephone call


Content:

  • User triggers an intruder lockout on his Windows login account.
  • User accesses self-service password reset via telephone.
  • User enters his network login ID using touch-tone input.
  • User gives numeric answers to security questions.
  • User selects one of several randomly generated passwords.
  • User signs into Windows with the new password.

Key concepts:

  • Access to self-service password reset despite being locked out of Windows.
  • User interaction via telephone, no client footprint.