Helping Mobile Users - Hitachi ID Password Manager
Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:
- Expensive: the user must physically bring (or mail) the laptop to a corporate location, the PC can re-authenticate to the AD domain and cache the user's newly reset password.
- Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate login ID, which is defined on the user's PC (not a domain account), whose security will henceforth be compromised.
- Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.
While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.
The Hitachi ID Password Manager Solution
When users are off-site and not connected to the corporate network, they can use a telephony solution IVR to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.
A LSKA, GINA extension service or credential provider are available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX). Password Manager software installed on a user's Windows laptop enables password reset while away from the office, as follows:
- The user's PC is not physically attached to any network -- the user
may be at an airport, coffee shop, etc.
- The user is faced with a login screen to which he does not know
- The user's (forgotten) AD password is cached on the PC, to allow
logins while away from the corporate network.
- If the LSKA is deployed, The user signs into his workstation with
the user name "help" and no password.
- If the GINA extension service or Credential Provider is deployed,
the user presses a button on the Windows login screen with a label
such as "I forgot my password."
- The Password Manager client software service is started and detects (a)
that there is no physical network connection but also (b) the
PC has a wireless network adapter.
- Password Manager scans for available WiFi hot-spots and asks the user
to select one. They are ordered by signal strength, so the user
normally chooses the first one (nearest AP; often public).
- The user's web browser is launched and the user may have to register,
- Once the user's PC is on the Internet, Password Manager will launch a
temporary VPN connection to the corporate network.
- Password Manager will launch a kiosk-mode web browser to the password
reset web portal. Since the browser is in kiosk mode, the user
cannot navigate to any other URL.
- The user will perform a password reset in this web browser session.
This will include self-identification, some form of non-password
authentication (e.g., CAPTCHA + security questions + mobile phone
SMS PIN) and selection of a new password.
- Password Manager will use an ActiveX to re-authenticate the user's PC
to the domain, over the VPN. This has the desirable side-effect
of updating the cached password on the user's PC.
- The user closes the kiosk-mode web browser. This also disconnects
the VPN and terminates the WiFi session.
- The user is able to sign into his PC with his new password, which has been applied both at work and to the local cache.
Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired connection. All of these alternatives also work essentially as described above.
Watch a Movie
Self Service Anywhere™
Mobile user unlocks Windows XP password with GINA service
Mobile user unlocks Windows 7 password with Credential Provider