Hitachi ID Password Manager: Password Synchronization and Reset
Overview: Hitachi ID Password Manager (formerly P-Synch) is the industry's leading password management solution. Password Manager helps organizations manage passwords and other forms of authentication more effectively to reduce IT support costs, increase productivity and enhance corporate security. Password Manager features include password synchronization, self-service reset, token management, biometric enrollment, certificate management and more.
Features:
Password Manager, a component of Hitachi ID Management Suite, is enterprise password management software. It reduces the frequency of help desk calls, improves user productivity and strengthens security with password synchronization, self-service password reset, help desk password reset and simplified administration of other authentication factors, such as hardware tokens and biometric samples. Password Manager includes connectors to manage passwords on over 70 kinds of systems.
Specific Password Manager features include:
- Transparent password synchronization
When users change their password on a managed system (Windows NT, Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), z/OS, or iSeries (AS/400)), the new password is subjected to a global password policy in addition to the native policy. If the password is acceptable, the new password is changed both on the initial system and, automatically, on every other system where the user has a login ID.
Use of an existing, familiar user interface to change passwords eliminates the need for training and guarantees high (100%) adoption rates.
- Web-based password synchronization
Users can synchronize some or all of their passwords by using a Password Manager web interface to make routine password changes. The password policy is clearly stated on the screen and enforced immediately. Each system where the user has a login ID is represented by a name and a check box.
- Self-service password reset
Users who have forgotten a password or triggered an intruder lockout can sign into Password Manager with another form of authentication to perform self-service password reset. Supported authentication factors include answering personal questions in the form of Q-A (Question-and-Answer), using a hardware token (e.g., SecurID, SafeWord), using a biometric sample and smart cards.
Automated password reset allows locked out users to reset their own passwords, effectively addressing the problem of forgotten passwords. Password Manager creates a secure and efficient process for users to reset their passwords, thus minimizing the help desk call volume and time spent with the help desk resetting the passwords.
Once authenticated, users can reset their own passwords without calling the help desk. Tickets can be automatically created on an incident management system.
Self-service password reset is available from:
- A web browser, from either the user's own computer or that of a neighbor.
- The login prompt of the user's own workstation. This is possible with a domain-level SKA (secure kiosk account) that does not require a client software installation, a local SKA (secure kiosk account), or a GINA (Graphical Identification and Authentication library) DLL inserted ahead of the existing network client GINA on user workstations.
- A telephone, from which the user dials the help desk ACD (automatic call distribution) and is directed to an IVR (interactive voice response) system that provides a password reset service. A Password Manager API (application programming interface) allows existing IVR systems to be extended to provide password resets. Hitachi ID Phone Password Manager (formerly ID-Telephony), a turn-key IVR system, is also available, using either numeric QA or biometric voice print verification for caller authentication.
- Assisted password reset
Authorized support analysts can sign into a Password Manager web user interface, look up a caller's profile, authenticate the caller by keying in answers to personal questions and reset one or more passwords. A closed ticket can be automatically written to the incident management system.
Support staff do not require any privileges to systems on which Password Manager allows them to reset passwords.
- Clear intruder lockout
Users who have triggered an intruder lockout can sign into Password Manager with another authentication factor, such as a hardware token or by answering personal questions, and can then clear the intruder lockout on their own account.
It should be noted that Password Manager differentiates between different types of "locks," and Password Manager only allows users to clear intruder lockouts:
- Intruder lockouts: triggered by repeated attempts to sign into a given login account with an incorrect password. They often have a timeout (i.e., they are automatically cleared after a set interval).
- Administratively disabled: the login ID was explicitly disabled by a security administrator. Password Manager does not remove such locks.
- Password expired: the user may sign in, but can only access the password change function of the system or application. Password Manager may set this flag after an assisted password reset (i.e., to force the user to change a temporary password). Password Manager normally clears this flag after self-service password changes.
- Account expired: the account is in a state equivalent to setting the "administratively disabled" flag, but as a result of the active time period for the account expiring, rather than due to recent administrator intervention.
It should also be noted that not all target system types support all of the above mechanisms, and some target types actually entangle them. For example, "administratively disabled" and "intruder lockout" are represented by the same flag on most mainframe systems.
In cases where the states are entangled on a target system, Password Manager will either not allow users to clear the flag or, where possible, expose a plug-in point where customers can insert business logic to differentiate between different meanings of the same flag.
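The lock-type distinction above is the security-relevant part of the feature: a self-service channel must clear a lockout caused by bad password attempts without ever lifting a lock an administrator placed deliberately. The following Python model is an added example, not Hitachi ID code; the threshold, timeout and the `entangled_flag`/`classifier` plug-in shape are assumptions chosen to illustrate the behaviour the text describes, including the mainframe case where one flag serves two meanings.

```python
import time
from dataclasses import dataclass
from enum import Flag, auto
from typing import Callable, Optional, Tuple


class Lock(Flag):
    """Hypothetical model of the lock states the text distinguishes."""
    NONE = 0
    INTRUDER_LOCKOUT = auto()   # repeated bad passwords; the user may clear this
    ADMIN_DISABLED = auto()     # explicitly disabled by an administrator; never cleared here
    PASSWORD_EXPIRED = auto()   # user may sign in only to change the password
    ACCOUNT_EXPIRED = auto()    # validity period ended; treated like ADMIN_DISABLED


LOCKOUT_THRESHOLD = 5       # constructed policy value: failures before lockout
LOCKOUT_TIMEOUT = 30 * 60   # constructed: seconds before a lockout clears on its own


@dataclass
class Account:
    login_id: str
    locks: Lock = Lock.NONE
    failed_attempts: int = 0
    locked_at: Optional[float] = None
    # True on targets (the mainframe case in the text) where one native flag stands
    # for both "intruder lockout" and "administratively disabled". The connector is
    # assumed to map that shared flag onto INTRUDER_LOCKOUT and set this marker.
    entangled_flag: bool = False


def record_login(acct: Account, password_ok: bool, now: float) -> Lock:
    """Apply the intruder-lockout rule: N consecutive failures lock the account."""
    if password_ok:
        acct.failed_attempts = 0
        return acct.locks
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locks |= Lock.INTRUDER_LOCKOUT
        acct.locked_at = now
    return acct.locks


def expire_timed_lockouts(acct: Account, now: float) -> None:
    """Intruder lockouts often time out; clear one whose interval has elapsed."""
    if (Lock.INTRUDER_LOCKOUT in acct.locks and acct.locked_at is not None
            and now - acct.locked_at >= LOCKOUT_TIMEOUT):
        acct.locks &= ~Lock.INTRUDER_LOCKOUT
        acct.locked_at = None
        acct.failed_attempts = 0


# Plug-in point: customer business logic that decides what an entangled flag
# means on a given target. Returns the lock type it believes is actually present.
Classifier = Callable[[Account], Lock]


def self_service_clear(acct: Account, now: float,
                       classifier: Optional[Classifier] = None) -> Tuple[bool, str]:
    """Clear a lock on behalf of a user who has already authenticated another way.

    Only an intruder lockout may be cleared. Administrative and account-expiry
    locks are refused. On an entangled target the decision is delegated to the
    classifier plug-in, and refused outright when none is configured.
    """
    expire_timed_lockouts(acct, now)
    if acct.entangled_flag and Lock.INTRUDER_LOCKOUT in acct.locks:
        if classifier is None:
            return False, "flag meaning is ambiguous on this target; refusing"
        meaning = classifier(acct)
        if meaning is not Lock.INTRUDER_LOCKOUT:
            return False, f"plug-in classified the lock as {meaning.name}; refusing"
    if acct.locks & (Lock.ADMIN_DISABLED | Lock.ACCOUNT_EXPIRED):
        return False, "administrative or account-expiry lock; refusing"
    if Lock.INTRUDER_LOCKOUT not in acct.locks:
        return False, "no intruder lockout present"
    acct.locks &= ~Lock.INTRUDER_LOCKOUT
    acct.failed_attempts = 0
    acct.locked_at = None
    return True, "intruder lockout cleared"


if __name__ == "__main__":
    alice = Account("alice")
    for _ in range(LOCKOUT_THRESHOLD):
        record_login(alice, False, time.time())
    print(alice.locks, self_service_clear(alice, time.time()))
    bob = Account("bob", locks=Lock.ADMIN_DISABLED)
    print(bob.locks, self_service_clear(bob, time.time()))
```

The deny-by-default branch for entangled targets is the point worth copying: when the connector cannot tell which meaning a shared flag carries, the safe outcome is to refuse the self-service clear and leave the case to the help desk, rather than risk re-enabling an account an administrator disabled.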
- RSA SecurID Token management
Users with RSA SecurID tokens can use Password Manager for PIN reset or to clear forgotten PINs, to resynchronize their token clock with the RSA Authentication Manager, to enable or disable their token, and to get emergency access passcodes.
- Password policy enforcement
Password Manager normally enforces a uniform, global policy in addition to the various password policies enforced natively on each managed system. This policy applies to all password changes, including those triggered on other systems.
The built-in password policy engine includes over 50 standard rules, plus a regular expression engine and plug-in system, allowing organizations to define new rules. Open-ended password history and dictionary checks are included.
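To make the policy-engine description concrete, here is an added Python example (not Hitachi ID's engine) of a global policy layered in front of transparent synchronization: a list of composable rules including a regular-expression rule, a dictionary check, and a salted-hash password history, evaluated before the new password is pushed to every system where the user has a login ID. The rule set, the dictionary, the history depth, and the `synchronize` target model are all constructed for illustration.

```python
import hashlib
import os
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "hitachi", "summer", "qwerty"}
HISTORY_DEPTH = 12          # assumed depth; the text says history is open-ended
PBKDF2_ROUNDS = 100_000     # history entries are stored salted and hashed, never in clear

# A rule takes (login_id, candidate password) and returns a violation message or None.
Rule = Callable[[str, str], Optional[str]]


def min_length(n: int) -> Rule:
    return lambda _u, pw: None if len(pw) >= n else f"shorter than {n} characters"


def character_classes(required: int) -> Rule:
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

    def rule(_u: str, pw: str) -> Optional[str]:
        have = sum(1 for c in classes if re.search(c, pw))
        return None if have >= required else f"needs {required} character classes, has {have}"
    return rule


def regex_forbids(pattern: str, why: str) -> Rule:
    """Regular-expression rule: any match is a violation (the 'regex engine' in the text)."""
    rx = re.compile(pattern)
    return lambda _u, pw: why if rx.search(pw) else None


def not_login_id(login_id: str, pw: str) -> Optional[str]:
    return "contains the login ID" if login_id.lower() in pw.lower() else None


def dictionary_check(words: Set[str]) -> Rule:
    def rule(_u: str, pw: str) -> Optional[str]:
        low = pw.lower()
        hit = next((w for w in sorted(words) if w in low), None)
        return f"contains dictionary word '{hit}'" if hit else None
    return rule


# The global policy: applied to every change regardless of which system it started on.
GLOBAL_POLICY: List[Rule] = [
    min_length(10),
    character_classes(3),
    regex_forbids(r"(.)\1\1", "three identical characters in a row"),
    regex_forbids(r"0123|1234|2345|3456|4567|5678|6789", "ascending digit sequence"),
    not_login_id,
    dictionary_check(DICTIONARY),
]


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class History:
    """Per-user password history kept as (salt, PBKDF2 digest) pairs."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[tuple] = []

    def seen(self, pw: str) -> bool:
        return any(_digest(pw, salt) == d for salt, d in self.entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(pw, salt)))
        self.entries = self.entries[-self.depth:]


def evaluate(login_id: str, pw: str, history: History,
             rules: List[Rule] = GLOBAL_POLICY) -> List[str]:
    """Return every violation of the global policy; an empty list means acceptable."""
    violations = [v for v in (rule(login_id, pw) for rule in rules) if v]
    if history.seen(pw):
        violations.append("reused a previous password")
    return violations


def synchronize(login_id: str, pw: str, history: History,
                targets: Dict[str, Set[str]]) -> List[str]:
    """Transparent synchronization: global policy first, then fan out the change.

    `targets` maps a system name to the login IDs known on it (a stand-in for the
    per-system connectors). Returns the systems that received the new password.
    """
    violations = evaluate(login_id, pw, history)
    if violations:
        raise ValueError("password rejected: " + "; ".join(violations))
    pushed = [system for system, ids in targets.items() if login_id in ids]
    history.add(pw)
    return pushed


if __name__ == "__main__":
    hist = History()
    systems = {"AD": {"jsmith", "bjones"}, "z/OS": {"jsmith"}, "Oracle": {"bjones"}}
    print(evaluate("jsmith", "Jsmith-summer-1", hist))
    print(synchronize("jsmith", "Correct-Horse-7", hist, systems))
```

Two design points carry over to any real engine: the native system's own policy still runs after this one (the global policy only adds constraints, it cannot relax native ones), and the history must be stored as salted hashes so that a leaked history file does not hand over old passwords that users commonly still use elsewhere.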
- Password change notification / early warning
Password Manager automatically reminds users to change their passwords regularly. This facility pre-empts native password expiration on managed systems and encourages users to synchronize their passwords with a friendly, web-based user interface.
Users are prompted to change passwords either by receiving e-mail, with an embedded URL to the Password Manager server or by responding to a web browser window that is opened during their network login script.
Benefits:
Password Manager eliminates password problems with password synchronization while increasing security with global policy enforcement and password expiration. Password Manager streamlines password problem resolution with self-service and assisted password reset.