
Users sometimes forget their primary PC login password or trigger an intruder lockout. It is desirable to enable these users to access self-service to resolve their problem, but there is a catch: they cannot sign into their PC so cannot access a conventional web browser or other PC application. How then can they access self-service?

The technical challenge is how to connect users to a self-service mechanism from a pre-login context. The mechanism offered must be evident (or users won't find it), easy to use and secure.

Three contexts complicate this problem:

  1. The user is locked out at the OS login screen.
  2. The user is physically off-site.
  3. The user is unable to unlock the encrypted drive of their PC at a pre-boot password prompt.

Solution Alternatives

When users forget their OS login password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, and they cannot open a web browser to reset the password that would let them log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

Option: Ask a neighbor
Use someone else's web browser to access self-service password reset.

Pros:
  • Inexpensive, no client software to deploy.

Cons:
  • Users may be working alone or at odd hours.
  • No solution for local passwords or mobile users.
  • Wastes time for two users, rather than one.
  • May violate a security policy in some organizations.

Option: Hitachi ID Login Assistant
Extends the login screen of Windows systems.

Pros:
  • User-friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.

Cons:
  • Requires deployment of client software to every PC.

Option: Secure kiosk account (SKA)
Sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.*

Pros:
  • Simple, inexpensive deployment, with no client software component.
  • Users can reset both local and network passwords.

Cons:
  • Introduces a "generic" account on the network, which may violate policy no matter how well it is locked down.
  • One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset.
  • Does not help mobile users.

Option: Hitachi ID Mobile Access
Deploy a mobile app, combined with a proxy server in the cloud, to allow users to access the password reset system from their smart phone.

Pros:
  • Secure and convenient.

Cons:
  • Does not help with passwords cached on the user's PC: the cached copy is not updated when the domain password is changed while the PC is disconnected from the network.

Option: Telephone password reset
Users call an automated system, identify themselves with touch-tone input of a numeric identifier, authenticate with touch-tone answers to security questions or with voice-print biometrics, and select a new password.

Pros:
  • Simple deployment of centralized infrastructure.
  • No client software impact.
  • May leverage an existing interactive voice response (IVR) system.
  • Helpful for remote users who need assistance connecting to the corporate VPN.

Cons:
  • New physical infrastructure is usually required.
  • Users generally don't like to "talk to a machine", so adoption rates are lower than with a web portal.
  • Does not help mobile users who forgot their cached domain password.
  • Does not help unlock PINs on smart cards.

* Edge must be used in Desktop Mode.
