Users who have forgotten a password or triggered an intruder lockout can sign into Hitachi ID Password Manager using other types of credentials to reset their password or clear the lockout. Non-password authentication options include security questions, voice biometrics, smart cards, hardware tokens and random PINs sent to a user's mobile phone using SMS.
Access to self-service is available from a PC web browser, from the Windows login screen, using a telephone or using the mini web browser on a smart phone.
Users can authenticate to the self-service password reset or PIN reset system using any combination of the following mechanisms:
- By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F).
- By answering security questions.
- By offering up a biometric sample, which is validated by a trusted service or API.
- Using the Hitachi ID Mobile Access smart phone app to scan a cryptographic challenge displayed on the user's PC screen as a QR code.
- Using third-party smart phone apps, such as Duo Security or Google Authenticator.
- Using a hardware or software security token (e.g., RSA SecurID).
- Using a smart card with a PKI certificate.
- Using Windows-integrated authentication.
- Using a Security Assertion Markup Language (SAML) or OAuth assertion issued by another server.
- By typing a PIN that was sent to their mobile phone via SMS.
- Using a device/browser fingerprint and/or cookie, for example to compare the current login to previous events.
Watch a Movie
Self Service Anywhere™
- A user forgot his primary Windows login password.
- The user is away from the office and the corporate AD password is cached locally.
- The video shows how the user can reset the forgotten password from the PC login screen, over WiFi+VPN, and get back to work.
- Users are increasingly mobile.
- Mobile users sign into their corporate laptops with cached domain credentials.
- If a user forgets his Windows password while away from the corporate network, the IT help desk cannot help him, as they cannot access the cached password.
- Using Self-Service, Anywhere, Password Manager allows mobile users to reset forgotten passwords even while away, enabling them to get back to work before they return to the office.
- Without this technology, a remote user who forgot his password cannot use his PC until he returns -- a major business interruption.
Locked out Windows user resets own password (no software footprint)
- A user has either forgotten his password or triggered an intruder lockout.
- The user's PC runs any version of Windows.
- The user wishes to unlock his account without calling the help desk.
- Access to SSPR is available using a secure kiosk account.
- This approach eliminates the need to install any software on the PC.
- The trade-off is a special domain account, typically called help, which every user can sign into but which has minimal security entitlements.
Self-service password reset is available from a full screen or mobile phone web browser, from the PC login prompt and from a telephone, as described here.