Self Service Anywhere™
- A user forgot his primary Windows login password.
- The user is away from the office and the corporate AD password is cached locally.
- The video shows how the user can reset the forgotten password from the PC login screen, over WiFi+VPN, and get back to work.
- Users are increasingly mobile.
- Mobile users sign into their corporate laptops with cached domain credentials.
- If a user forgets his Windows password while away from the corporate network, the IT help desk cannot help him, as they cannot access the cached password.
- Using Self-Service, Anywhere, Hitachi ID Password Manager allows mobile users to reset forgotten passwords even while away, enabling them to get back to work before they return to the office.
- Without this technology, a remote user who forgot his password cannot use his PC until he returns -- a major business interruption.
Self Service Password Reset
- A user forgot his primary Windows login password.
- The user is on the corporate network.
- The video shows how the user can reset the forgotten password from the PC login screen and get back to work.
- Users most commonly forget their password at login time.
- If users forget their Windows password, they must be able to access a web page before login.
- Using Self-Service, Anywhere, Password Manager allows users to reset forgotten passwords, enabling them to get back to work.
- Without this technology, a user who forgot his password cannot use his PC until the password is reset by the helpdesk.
Checking that a password is not known-compromised
- User experience of selecting a new password.
- Passwords that are known to have been compromised, and which have been aggregated at https://haveibeenpwned.com/, are rejected.
- Easily prevent users from selecting known-bad passwords.
- Note that in the video, the password text typed by the user is displayed. That is never done in real deployments; it is done in this video only to show what is going on.
Configuring password-quality integration with haveibeenpwned.com
- Use the component management UI to install integration with https://haveibeenpwned.com/.
- Configure the web proxy that the Password Manager server must use to access this site.
- Integration with https://haveibeenpwned.com/ is very simple.
- In minutes, Password Manager can be configured to reject passwords that are known to have been compromised.
Unlock pre-boot password
- A user forgot his pre-boot password for McAfee ePO Drive Encryption.
- The user can unlock his PC using Password Manager.
- Access to Password Manager is via the Hitachi ID Mobile Access app on the user's smart phone.
- Unlocking encrypted filesystems.
- Strong authentication prior to unlock.
- Access to self-service using a smart phone, as the PC is locked.
Enrollment of security questions
- A user has been invited to fill in a form with security questions and answers.
- This animation starts after:
  - The user has clicked a link in an e-mail, or
  - a browser window was automatically launched at PC login.
- The user has already authenticated to Password Manager with a password, token or smart card.
- Policy is used to combine user-chosen and standardized questions.
- Some questions may be accessible to the help desk.
- Some questions may be suitable for telephone authentication.
- Usually only a random subset of enrolled questions is used to authenticate a user.
- A user signs into Password Manager and launches login sessions to other applications.
- Single sign-on to SaaS applications and other apps that support SAML.
- Applications need not maintain their own login pages or passwords.
- Password Manager includes a 2FA mobile app, so it can add strong authentication to integrated applications.
- Users can sign in once (into Password Manager) and launch multiple login sessions (into integrated applications).
- A SAML 2.0 IdP and an application launchpad (for SSO) are included in the base Password Manager product -- no extra fees.
RSA SecurID Self-Service Token Support
- A user has forgotten the PIN for his RSA SecurID token.
- Using self-service, he can choose a new PIN.
- Token PIN reset is more commonly accessed via telephone, since tokens are often used to establish a VPN connection.
- Other self-service options include issuing emergency access codes and disabling the token (e.g., if it was lost).
Reminder to change passwords
- A user is reminded, via e-mail, to change passwords.
- Users never volunteer to change passwords.
- Mobile users are not reminded to change passwords by Windows, so an e-mail helps them avoid lockouts.
- An interactive web UI can educate users about password policy and in-scope systems, so it is often preferable to the Windows “Ctrl-Alt-Del” UI.
Assisted password reset
- The experience of a help desk analyst resetting passwords for a user who has forgotten his password or triggered a lockout.
- Help desk staff may be forced to authenticate callers, for example by prompting them with security questions and keying in their answers.
- Help desk staff may be empowered or required to cause new passwords to be immediately expired.
- “Behind the scenes,” a help desk ticket is normally created to record the service incident.