Overview

Specops Password Reset is designed to allow end users to reset a lost password without the help of administrative personnel. Solving this problem is all about verifying the identity of a user, so that a user can only reset his or her own password and not somebody else's.

Specops Password Reset uses two different techniques to verify users' identities: secret questions and mobile verification codes.

Secret questions

Figure: The web interface for enrolling for Password Reset

To use secret questions for user verification, users must enroll in the Password Reset Service. When enrolling they are asked a number of questions. A question can be, for example, "What was your mother's maiden name?" The nature of the questions should be such that the user will easily remember the answer to them, whereas other users should not be likely to know the answer or to find it out easily. Which questions, and how many of them must be answered, are configured by the administrator.

Mobile verification codes

Figure: Resetting a password with a mobile verification code

In addition to secret questions, user identities can also be verified using mobile phone verification codes. This means that a text message with a verification code is sent to the user's mobile phone. The user is then required to enter this code into the web application when attempting to reset their password. If possible, it is recommended to use both secret questions and mobile verification codes.

Security note! In general, secret questions are not a strong form of security. If the questions and/or answers are not selected carefully, a person with some social engineering skills may be able to lure the answers out of another user. However, with Specops Password Reset we have tried to minimize this risk:
- It is recommended to use mobile phone validation codes in combination with secret questions.
- The list of supplied questions has been carefully reviewed and does not contain the type of questions that are easy to guess.
- A user will need to answer each question before being presented with the next question.
- Users will be locked out from the Reset service after a number of failed answers. This threshold is configured by the administrators.
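The three mitigations above (one question at a time, lockout after an administrator-configured number of failed answers, and an optional mobile code on top) can be modelled in a few dozen lines. The following is an added illustration, not Specops code; the class and method names, the use of PBKDF2 for stored answers, and the six-digit code format are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then hash with a per-user salt:
    # enrolled answers are never kept in clear text.
    norm = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


class ResetVerifier:
    def __init__(self, qa_pairs, max_failures=3):
        self.salt = secrets.token_bytes(16)
        self.questions = [(q, hash_answer(a, self.salt)) for q, a in qa_pairs]
        self.max_failures = max_failures   # administrator-configured threshold
        self.failures = 0
        self.index = 0                     # next question to ask
        self.locked = False
        self.sms_code = None

    def next_question(self):
        # Only the current question is revealed; later ones stay hidden
        # until this one has been answered correctly.
        if self.locked or self.index >= len(self.questions):
            return None
        return self.questions[self.index][0]

    def answer(self, text):
        if self.locked:
            return "locked"
        if self.index >= len(self.questions):
            return "done"
        if hmac.compare_digest(hash_answer(text, self.salt), self.questions[self.index][1]):
            self.index += 1
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True             # user must now go through the help desk
            return "locked"
        return "wrong"

    def send_sms_code(self):
        # Stand-in for the text message (constructed): a real deployment delivers
        # the code out of band; it is returned here only so the flow can be exercised.
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        return self.sms_code

    def verified(self, sms_code=""):
        # Verified only when every question is answered and, if a code was sent, it matches.
        done = not self.locked and self.index == len(self.questions)
        if self.sms_code is None:
            return done
        return done and hmac.compare_digest(sms_code, self.sms_code)
```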

Unlock locked out accounts

A password reset can be used both to reset a forgotten password and to unlock a user account that has been locked out as a result of too many failed logon attempts.

Improved Change password interface

Figure: The Change Password web interface

In addition to resetting passwords, Specops Password Reset also contains an alternative method to change a password instead of using the normal method from the logon screen.

This alternative user interface is a huge improvement for users, specifically if complex password policies are enforced. Users receive instant feedback about which password rules are being met as they type their new password.

The list of password rules presented to the end user when changing or resetting a password is based on the specific password rules that apply to that user. The password rules can come from any of the following three sources:

  • Built-in domain password policy
  • Active Directory Fine-grained password policies
  • Specops Password Policy

Helpdesk

In addition to the end-user web interface there is also a separate web interface intended for Help Desk personnel. The Help Desk web interface can display detailed information about the user and allows Help Desk personnel to reset a user's password.

User information

Figure: User information in the Help Desk interface

When a user calls the help desk, help desk personnel can search for the user's name and instantly get detailed information about the user. This information includes user logon name, full name, mobile phone number, email address, enrollment status, etc.

From the user information page the help desk personnel can also send a temporary verification code to the end user's mobile phone, to help validate the user's identity.

Reset user’s password

Figure: Password Reset from the Help Desk

Help Desk personnel can reset a user's password. This feature would be used in cases where a user has forgotten his or her password and cannot reset it themselves. Reasons for this can be that the user has not enrolled, cannot remember the answers to his or her questions, or has been locked out from the service.

A password that meets the password requirements for the user can be automatically generated and also sent to the user’s mobile phone.

Security note! When a user calls a help desk and needs help resetting his or her password, verifying the user's identity is generally a problem. The mobile verification code in Specops Password Reset helps with this issue. In addition to asking the user for login name, full name and mobile number, a verification code can also be sent to the user, who will then be asked to read the code out to the Help Desk personnel.

Page last modified on May 14, 2008, at 10:16 AM