Overview

Specops uReset™ is the next-generation password reset solution from Specops Software. It uses claims-based identity to provide flexible multi-factor authentication, addressing both the security and the flexibility requirements organizations have for password resets. Specops uReset is a self-service solution that lets end users handle the most common password management tasks themselves: forgotten passwords, locked-out Active Directory accounts, and password resets and changes.

Central Concepts


Password Reset

The process of changing a forgotten password. A password reset can be performed by a user who has verified their identity using multi-factor authentication. The user resets their password in the uReset Web application, which can be opened from any modern web browser, including mobile phone browsers.

Multi-factor authentication

Specops uReset goes beyond two-factor authentication by supporting a broad range of identity services that can be combined to increase password reset security and flexibility. The solution supports common authenticators such as security questions and mobile verification codes, digital identity services ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), and higher-trust methods such as smart cards. The helpdesk can also apply multi-factor authentication when assisting users with an account unlock or password reset, by requiring the user to verify their identity with their enrolled identity services first.

IT administrators can select, based on role and security policy, which identity services/authenticators they want to extend to end-users to verify their identity when resetting or unlocking their accounts. Such flexibility can ensure that varying security and flexibility needs are met. For example:

  • For users with a low security clearance but a high need for flexibility, such as students, IT admins can allow authentication with a few personal identity services, such as a Google or Facebook ID.
  • For users with a higher security clearance, such as financial aid administrators or senior executives, IT admins can assign policies that require more identity services, or a stronger combination of them. This gives administrators the flexibility to enforce policies that translate to greater security and efficiency.

Identity Services

To authenticate users with an identity service, the identity service must be configured (enabled) in the administration console, and each user affected by the uReset policy must enroll in the uReset service. Once enrolled, a user can reset their password in the uReset Web Application (reached from the link on the Windows logon screen, or directly in any modern browser) or in the uReset Mobile App (iOS, Android or Windows Phone). The Specops uReset Server reads and writes the information the system needs on user objects in Active Directory.

The following identity services can be used to authenticate users in Specops uReset:

Standard Identity Services

  • Question and Answer (Security Questions)
  • Username & Password
  • Windows Integrated Authentication

Social, SaaS, Email Identity Services

  • AOL
  • Facebook
  • Flickr
  • GitHub
  • Google
  • Instagram
  • LinkedIn
  • Microsoft
  • Tumblr
  • Twitter
  • Yahoo
  • Salesforce

Higher Trust Identity Services

  • Manager Identification
  • Specops Authenticator
  • Google Authenticator
  • Microsoft Authenticator
  • Specops Fingerprint Authenticator
  • Mobile Verification Code (SMS)
  • Mobile Verification Code (Email)
  • Duo Security
  • Symantec VIP
  • Mobile BankID (Sweden)
  • SITHS Smart Cards (Sweden)

Enroll

Users are required to enroll with the uReset service before they can use it. The enrollment process varies with the type of identity service. To enroll with a personal identity service such as Google, the user follows the link from the Specops uReset web application to the Google login page and logs in with the email address and password of their Google account. When a user affected by a uReset policy that uses Google enrolls in the service, a unique identifier for that Google identity is stored on the user object in Active Directory.

Policy

A policy contains the rules for enrollment and multi-factor authentication: which identity services may be used, and how many of them must be used to verify the identity of a user. The system owner is responsible for configuring the rules in the policies.

Architecture and Design


Specops uReset consists of the components below. The uReset Server, uReset Web, and Security Token Service are hosted in the cloud and need no resources in your environment; you install only the Administration Tools, the Gatekeeper, and the Authentication Client.

uReset Cloud: The global cloud component of Specops uReset. It contains the web front end for end users and the backend services. The backend services communicate with external identity services such as Google, Facebook and Symantec VIP. Mobile Verification Code, Questions and Answers, and Mobile BankID are also hosted here. To read user information and perform password resets, the uReset Server communicates with the Gatekeeper installed in your domain.

Gatekeeper: The Gatekeeper is the on-premises server component and must be installed on a server in your domain. The Gatekeeper reads user information from Active Directory and performs all operations against Active Directory: changing and resetting passwords, unlocking accounts, and reading and writing enrollment data. Before you can use the Gatekeeper service you need to configure the Gatekeeper.

Once you have configured the Gatekeeper service, it connects to the Specops uReset Server. The Gatekeeper authenticates itself to the server with a self-signed client certificate, the one registered during setup, so the server can confirm that it is talking to the same Gatekeeper that was registered and not merely to something with the same name. In the other direction, the Gatekeeper validates the certificate that the server presents when it connects. Only the Gatekeeper holds the private key of its client certificate, so only it can prove that identity to the uReset Server; because the Gatekeeper can reset passwords and unlock accounts, that key and the host it lives on deserve the same protection as any other domain-privileged service.
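The following Go program is an added example, not Specops code, that models the mutual authentication described above with only the standard library: each side mints a self-signed certificate, the server records the SHA-256 fingerprint of the Gatekeeper's certificate at "registration", the Gatekeeper records the server's, and each side rejects any other certificate, including a fresh one carrying the same name. The hostnames, the pin-by-fingerprint approach and the in-memory transport are assumptions; the page does not describe how the real components store or compare their certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var ErrUnexpectedPeer = errors.New("peer certificate is not the one registered at setup")

// selfSigned mints a throw-away self-signed certificate, an assumed stand-in for
// the certificates the Gatekeeper and the uReset Server create during setup.
func selfSigned(name string, usage x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// pinnedConfig builds one side of the connection. No CA is involved: the server
// demands a client certificate, the Gatekeeper skips the CA/hostname check that a
// self-signed server certificate could never pass, and both accept only the exact
// certificate (by SHA-256 fingerprint) recorded for the peer at setup.
func pinnedConfig(cert tls.Certificate, peerFP [32]byte, isServer bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	cfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 || sha256.Sum256(rawCerts[0]) != peerFP {
			return ErrUnexpectedPeer
		}
		return nil
	}
	if isServer {
		cfg.ClientAuth = tls.RequireAnyClientCert
		cfg.SessionTicketsDisabled = true // no post-handshake write to stall the in-memory pipe
	} else {
		cfg.InsecureSkipVerify = true // skips only the CA/hostname check; the pin above still runs
	}
	return cfg
}

// handshake runs one TLS handshake over an in-memory pipe and returns the server-side,
// then the client-side error; the deadlines turn a rejection into an error, not a hang.
func handshake(server, client *tls.Config) [2]error {
	p1, p2 := net.Pipe()
	_, _ = p1.SetDeadline(time.Now().Add(2*time.Second)), p2.SetDeadline(time.Now().Add(2*time.Second))
	done := make(chan error, 1)
	go func() {
		err := tls.Server(p1, server).Handshake()
		p1.Close()
		done <- err
	}()
	clientErr := tls.Client(p2, client).Handshake()
	p2.Close()
	return [2]error{<-done, clientErr}
}

// RunScenarios: the registered Gatekeeper, an impostor Gatekeeper with a fresh
// self-signed certificate, and a rogue server using the real server's name.
func RunScenarios() map[string][2]error {
	server := selfSigned("ureset.example", x509.ExtKeyUsageServerAuth) // constructed names
	rogue := selfSigned("ureset.example", x509.ExtKeyUsageServerAuth)
	gk := selfSigned("gatekeeper", x509.ExtKeyUsageClientAuth)
	impostor := selfSigned("gatekeeper", x509.ExtKeyUsageClientAuth)
	serverFP, gkFP := sha256.Sum256(server.Certificate[0]), sha256.Sum256(gk.Certificate[0])
	return map[string][2]error{
		"registered gatekeeper": handshake(pinnedConfig(server, gkFP, true), pinnedConfig(gk, serverFP, false)),
		"impostor gatekeeper":   handshake(pinnedConfig(server, gkFP, true), pinnedConfig(impostor, serverFP, false)),
		"rogue server":          handshake(pinnedConfig(rogue, gkFP, true), pinnedConfig(gk, serverFP, false)),
	}
}

func main() {
	for name, r := range RunScenarios() {
		fmt.Printf("%-22s server: %v | gatekeeper: %v\n", name, r[0], r[1])
	}
}
```

Only the registered pair completes without error: the server refuses the impostor even though its certificate carries the same name, and the Gatekeeper refuses the rogue server for the same reason. The Gatekeeper side sets InsecureSkipVerify because Go's CA and hostname checks cannot succeed against a self-signed peer; the pin in VerifyPeerCertificate is the real check, and it is exact-certificate, so in this model a renewed certificate on either side means registering again.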

uReset Administration Tool: Configures the Gatekeeper and enables the creation of Specops uReset settings in Group Policy Objects. If you are not using the Specops uReset Cloud Service, the administration tool will also contain installation information for all uReset components and help you configure the database connection.

Authentication Client (formerly known as uReset Client): Presents a link to the Specops uReset Web application on the Windows logon screen, and presents end-user notifications about enrollment requirements.

External Identity Services: Some of the identity services used during authentication, such as Facebook or Google, are external. When an external identity service is used, the user is redirected to the login page of that identity service, and the login is carried out with the standard OpenID Connect and OAuth 2.0 protocols. If the login is accepted, a token asserting the user's identity at that provider is returned to the uReset Cloud.
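An added example, not Specops code, of the relying-party side of that exchange in Go with only the standard library. It verifies the returned ID token's RS256 signature, checks issuer, audience, nonce and expiry, and then binds the token to the Active Directory user through the provider's stable subject identifier, which is the kind of unique identifier the Enroll section says is stored on the user object at enrollment. The claim names are OpenID Connect's; the issuer, subject and client ID values, the parameter layout of Bind, and the in-process key that stands in for the provider's published signing key are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OpenID Connect ID-token claims checked here (aud in
// its string form only; some providers send an array).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

// ParseAndVerify checks a compact JWT's RS256 signature with the provider's public
// key (fetched from its JWKS by kid in practice) and returns the claims. alg is pinned
// to RS256 first, so "alg":"none" and HMAC key-confusion tokens fail before the payload is read.
func ParseAndVerify(token string, key *rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// Bind decides whether a verified token proves the AD user whose enrollment stored
// enrolledIssuer and enrolledSub (an assumed layout of the unique identifier kept on
// the user object). It matches on the stable sub, never on email, which can change hands.
func Bind(c *Claims, enrolledIssuer, enrolledSub, clientID, nonce string, now time.Time) error {
	switch {
	case c.Iss != enrolledIssuer:
		return errors.New("issuer mismatch")
	case c.Aud != clientID:
		return errors.New("token was not issued to this relying party")
	case c.Nonce != nonce:
		return errors.New("nonce mismatch: token is not from this login attempt")
	case now.Unix() >= c.Exp:
		return errors.New("token expired")
	case c.Sub != enrolledSub:
		return errors.New("subject does not match the enrolled identity")
	}
	return nil
}

// NewProviderKey and Mint play the identity provider so the example runs
// offline; a relying party never signs ID tokens itself.
func NewProviderKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // key generation does not fail at this size
	return key
}

func Mint(c Claims, key *rsa.PrivateKey) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // cannot fail with a valid key
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	key, now := NewProviderKey(), time.Now()
	tok := Mint(Claims{Iss: "https://accounts.example", Sub: "110169484474386276334", Aud: "ureset-client-id", Exp: now.Unix() + 600, Nonce: "n-1"}, key)
	c, err := ParseAndVerify(tok, &key.PublicKey) // constructed issuer, subject and client ID
	fmt.Println("verify:", err, "bind:", err == nil && Bind(c, "https://accounts.example", "110169484474386276334", "ureset-client-id", "n-1", now) == nil)
}
```

The point is the last check in Bind: an email claim can be changed at the provider or handed to another person, so matching a reset attempt to the AD account on anything but the identifier captured at enrollment would let whoever controls that address today reset the password. In a deployment the public key comes from the provider's JWKS endpoint, selected by the token's kid header, and aud may be an array; both are left out here.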

Standards


Specops uReset uses industry standard protocols. .NET 4.5 and later provides the WS-Trust and WS-Federation functionality. WS-* is a family of specifications, published through OASIS, that describe among other things how to implement secure web services and secure communication over the Internet. WS-Trust introduces the concept of a Security Token Service (STS) and defines the messages used to request, issue, and renew security tokens; WS-Federation builds on WS-Trust to define how identities, attributes and authentication are shared across security realms.

The solution is delivered as a hosted, multi-tenant cloud service running on Microsoft Azure. For Azure's SLA, security design and compliance documentation, see:

https://azure.microsoft.com/en-us/support/legal/sla/

https://azure.microsoft.com/en-us/support/trust-center/security/design-and-operational-security/

https://azure.microsoft.com/en-us/support/trust-center/security/

https://azure.microsoft.com/en-us/support/trust-center/compliance/

Features and Capabilities


Console support features

Reporting

The Specops uReset Reporting feature allows you to track your enrollment process and provides several reports on enrollments, events, and identity service utilization.

Customizations

The Specops uReset web application contains several customization features which give you control over the Specops uReset end user interface. You can customize the graphical elements of the Specops uReset web application including main header text, main logo, favicon, and main style (allowing you to set your own styles by using a custom bootstrap CSS). You can also customize the text displayed to the end user, for all supported languages.

Helpdesk

The Helpdesk feature can be used to verify the identity of users, using any of their enrolled identity services or by sending a text message containing a code to the user's mobile phone. Once a user has been verified, the helpdesk can set a new password and require the user to change it at next logon. The Helpdesk page also displays user statistics and information, including the star requirements for enrollment and reset, and the weight assigned to each identity service in the policy.

Event Notifications

Specops uReset contains several notification options to remind users to enroll and to encourage self-service. The notification method is controlled through GPO settings. Specops uReset supports email and SMS notifications when certain system events occur, such as a user enrolling with the system, and can email end users to confirm that an operation they performed was successful.

Weighted Identity Services

Specops uReset allows the administrator to assign a specific weight to each identity service, so that, for example, one identity service counts twice as much as another during authentication. In both the end-user and the administrator user interfaces, the weights are represented by stars.
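An added example, not Specops code, of how a weighted policy of this kind can be evaluated, in Go. It models the star weights and the reset threshold described above, and the role-based policies from the Multi-factor authentication section: the same three verified services satisfy a permissive student policy but not a strict executive policy, which does not enable social logins at all. The policy fields, service names and star values are constructed assumptions; the page does not document the real policy format.

```go
package main

import (
	"fmt"
	"sort"
)

// IdentityService names one authenticator a user can enroll with.
type IdentityService string

// Policy is an assumed model of a uReset policy: the identity services the
// administrator enabled, the star weight of each, and how many stars a user
// must present to reset or unlock. Names and numbers are constructed.
type Policy struct {
	Name       string
	Weights    map[IdentityService]int // stars per enabled service
	ResetStars int                     // stars required to reset or unlock
}

// Stars totals the weight of the services in verified that the policy enables,
// counting each service once, and returns the ones it ignored so a refused
// reset can be explained in the helpdesk view or the audit log.
func (p Policy) Stars(verified []IdentityService) (total int, ignored []IdentityService) {
	seen := map[IdentityService]bool{}
	for _, s := range verified {
		if seen[s] {
			continue // verifying the same service twice earns nothing extra
		}
		seen[s] = true
		if w := p.Weights[s]; w > 0 {
			total += w
		} else {
			ignored = append(ignored, s)
		}
	}
	return total, ignored
}

// CanReset reports whether the verified services meet the policy threshold.
func (p Policy) CanReset(verified []IdentityService) bool {
	total, _ := p.Stars(verified)
	return total >= p.ResetStars
}

// Ranked lists the enabled services strongest first, as an admin or helpdesk
// page that shows the star weights would.
func (p Policy) Ranked() []IdentityService {
	out := make([]IdentityService, 0, len(p.Weights))
	for s, w := range p.Weights {
		if w > 0 {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if p.Weights[out[i]] != p.Weights[out[j]] {
			return p.Weights[out[i]] > p.Weights[out[j]]
		}
		return out[i] < out[j]
	})
	return out
}

// Two constructed policies in the spirit of the text: a permissive one for
// students and a strict one for executives. The executive policy does not
// enable the social services at all, so they earn zero stars there.
var (
	StudentPolicy = Policy{
		Name:       "Students",
		Weights:    map[IdentityService]int{"Google": 1, "Facebook": 1, "Security Questions": 1, "SMS": 1},
		ResetStars: 2,
	}
	ExecutivePolicy = Policy{
		Name:       "Executives",
		Weights:    map[IdentityService]int{"SITHS Smart Card": 3, "Duo Security": 2, "Manager Identification": 2, "SMS": 1},
		ResetStars: 4,
	}
)

func main() {
	attempt := []IdentityService{"Google", "Facebook", "SMS"}
	for _, p := range []Policy{StudentPolicy, ExecutivePolicy} {
		total, ignored := p.Stars(attempt)
		fmt.Printf("%s needs %d stars, ranked %v\n", p.Name, p.ResetStars, p.Ranked())
		fmt.Printf("  %v -> %d stars, ignored %v, reset allowed: %t\n", attempt, total, ignored, p.CanReset(attempt))
	}
}
```

Two details matter in practice and are easy to get wrong: a service must be counted once per attempt no matter how often it is verified, and a service the policy does not enable must contribute nothing rather than some default weight, otherwise a social login quietly becomes a way into the stricter policy.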

Multifactor Authentication for Administrators and Helpdesk users

Users who are members of the Administrators or Helpdesk group can use multi-factor authentication to verify their identity when accessing the Administrator / Helpdesk pages of the uReset web application.

Mobile Applications

Specops Authenticator

The Specops Authenticator app is a high-trust identity service that turns the mobile device into a token device. The app generates one-time codes that users must provide, in addition to their username, when verifying their identity during a password reset. The codes are Time-based One-Time Passwords (TOTP, RFC 6238), derived from a secret shared with the service and the current time, so Specops Authenticator is interchangeable with Google Authenticator and Microsoft Authenticator.
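As an added example, not the Specops Authenticator implementation, the following Go program implements the RFC 4226/6238 algorithm those apps share, plus the server-side verifier with a one-step clock-skew window that refuses to accept a counter twice. The secret is the RFC 6238 test-vector secret, and the 30-second step and six digits are the defaults Google and Microsoft Authenticator use; the page does not state Specops' exact parameters, so those are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// RFC 6238 defaults, which Google and Microsoft Authenticator also use. The page
// does not state Specops Authenticator's exact parameters; these are assumed.
const (
	stepSeconds = 30
	codeDigits  = 6
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation, then the low digits of the result in decimal.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the number of whole steps since the Unix epoch.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/stepSeconds), digits)
}

// Verifier checks submitted codes within a small clock-skew window and never
// accepts a counter at or below the last one consumed, so a code that was
// phished or read over the user's shoulder cannot be replayed inside its 30 s.
type Verifier struct {
	secret      []byte
	skew        int64  // steps accepted on either side of the current one
	lastCounter uint64 // highest counter already consumed
	used        bool   // whether lastCounter holds a value
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, skew: skew}
}

// Verify reports whether code matches an unconsumed counter in the window.
// The comparison is constant-time so response timing does not leak matching digits.
func (v *Verifier) Verify(code string, now time.Time) bool {
	code = strings.TrimSpace(code)
	if _, err := strconv.Atoi(code); err != nil || len(code) != codeDigits {
		return false
	}
	center := now.Unix() / stepSeconds
	for d := -v.skew; d <= v.skew; d++ {
		if center+d < 0 {
			continue
		}
		c := uint64(center + d)
		if v.used && c <= v.lastCounter {
			continue
		}
		if hmac.Equal([]byte(hotp(v.secret, c, codeDigits)), []byte(code)) {
			v.lastCounter, v.used = c, true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test secret, not a real enrollment
	v := NewVerifier(secret, 1)
	now := time.Unix(59, 0)
	code := totp(secret, now.Unix(), codeDigits)
	fmt.Println(code, v.Verify(code, now), v.Verify(code, now)) // the second presentation is a replay
}
```

The replay check is the part a reset service must not skip: a TOTP code is valid for the whole step on every relying party that shares the secret, so the verifier has to remember the last counter it accepted per user. Interoperability with the other authenticator apps follows from the shared algorithm; any app provisioned with the same secret and parameters produces the same codes.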

Specops Password Reset

Specops uReset includes a mobile application, available in the Windows Store, Google Play and the App Store, that can be used as a secure alternative for resetting passwords and unlocking accounts. The mobile app is available to any organization that permits users to reset their password remotely.

Specops Fingerprint Authenticator

The Specops Fingerprint Authenticator app lets you authenticate to the Specops uReset password reset service with the Touch ID fingerprint recognition built into iOS devices, or with the fingerprint API built into Android 6.0 or newer.