Centralized Self-service Password Reset: From the Web and Windows Desktop

Self-service Password Reset Layer v.3.2-007

PistolStar, Inc. dba PortalGuard
PO Box 1226
Amherst, NH 03031 USA
Phone: 603.547.1200
Fax: 617.674.2727
E-mail: [email protected]
Website: www.portalguard.com

© 2012, PistolStar, Inc. dba PortalGuard. All Rights Reserved.

Tech Brief — Centralized Self-service Password Reset

PortalGuard Centralized Self-service Password Reset: From the Web and Windows Desktop

Table of Contents
  Summary
  The Basics
  PortalGuard Centralized Self-service Password Reset
  Features
  Benefits
  How it Works
    Enrollment
    Self-service Password Reset
  Configuration
  Deployment
  IIS Install
  System Requirements
  Supporting Videos
  Platform Layers

Summary

For companies of all sizes, the task of supporting users can prove to be taxing on the IT staff, especially the Help Desk and Administrators. Most studies show the cost of password resets can range from $25 to $75 per incident and make up around 30 percent or more of Help Desk calls. This provides ample reason and demand for password reset and recovery tools which empower the user. By allowing users to self-service their own account and password management needs, organizations can effectively offer 24/7 access and maintain productivity.

Shopping for a tool such as this can be challenging, so the first step is to understand your requirements by documenting your user access scenarios. For example, how will roaming users change their password remotely? How will a forgotten password be recovered on a laptop with an encrypted hard drive? Along with these requirements, determining your budget and current Help Desk costs without a solution in place will allow you to forecast your ROI and further narrow down the vendor selection.

Another point to consider is the evolution of self-service password reset and whether the vendors you are evaluating are keeping pace. Many tools you’ll find are not compliant with most companies’ current security standards. The problem of forgotten passwords has been around since passwords were first used, but expanding access scenarios and advanced attacks are requiring more advanced solutions. For example, entry point solutions are now expected to go beyond simple password resets to accept multiple scenarios which may include disconnected users, auditing and leveraging devices such as mobile phones. Of course, the true success of a self-service password management solution will be measured by the users’ satisfaction and an overall reduction in the frequency of their calls to the Help Desk for support.
The Basics

Self-service password reset is the process a user initiates to prove their identity with the end goal of resetting their password. Self-service password recovery is similar, but the end goal is obtaining the current password value without changing it.

The user can be authenticated using various methods. Most tools use challenge question and answer as an acceptable means of authenticating the user. However, associated security threats, including easily guessed answers or information readily available on the user’s Facebook page, raise valid concerns. A secure solution puts additional precautions in place: for example, not allowing the same answer for each question, requiring a minimum answer length, and requiring a larger subset of questions (e.g. 3 out of 6) to be answered. For increased security, two-factor authentication can be added to the password reset and/or recovery to ensure only an authorized user is setting the password.

PortalGuard Centralized Self-service Password Reset

PortalGuard’s self-service password reset is flexible and offers a complete solution which has evolved with industry demands. By providing the exact same interface for both Windows Desktop and Web-based self-service, the user’s learning curve is minimized and overall user adoption is increased.

The available self-service actions that PortalGuard offers are password reset, password recovery, and account unlock. These actions can also be performed from mobile devices such as iPads and smartphones. PortalGuard integrates seamlessly with Microsoft Active Directory, Novell eDirectory, any LDAP-compliant directory and custom SQL user repositories. PortalGuard also supports users who are offline or disconnected from the network, allowing them to perform a password recovery.
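The precautions listed under The Basics (a minimum answer length, no repeated answers, no words lifted from the question text, answering k of n questions), together with the hashed central storage and lock-out threshold described for the online case, worked through as an added example. This is illustrative code written for this brief, not PortalGuard’s implementation: every name in it is this example’s own, the policy values, question text and answers are constructed sample data, the rule that ignores question words shorter than three characters is this example’s choice, and salted PBKDF2-HMAC-SHA256 stands in for whatever hash the product uses.

```python
"""Challenge-answer enrollment policy, hashed central storage, k-of-n verification.

Added example (not PortalGuard code). Sample questions/answers are constructed;
salted PBKDF2-HMAC-SHA256 is this example's choice of "cryptographic hash".
"""
import hashlib, hmac, os, re
from dataclasses import dataclass

# Constructed sample enrollment data (assumption: six questions, three required).
SAMPLE_QA = [
    ("What was the name of your first pet?", "Biscuit"),
    ("In what city were you born?", "Nashua"),
    ("What was your first car?", "Corolla"),
    ("What is your mother's maiden name?", "Harper"),
    ("What was the name of your elementary school?", "Wilkins"),
    ("What is your favorite book?", "Dune"),
]


@dataclass
class AnswerPolicy:
    min_length: int = 4
    case_sensitive: bool = False
    forbid_repeats: bool = True
    forbid_question_words: bool = True
    required_answers: int = 3        # k: correct answers needed at reset time
    lockout_limit: int = 3           # failed attempts before the account locks


def normalize(answer: str, policy: AnswerPolicy) -> str:
    a = " ".join(answer.split())     # collapse stray whitespace
    return a if policy.case_sensitive else a.lower()


def _words(text: str):
    # tokens of 3+ characters; ignoring shorter ones ("a", "of") is this example's choice
    return {w for w in re.findall(r"[a-z0-9']+", text.lower()) if len(w) >= 3}


def validate_enrollment(qa_pairs, policy: AnswerPolicy):
    """Return the list of policy violations; an empty list means the set is acceptable."""
    problems, seen = [], set()
    if len(qa_pairs) < policy.required_answers:
        problems.append(f"need at least {policy.required_answers} answered questions")
    for question, answer in qa_pairs:
        norm = normalize(answer, policy)
        if len(norm) < policy.min_length:
            problems.append(f"{question!r}: answer shorter than {policy.min_length}")
        if policy.forbid_repeats and norm in seen:
            problems.append(f"{question!r}: answer repeats an earlier answer")
        seen.add(norm)
        if policy.forbid_question_words:
            overlap = _words(question) & _words(norm)
            if overlap:
                problems.append(f"{question!r}: answer reuses question words {sorted(overlap)}")
    return problems


def _digest(norm_answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", norm_answer.encode(), salt, 100_000)


def enroll(qa_pairs, policy: AnswerPolicy):
    """Validate, then return records safe to store on the central server (no clear-text answers)."""
    problems = validate_enrollment(qa_pairs, policy)
    if problems:
        raise ValueError("; ".join(problems))
    records = []
    for question, answer in qa_pairs:
        salt = os.urandom(16)
        records.append({"question": question, "salt": salt,
                        "hash": _digest(normalize(answer, policy), salt)})
    return records


class ResetVerifier:
    """Server-side check behind reset, recovery and unlock; tracks the lockout counter."""

    def __init__(self, records, policy: AnswerPolicy):
        self.records, self.policy, self.failures = records, policy, 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.policy.lockout_limit

    def verify(self, answers: dict) -> bool:
        """True when at least policy.required_answers of the supplied answers match."""
        if self.locked:
            return False                 # Help Desk or admin unlock required
        correct = 0
        for rec in self.records:
            given = answers.get(rec["question"])
            if given is None:
                continue
            if hmac.compare_digest(_digest(normalize(given, self.policy), rec["salt"]), rec["hash"]):
                correct += 1
        if correct >= self.policy.required_answers:
            self.failures = 0
            return True
        self.failures += 1
        return False
```

Enrollment is refused as a whole when any rule fails, so the user is told every problem at once rather than one per round trip; the stored records hold only a per-answer salt and digest, which is what lets a roaming user verify from any machine without the server ever holding the answer itself. The verifier counts a reset attempt as a single failure regardless of how many individual answers were wrong, and once the lockout limit is reached it refuses even correct answers until an out-of-band unlock resets the counter.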
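The disconnected recovery scheme that the next paragraph describes (the password split into shares, each share encrypted under one challenge answer, the whole bundle encrypted again under a separate local key, and the bundle deleted once the user strikes out), as an added example that is not PortalGuard’s code. All names are this example’s own, the sample questions and answers are constructed, and two substitutions are assumed: the shares are Shamir shares over a prime field, since the brief only says “mathematically-represented”, and the product’s AES-256 is replaced by an HMAC-SHA256 counter keystream with an HMAC tag so the example runs on the Python standard library alone. The local key is simply returned to the caller; a real client would protect it through the operating system.

```python
"""Offline (disconnected) password recovery with threshold secret sharing.

Added example, not PortalGuard code. Stand-ins: Shamir k-of-n shares over a
prime field for the brief's "mathematically-represented shares", and an
HMAC-SHA256 counter keystream plus HMAC tag in place of AES-256 (stdlib only).
"""
import hashlib, hmac, json, os, secrets

P = (1 << 521) - 1     # Mersenne prime; shares are field elements (password up to 64 bytes)
SHARE_BYTES = 66       # 521 bits rounded up to whole bytes

# Constructed sample enrollment data (assumption: four questions, three required).
SAMPLE_QA = [("What was the name of your first pet?", "Biscuit"), ("In what city were you born?", "Nashua"),
             ("What was your first car?", "Corolla"), ("What is your mother's maiden name?", "Harper")]


def _poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):       # Horner's rule; coeffs[0] is the secret
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Shamir k-of-n: any k of the n returned (x, y) points recover the secret."""
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or s >= P:
        raise ValueError("bad threshold or secret too long")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(points, length: int) -> bytes:
    """Lagrange interpolation at x = 0 over GF(P)."""
    s = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * xm % P
                den = den * (xm - xj) % P
        s = (s + yj * num * pow(den, P - 2, P)) % P
    return s.to_bytes(length, "big")


def _answer_keys(answer: str, salt: bytes):
    """Encryption and MAC keys derived from one (case-folded) challenge answer."""
    norm = " ".join(answer.lower().split())
    km = hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(ek: bytes, mk: bytes, data: bytes) -> bytes:
    ct = _xor_stream(ek, data)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()


def unseal(ek: bytes, mk: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        return None                  # wrong key (i.e. wrong answer) or tampering
    return _xor_stream(ek, ct)


def enroll_offline(password: str, qa_pairs, k: int):
    """Build the bundle stored on the user's machine; returns (bundle, local_key)."""
    pw = password.encode()
    entries = []
    for (question, answer), (x, y) in zip(qa_pairs, split_secret(pw, k, len(qa_pairs))):
        salt = os.urandom(16)
        payload = x.to_bytes(2, "big") + y.to_bytes(SHARE_BYTES, "big")
        entries.append({"q": question, "salt": salt.hex(),
                        "share": seal(*_answer_keys(answer, salt), payload).hex()})
    inner = json.dumps({"k": k, "len": len(pw), "entries": entries}).encode()
    local_key = os.urandom(64)       # assumption: a real client would protect this via the OS
    return seal(local_key[:32], local_key[32:], inner), local_key


class OfflineVault:
    """The bundle on the disconnected machine, with the strike-out rule."""

    def __init__(self, bundle: bytes, local_key: bytes, max_failures: int = 3):
        self.bundle, self.local_key, self.max_failures, self.failures = bundle, local_key, max_failures, 0

    def recover(self, answers: dict):
        """Return the clear-text password, or None; wipe the bundle after max_failures."""
        if self.bundle is None:
            return None                  # already wiped: user must reconnect to recover
        meta = json.loads(unseal(self.local_key[:32], self.local_key[32:], self.bundle))
        points = []
        for e in meta["entries"]:
            given = answers.get(e["q"])
            if given is None:
                continue
            payload = unseal(*_answer_keys(given, bytes.fromhex(e["salt"])), bytes.fromhex(e["share"]))
            if payload is not None:      # only a correct answer decrypts its share
                points.append((int.from_bytes(payload[:2], "big"), int.from_bytes(payload[2:], "big")))
        if len(points) >= meta["k"]:
            self.failures = 0
            return recover_secret(points[:meta["k"]], meta["len"]).decode()
        self.failures += 1
        if self.failures >= self.max_failures:
            self.bundle = None           # strike-out: delete the local recovery information
        return None
```

Because each share carries an authentication tag under a key derived from its own answer, a wrong answer yields no share at all rather than a corrupt one, and the threshold check in recover is what enforces “correctly answering a certain number of challenge questions”. Fewer than k correct answers leaves the polynomial underdetermined, so the stored bundle reveals nothing about the password on its own; an attacker holding the machine must still guess the answers, and the strike-out rule bounds how many guesses the local copy will tolerate.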
In the disconnected case, the password is divided into mathematically-represented “shares”, with each share being AES-256 encrypted by a separate challenge answer. All shares are then bulk encrypted with AES-256 using a separate key and stored locally on the user’s machine. When the user attempts to recover their password, they will be asked to prove their identity by correctly answering a certain number of challenge questions. Once decrypted, the user is shown the password in clear text, allowing them to continue working. For security purposes, if a disconnected user strikes out while attempting to authenticate, the encrypted recovery information is deleted from the local machine, so the user will be forced to reconnect to the network to perform the recovery.

To authenticate the user during an online self-service action, PortalGuard leverages challenge questions and answers and/or two-factor authentication via a one-time password sent to a mobile phone or email address. Challenge answers are cryptographically hashed and stored on a central server to support roaming users and prevent the need to re-enroll on multiple machines. By providing auditing and reporting around user access, an Admin App for the mobile phone, and user verbal authentication through a Help Desk console, PortalGuard is a comprehensive self-service password reset solution.

Features

General:
- Provides password reset, recovery and account unlock
- Disconnected user support - including a lock-out threshold for increased security
- Forced user enrollment (optional)
- Integrates with Active Directory, Novell eDirectory, any LDAP-compliant directories and custom SQL user repositories
- Encrypted hard drive support - perform a password recovery through PortalGuard on an alternate or mobile device (e.g. Symantec Endpoint Encryption)
- Supports multiple authentication methods - challenge questions and answers, and two-factor authentication delivered via SMS or Email
- Email notifications of password resets to the user and/or admin
- Lock-out thresholds for incorrect responses to authentication attempts
- Includes support for mobile browsers

Challenge Questions & Answers:
- Centralized - challenge information stored on server
- Configurable number of mandatory/optional questions
- Allows import/pre-population of challenge answers
- Prevents repeat answers for multiple challenge questions
- Prevents answers from containing words from the question text
- Answers can be case sensitive
- Configurable minimum length for challenge answers

Administrative:
- Help Desk Console - provides an interface for Help Desk staff to easily perform account actions
- Verbal Authentication - allows Help Desk staff to authenticate a user calling in
- Administrator Dashboard - logging and reporting of user access activity

Windows Desktop Support (shown below):
- Supports Windows XP, Vista, Windows 7, Microsoft Terminal Services and Remote Desktop Services
- Self-service directly from the Ctrl+Alt+Del/Windows Logon screen - removes the need to go to an alternate machine/kiosk or to log in with a guest account maintained on each machine

[Screenshot: Windows 7 Desktop Support]
[Screenshot: Windows XP Desktop Support]

Benefits
- Increased Usability - users are now empowered to self-service their own needs and maintain productivity
- Increased Security - provides two-factor authentication
- Centralized Solution - same user interface for both the web and Windows desktop
- No Kiosks - perform all self-service actions directly from the user’s machine
- Reduced Costs - alleviate password-related Help Desk calls and demands on IT staff
- Configurable - to the user, group or application levels
- Seamless Integration - use “sidecar” mode to retrofit existing
application login screens with the PortalGuard functionality, maintaining the current look and feel you have today

How It Works

The following steps show enrollment and the process of resetting a password using PortalGuard’s self-service functionality. The screenshots provided show the process being completed from a web browser. A user can also complete the process from the Windows desktop using the same steps and an identical interface.

Enrollment

Once self-service password reset is made available, the user will be prompted to enroll their challenge questions and answers. PortalGuard provides flexibility around this process by allowing you to configure whether enrollment will be forced or can be postponed “x” number of times by the user. This increases usability for users, giving them options around a process some may find obstructive.

NOTE: If other authentication methods are enforced, such as two-factor authentication, then those enrollment actions will also be displayed, as configured by the admin.

Enrollment Process

NOTE: The screenshots below illustrate the use of PortalGuard’s “sidecar” functionality. It allows rapid integration of PortalGuard’s self-service features into existing websites or user processes.

Step 1: The user attempts to log in to a company’s existing portal as usual.

Step 2: In this case, the user has not yet enrolled their challenge information, so PortalGuard automatically displays the enrollment screen in “sidecar” mode. This dialog shows that the administrator has configured the PortalGuard policy to allow the option of skipping enrollment temporarily. Doing so will close the PortalGuard dialog and continue the original login process. The user can enroll now by clicking “Continue”.

Step 3: The user is prompted to provide answers to the challenge questions. The number of both mandatory and optional questions the user is required to answer is configurable. PortalGuard also increases security by helping the user follow best practices when supplying answers, such as not repeating answers or avoiding words which are included in the question text. Throughout the enrollment process the user is provided with helpful warning notices, such as the number of answers remaining, to ease the frustration some may feel during this process.

Step 4: The process is complete and the user is now enrolled. Clicking the link shown will close the PortalGuard dialog and continue the original login process.

Self-service Password Reset Process

Step 1: The user attempts to log in to a company’s existing portal but has forgotten their password. The user then clicks the “Forgot your password?” link.

Step 2: The user selects from “Recovery Actions Available” which self-service action they would like to perform. The user selects the “Reset Forgotten Password” radio button and clicks “Continue”.

NOTE: The dialog shows the most common actions, account unlock and password reset, but password recovery is also available.

Step 3: The user is then prompted to provide their enrolled answers to the enrolled challenge questions. PortalGuard provides users with helpful warning messages throughout this process. Once the user has supplied the required number of answers, they click “Continue”.

Step 4: The user’s identity has been verified and they are able to set a new password. Added usability and security features such as the “Show Password” checkbox and virtual keyboard can be easily enabled or disabled.

Configuration

NOTE: All the following settings are policy specific, so you can have different values for different users/groups/hierarchies.

Configurable through the PortalGuard Configuration Utility:

Main
- Self-service options available to users
- Authentication types available for each self-service action

Authentication Types

Challenge Questions and Answers
- Enrollment - optional, required, disabled
- Recovery lockout limit
- Answer complexity, including minimum length, case sensitivity, prevent answer repetition and prevent question words as answers
- Number of optional questions
- Number of mandatory questions

Mobile Phone
- Enrollment - optional, required, disabled
- Phone number format
- Delivery format

Email
- Enrollment - optional, required, disabled
- Domain blacklist
- Email display
- Email format, including From, Subject and Body fields

Notifications
- Type of self-service, including account unlock, password reset and recovery

Deployment

Implementation of the PortalGuard platform is seamless and requires no changes to the Active Directory/LDAP schema. A server-side software installation is required on at least one IIS server on the network. Additional client-side software is required for performing self-service from the Windows logon screen.

IIS Installation

An MSI is used to install PortalGuard on IIS 6 or 7.x. If installing PortalGuard on IIS 7.x/Windows Server 2008, make sure to have installed the following role services prior to launching the MSI:
1. All the Web Server Management Tools role services
2. All the Application Development role services
3. All IIS 6 Management Compatibility role services

The MSI is a wizard-based install which will quickly guide you through the installation.

System Requirements

This version of PortalGuard supports direct access and authentication to cloud/web-based applications only. PortalGuard can be installed directly on the following web servers:
- IBM WebSphere/WebSphere Portal v5.1 or higher
- Microsoft IIS 6.0 or higher
- Microsoft Windows SharePoint Services 3.0 or higher
- Microsoft Office SharePoint Server 2007 or later

The PortalGuard Web server also has the following requirements on Windows operating systems:
- .NET 2.0 framework or later must be installed
- (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)

PortalGuard is fully supported for installation on virtual machines. Furthermore, PortalGuard can currently be installed on the following platforms:
- Microsoft Windows Server 2000
- Microsoft Windows Server 2003 (32 or 64-bit)
- Microsoft Windows Server 2008 (32 or 64-bit)
- Microsoft Windows Server 2008 R2

NOTE: When run in "Sidecar" mode, PortalGuard can provide its functionality on any web server that uses an HTML login page. If you have a platform not listed here, please contact us at [email protected] to see if we have recently added support for your platform.

Supporting Videos

Please view the following videos to watch a demo of PortalGuard’s self-service offerings:
- Self-service Password Reset, Recovery & Account Unlock (Browser-based)
- Self-service Password Reset, Recovery & Account Unlock (Windows 7 Desktop)
- Disconnected Password Recovery
- Help Desk Console

Platform Layers

Beyond self-service password reset, PortalGuard is a flexible authentication platform with multiple layers of available functionality to help you achieve your authentication goals:
- Contextual Authentication
- Tokenless Two-factor Authentication
- Real-time Reports / Alerts
- Knowledge-based Password Management
- Single Sign-on