What happens when your shared secret is changed and you cannot be told before your secret, shadowy rendezvous is set to take place? There was a time when you would simply be turned away for not having the updated information, and there was very little you could do about it.
With the implementation of Active Directory as a central user repository comes the ability to enable various methods of Self-service Password Reset (SSPR), letting users adjust or replace their secret on an as-needed basis.
Even when users need only recall a single, strong password, it is still likely that the password will be forgotten on occasion. In these instances, system lockouts and related difficulties can tie up a helpdesk, keep staff from other important tasks, or worse, introduce additional security concerns into the environment.
The most common work-around to a system lockout is for an end user either to call the helpdesk or to log into a guest account on a different machine. Not only do both options impede productivity, but the latter also disrupts an additional workstation and can introduce a publicly accessible weak point into the environment.
Fortunately, Active Directory integration answers these concerns and more by giving the end user the ability to reset their own password without going out of their way. With proper Active Directory integration, many different methods of unlocking a user account become available, none of which require a call to the helpdesk for administrative support.
Linking Active Directory with a dedicated Identity Provider (IdP) enables various methods of One-time Password (OTP) delivery. In the early days of Multi-factor Authentication (MFA), the most common method of delivering an OTP without a hardware token was e-mail. With the advent of the mobile era and BYOD programs, OTP delivery has taken on a whole new face.
An IdP can be configured to send an OTP by SMS for free via open-standard SMS gateway protocols. Using this method, users can perform a password reset quickly and securely over their cellular network connection.
An additional option for Active Directory password reset is a mobile application. With mobile access, certain IdPs allow a one-touch password reset that updates Active Directory instantaneously over the network.
Knowledge-based Authentication (KBA) is a form of authentication that relies on specific knowledge held by the user. The most common version of KBA is the static form: preconfigured challenge questions that the user answers in order to prove identity. By placing Active Directory behind a series of unique, customizable challenge questions, password reset can be handled securely from any network-connected device.
Dynamic KBA can also be synchronized with Active Directory. Through Dynamic KBA, challenge questions are generated on the fly from information stored in the user profile. This information can be very specific to the user or very generic, depending on configuration.
Much like the mobile systems for authentication, various other methods of OTP delivery are available to users for password reset validation. As a prime example, PortalGuard offers support for eleven different OTP methods, ranging from Hard Token to completely token-free support.
Offering various methods of securing and validating a user account provides convenience to the user without harming productivity or usability. Active Directory configuration allows multiple validation pathways that let the user regain access to his or her account without going through the helpdesk.
These pathways can be used only by the user in question, and they must be preconfigured beforehand. As a result, the user gains the convenience of choice while retaining a secure method of authentication that keeps attackers out of the network.
Active Directory natively integrates with Windows operating systems. Through this integration, password reset is enabled via a desktop hotkey shortcut, CTRL + ALT + DEL. Simple as it is, however, this default integration only allows a password reset if the user knows the current password.
This method of Password Reset is perfect when paired with password expiration notifications, as it offers a simple method for users to update their password in accordance with company/local password policy requirements.
For instances where a user has forgotten his or her password but has not lost it, or otherwise simply needs to recover the current password, basic Active Directory configuration serves only as a foundation.
Through the use of an adequate IdP, the end user can validate via different methods, such as OTP or challenge questions, and then either retrieve or reset the Active Directory password straight from the desktop.
For more information on this functionality on Mac OS X, please see the Macintosh and AD section above.
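The distinction the two previous sections draw, a desktop password change that requires the current password versus a reset performed after the user has validated by another factor, is visible directly in the ActiveDirectory PowerShell module. The following is an added example, not PortalGuard's or Microsoft's code; it assumes the RSAT ActiveDirectory module, a domain-joined session, and a placeholder account name `jdoe`.

```powershell
# Added example: the two AD password operations a self-service flow must keep apart.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session; 'jdoe' is a
# placeholder sAMAccountName, not a real account.
Import-Module ActiveDirectory

# 1. Password CHANGE: what CTRL+ALT+DEL does. The caller must present the current
#    password, so this path cannot help a user who has forgotten it.
function Invoke-SelfServiceChange {
    param([string]$User)
    $Old = Read-Host 'Current password' -AsSecureString
    $New = Read-Host 'New password'     -AsSecureString
    Set-ADAccountPassword -Identity $User -OldPassword $Old -NewPassword $New
}

# 2. Password RESET: what the IdP or helpdesk performs on the user's behalf after the
#    user has validated another way (OTP, challenge questions). The calling account
#    needs the "Reset password" right on the user object, which is why this path must
#    be gated by out-of-band verification and logged.
function Invoke-VerifiedReset {
    param([string]$User, [switch]$GeneratedByHelpdesk)
    $New = Read-Host 'New password' -AsSecureString
    Set-ADAccountPassword -Identity $User -Reset -NewPassword $New

    # A lockout from repeated wrong guesses is the usual reason for the helpdesk
    # call. A reset does not clear it, so unlock explicitly.
    Unlock-ADAccount -Identity $User

    # If the helpdesk chose the value, make the user replace it at next logon so
    # nobody but the user knows the password in effect.
    if ($GeneratedByHelpdesk) {
        Set-ADUser -Identity $User -ChangePasswordAtLogon $true
    }

    # Confirm the resulting state for the operator's record.
    Get-ADUser -Identity $User -Properties LockedOut, PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, LockedOut, PasswordLastSet, PasswordExpired
}

# Typical calls (placeholder account):
# Invoke-SelfServiceChange -User 'jdoe'
# Invoke-VerifiedReset -User 'jdoe' -GeneratedByHelpdesk
```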
Active Directory can also be integrated with your existing web portal to provide an additional method of password reset for situations where desktop or mobile password reset is inaccessible. In these situations, a web-based Active Directory password reset removes the need for a user to contact the helpdesk for access to the portal.
Some IdPs let you brand a custom web portal in order to provide web-based password reset without confusing or alienating your existing users. PortalGuard goes one step further by providing a brandable UI that remains consistent with the rest of your existing website.
For organizations with an existing web portal that still wish to enable web-based Active Directory password reset, PortalGuard has SideCar. SideCar enables web-based password reset through a dedicated IFRAME. This window provides access to self-service password reset without leaving the existing web portal or having to call the helpdesk.