Wouldn't it be magical if a user forgot their Active Directory password, reset it themselves and had that new password synchronized to all of their other accounts? You know, without calling the help desk?
Think of the productivity gains if that JIRA account they go into every 3 months had the same password as Active Directory as Google Apps as Salesforce as that custom built app that nobody knows who supports?
Currently, we know that over a third of all help desk calls are password related and to properly maintain security, password policies should actually be more stringent. This would cause that number to go up. It's not the users' faults, it is human nature to forget even the most important things. Otherwise grocery lists wouldn't exist and there wouldn't be jokes about husbands forgetting anniversaries.
Since we can't blame the user, let's help them.
Self service password reset is a very basic idea. If your user doesn't know their password you have to authenticate them with at least one of three things:
- something they know
- something they have
- something they are
The first is knowledge-based, usually a set of answers to pre-set questions. Making this customizable by role is important; your factory floor worker may not need the stringent set of questions that your CFO needs. It is sort of like making the punishment fit the crime, the more access that the user has, the more important it is to determine their identity.
The second factor is usually a phone or smart card. This one isn't as common as it should be. As in the first factor, you can customize this by role, take advantage of the fact that your executive users all have smartphones, send an OATH token to confirm that they have what they say they have. It adds a LOT of security and only a small additional commitment from the user.
The third factor is usually biometrics. This step is often taken for extremely highly sensitive accounts. If you have the need to roll this out, your users know what they are dealing with.
EmpowerID Password Manager can handle all of these factors and the customization needed to make it work. Its powerful workflow engine makes it easy to branch out different password reset paths based on role or group membership or any other determining factor.
And EmpowerID also synchronizes this new password with all of the other systems connected to its metadirectory. Reset you Active Directory password and simultaneously reset your Lotus Notes password. Give your users one password at a time to forget.
Importantly, users are going to reset their password the old fashioned way with CTRL-ALT-DELETE. EmpowerID has a DC filter that will catch these password changes and run them through the same password synchronization workflow described above, keeping your users with just that single password.
By having tools to help your users, you can put password policies in place that help security, making them change every 30-45 days, knowing that you won't get as many complaints since it's a single password still. Something that even your most vocal users should get behind.
EmpowerID makes all of this possible in a very powerful yet easy to manage application. It has at its core a full Identity & Access Management platform broken out by modules for functionality. Having the metadirectory, RBAC engine and workflow studio built into the base platform and available for every module gives the flexibility to have these advanced password functions without having to buy the entire IAM suite. See it for yourself, schedule a demonstration by clicking the button below!
Tags: Password management