B2C Single Sign On & Identity Management That Wins Over Consumers

Posted by Bradford Mandell on Mon, Oct 20, 2014


Organizations that manage successful brands know what their customers want from a website experience and are able to provide it.

Consumers want simpler processes.  

They want a quick, seamless authentication experience. 

They want to get to a site from any device that is handy at the time, whether it’s a PC, a tablet or a smartphone.

They have lots of choices and they are bombarded with lots of information. Your branding must be visible and the flow of your customer through your site must be smooth so they will have a positive experience, remember you and want to return.

And your security for their identity needs to protect them and you without being obtrusive.

Your prize, if you capture consumers with a well-designed web presence, is a solid foundation for business growth, faster fulfilment of your clients’ needs, and substantially greater efficiencies that can reduce costs and drive profitability.

And of course you are supposed to accommodate all that and keep to a modest IT budget… phew!  

Here’s what it’s going to take:

  • A highly scalable Single Sign On (SSO) and Identity and Access Management (IAM) platform – one that can take you where your ambition wants to go.  Your IAM infrastructure may need to manage millions of users and tens of thousands of logins an hour.
  • Flexible branding – the login process can’t be generic, it and related Single Sign On (SSO) pages need to be customizable to your themes.
  • Support for social media logins is a must if you want to simplify the user experience and entice the widest number of users possible.
  • Self-service password reset and challenge questions that allow consumers to quickly get back in to your site if they forget their username or their password.
  • 2nd factor authentication capabilities and even identity validation will be needed if you need to provide an extra level of protection for your data or resources.  You may want the ability to step up authorization when a user needs to access more sensitive information.
  • A flexible API is another core need – one that can be embedded into your existing applications to connect to common authentication, provisioning and authorization processes.
  • You will want a licensing model that scales from a modest user base to one that is still affordable if you exceed your best expectations.
  • And while many SSO platforms claim that you can easily entrust provisioning to another platform that they can connect to, that’s going to cost you more money to develop, to implement and to support. So you will want a platform that is capable of integrating all of your essential identity management tasks from the start.
  • There is a lot of other technical stuff that you are going to want, like compatibility with all the major standards (SAML, WS-Fed, OAuth), password vaulting and reverse proxy for those legacy apps that can’t make a standard federated connection, but that still need to talk to your federated environment (because throwing out everything you own to pave way for new standards isn’t always practical).

There is a solution that provides all of the above: EmpowerID. 

EmpowerID is an integrated and modular platform, built on a single codebase and driven by workflow with prebuilt one-to-many SSO and Identity Management scenarios with the needs of consumers in mind. 

EmpowerID’s visual workflow designer and adaptive HTML5 interfaces offer a vastly improved and simplified approach to traditional SSO and IAM challenges.  It can be stood up in just a few days or weeks depending on the customization desired, instead of the months that other applications take. 

Most importantly, EmpowerID supports a satisfying access experience for consumers and drives strong ROI with its secure, seamless and flexible identity processes.  


Tags: WS-Fed, authentication, Identity Management, Federation, consumers, SAML, Single Sign-on, Password management, SSO, social media

Innovation and Productivity Gains From Identity and Access Management

Posted by Bradford Mandell on Tue, Jul 15, 2014


Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to maintain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  The CSO was impressed with EmpowerID's broad functionality, built on a single codebase with a workflow core and shipping with hundreds of ready-to-deploy workflows, and with its ability to easily design and automate complex IAM processes with its visual Workflow Designer. 

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, it also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 


Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

Top 5 uses for OATH tokens in Two Factor Authentication

Posted by Edward Killeen on Tue, Oct 22, 2013

An OATH token is a secure one time password that can be used for two factor authentication.  The first factor is something you know (a password, mother's maiden name, the whereabouts of Jimmy Hoffa) while the second factor is something you have (a smartphone, email address, etc.).  The OATH token is sent to something you have as a one time password to increase security in authentication.

The OATH one-time password algorithm is an open standard and, as such, is widely implemented.  EmpowerID ships with an OATH server to generate and validate OATH tokens, while clients such as Google Authenticator are free and widely available for smartphones and tablets.

When the OATH server is combined with a sophisticated Identity & Access Management platform like EmpowerID, it opens up a wide range of uses for multi factor authentication.  You don't have to broadly apply the increased level of authentication across all use cases; rather, you can choose the resources or users/roles that require enhanced security and apply two factor authentication strategically.

Since EmpowerID ships with multi-factor authentication as part of the base platform, we see a lot of use cases on how organizations apply OATH tokens.

Self service password reset - When users are locked out or forget their passwords, you need an additional means of verifying their identity.  The traditional method is a series of knowledge based questions (mother's maiden name, eye color, etc).  However, since most of this information can be gleaned from social media profiles, an OATH token as a second factor is almost mandatory to determine the user's identity.

Step up authentication - Once your users are already authenticated, you may want to increase the level of security based on what they are accessing.  An example of this is when your user is attempting to access the financial reports for the 10K report.  They have already entered their username and password, but you want to have that second factor for both security and auditing reasons when they access a resource with a higher security level.

Single sign on to cloud applications - This use case is similar to the previous step up authentication, but is more broadly applied.  If you are offering single sign on (SSO) to internal applications, you might want to step up the authentication before leaving the network to access cloud applications.  This extra level of authentication coupled with Federation or Web Access Management keeps your SaaS applications doubly secure and your CISO happy with precautions you are taking with the cloud.

Admin or executive accounts - I have always found it interesting that the users with the highest privileges tend to get away with the lowest security -- admins because they control security and CxOs because they sign the admins' checks.  These are exactly the users who should have multi factor authentication and OATH tokens are a fairly innocuous way to deliver that security.  Plus, it gives them a chance to look at their phones in meetings!

After x number of incorrect authentication attempts - This use case requires a fairly powerful workflow based IAM platform like EmpowerID that can re-route the authentication requirements based on calculations or an algorithm.  This can be applied to any of the use cases above but is especially useful to prevent hacking attempts.
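The five use cases above are really one decision: given who is authenticating, what they are reaching for and what has just happened on the account, does this request need a second factor? The following is an added example (not EmpowerID's workflow engine or any code from this post) of that decision written as a small policy with a sliding-window failed-attempt counter. The role names, resource sensitivity levels and thresholds are constructed; the reasons list exists so the decision can be logged for audit.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class FailureTracker:
    """Sliding-window count of failed logins per account (in-memory, constructed for the demo)."""

    def __init__(self, threshold: int = 3, window_seconds: int = 900):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)

    def record_failure(self, user: str, now: int) -> None:
        self._failures[user].append(now)

    def recent_failures(self, user: str, now: int) -> int:
        q = self._failures[user]
        while q and now - q[0] > self.window_seconds:   # drop events that fell out of the window
            q.popleft()
        return len(q)

    def clear(self, user: str) -> None:
        """Call after a fully successful authentication."""
        self._failures.pop(user, None)


class StepUpPolicy:
    """Decides which factors an authentication must present, and records why."""

    PRIVILEGED_ROLES = {"domain-admin", "executive"}   # hypothetical role names
    HIGH_SENSITIVITY = 3                                # resources at or above this level need a second factor

    def __init__(self, tracker: FailureTracker, sensitivity: Dict[str, int]):
        self.tracker = tracker
        self.sensitivity = sensitivity   # resource name -> constructed sensitivity level

    def required_factors(self, user: str, roles: Set[str], resource: str, action: str,
                         leaving_network: bool, now: int) -> Tuple[List[str], List[str]]:
        reasons: List[str] = []
        if action == "password_reset":
            reasons.append("self-service password reset")
        if self.sensitivity.get(resource, 0) >= self.HIGH_SENSITIVITY:
            reasons.append(f"high-sensitivity resource {resource}")
        if leaving_network:
            reasons.append("single sign-on to a cloud application from the internal network")
        if roles & self.PRIVILEGED_ROLES:
            reasons.append("privileged (admin/executive) account")
        failures = self.tracker.recent_failures(user, now)
        if failures >= self.tracker.threshold:
            reasons.append(f"{failures} failed attempts within {self.tracker.window_seconds}s")
        # A reset starts from knowledge-based questions (the user has no password); everything else
        # starts from the password. Any triggered reason adds the OATH one-time password on top.
        base = "knowledge-questions" if action == "password_reset" else "password"
        factors = [base] + (["otp"] if reasons else [])
        return factors, reasons


if __name__ == "__main__":
    tracker = FailureTracker()
    policy = StepUpPolicy(tracker, {"intranet-portal": 1, "salesforce": 2, "financial-reports": 3})
    for t in (1000, 1010, 1020):
        tracker.record_failure("bob", t)
    print(policy.required_factors("bob", {"sales"}, "intranet-portal", "login", False, 1030))
```

The same evaluation runs for every request, so a sales user reaching the intranet portal gets password only, while the same user after three failures, or reaching the financial reports, or leaving the network for a SaaS application, is asked for the token; a policy change is an edit to the rules, not to the applications.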

OATH tokens as second factor authentication are incredibly useful but it's more than just spinning up an OATH server.  It needs to be integrated with your IAM platform to be able to strategically and surgically apply its extra level of security and protection.  If you roll it out en masse, you will have a user revolt.  If you apply it in a way that makes sense to the users without an undue burden on them, you win and security wins.

EmpowerID's extensive and customizable visual Identity Management workflows have multiple second factor authentication shapes out of the box, allowing you to simply select a template, configure it for the use case you need and get the most out of OATH and two factor authentication.


Tags: Password management, Identity and Access Management (IAM)

AD Password Management & Synchronization

Posted by Edward Killeen on Fri, Sep 27, 2013

Active Directory password management is a three part problem: self service password reset; password synchronization to other applications; and eliminating passwords entirely!

The first two are part of password management, but the third is the trend for forward looking IT organizations.  Let's talk about self service password reset and synchronization first and then talk about how to eliminate passwords completely.

Most users start the day with their Active Directory password.  And most users will eventually forget that password or get locked out.  To delegate the reset and unlocking, you need to have a way to verify (authenticate) who that user is before letting them change the password.  There are a few ways to do this:

  • the traditional knowledge based question and answer
  • second factor authentication -- not something they know but something they have like a mobile phone or software token
  • help desk questions

The key to making self service password reset work is to force users to enroll.  EmpowerID builds an enrollment check into each authentication workflow; if the user is not enrolled, they will be re-directed to an enrollment form, keeping your password management system from becoming shelfware.

Second factor authentication likewise should have choices, either using EmpowerID's built in OATH tokens, sending a PIN to an SMS gateway, or accepting a hardware token.  Adding this on top of the knowledge based questions helps ensure that your user is who they say they are.

Users will still forget their own knowledge based answers or have a phone battery die so you need a help desk backup.  EmpowerID does not let the help desk see the knowledge based questions and answers so we provide a set that is visible to the help desk to aid in verifying the user's identity.  Once verified, the help desk can easily reset or unlock the account.

For most password management solutions, this is as far as it extends: Active Directory.  Since EmpowerID is a full IAM platform with connectors into almost any cloud or on-premise application, passwords can be synchronized to those applications.  For example, if a user has an AD account, a Google apps account, and three line of business accounts, EmpowerID can synchronize that password from AD upon reset and ensure that the user has a single cohesive password meeting all of the password complexity rules.  This is extremely valuable for your end users.

But why stop there?  Single sign on can eliminate the need to even have all of those passwords.  If your applications can be federated with SAML or OAuth or any other federation standard, EmpowerID can authenticate your user with their AD credentials, then pass a token to the application to authenticate them there without your user ever using or needing to know that other password.  If the application isn't federated, EmpowerID also offers Web Access Management (WAM), secure password vaulting, and a built-in virtual directory for authentication.

Eliminating the need for all of these passwords is definitely preferable and adds security.  With EmpowerID you can also have role based or resource based step up authentication, requiring a second factor for more secure assets.  Users don't know their passwords so deprovisioning is more thorough with fewer moving parts.

EmpowerID is a single code base, purpose built Identity & Access Management platform that performs all of these functions seamlessly and interoperably.  Don't fall into the trap of buying password management software that doesn't do everything you need it to.  Take a look at EmpowerID and see how you can solve all of the password challenges.


Tags: Password management

Self service password management: all the passwords

Posted by Edward Killeen on Thu, Mar 21, 2013

You have heard the statistics that over 30% of all help desk calls are password related and that each help desk call costs, on average, around $35.  It is true that the quickest and best way to increase the efficiency of your IT department is to offer self service password management.  Give your users the ability to unlock and reset their own passwords.

Just don't stop at Active Directory.  There are more passwords out there, a lot more.  A study of just web passwords shows that users have on average 6.5 passwords to remember for 25 accounts.  Never mind that to get a half password, you have to have a very lax password policy (4 characters, 1 of which must be a fraction!).

So if you can save your company a quadrillion dollars solving your AD password management issues, doesn't it stand to reason that you want to solve ALL the password management issues?  Your users forget them all; you might as well have them reset and unlock them all.

Password synchronization goes hand in hand with self service password reset.  The first benefit is that your user's range of passwords is simplified, that number of 6.5 goes down dramatically to as low as 1.  There are times when password complexity rules are mutually exclusive and you will just have to have that accounted for in the password synchronization rules.

The one password most users remember is their AD password because they use it so often.  Make that your catalyst for all password changes.  If that password is changed, have EmpowerID synchronize that password to all of the other applications.  Even if the password is changed natively through CTRL-ALT-DEL, EmpowerID can capture that change and synchronize it to the other apps.

If the user does forget the AD password, offer a variety of ways for the end user to reset the password.  Utilize the tried and true Q&A knowledge based questions, enhance the security a bit by throwing in OATH tokens, and be sure to have a helpdesk only question where the helpdesk can see both the question and answer.

Be sure to lock down the ability for end users to natively change passwords in the applications that you are synchronizing.  EmpowerID will update the application password next time your user changes it but they will be out of sync until then.

If you focus on a solution for only the AD passwords, you are going to drop that 30% down but not all the way to 0%.  To get to 0%, you have to offer self service password reset and password synchronization to stop "ALL THE HELP DESK CALLS!"


Tags: Password management

The link between password synchronization and password reset

Posted by Edward Killeen on Tue, Mar 12, 2013

Wouldn't it be magical if a user forgot their Active Directory password, reset it themselves and had that new password synchronized to all of their other accounts?  You know, without calling the help desk?

Think of the productivity gains if that JIRA account they go into every 3 months had the same password as Active Directory as Google Apps as Salesforce as that custom built app that nobody knows who supports?


Currently, we know that over a third of all help desk calls are password related and to properly maintain security, password policies should actually be more stringent.  This would cause that number to go up.  It's not the users' faults, it is human nature to forget even the most important things.  Otherwise grocery lists wouldn't exist and there wouldn't be jokes about husbands forgetting anniversaries.

Since we can't blame the user, let's help them.

Self service password reset is a very basic idea.  If your user doesn't know their password you have to authenticate them with at least one of three things:

  • something they know
  • something they have
  • something they are

The first is knowledge-based, usually a set of answers to pre-set questions.  Making this customizable by role is important; your factory floor worker may not need the stringent set of questions that your CFO needs.  It is sort of like making the punishment fit the crime, the more access that the user has, the more important it is to determine their identity.

The second factor is usually a phone or smart card.  This one isn't as common as it should be.  As in the first factor, you can customize this by role, take advantage of the fact that your executive users all have smartphones, send an OATH token to confirm that they have what they say they have.  It adds a LOT of security and only a small additional commitment from the user.

The third factor is usually biometrics.  This step is often taken for extremely highly sensitive accounts.  If you have the need to roll this out, your users know what they are dealing with.

EmpowerID Password Manager can handle all of these factors and the customization needed to make it work.  Its powerful workflow engine makes it easy to branch out different password reset paths based on role or group membership or any other determining factor.

And EmpowerID also synchronizes this new password with all of the other systems connected to its metadirectory.  Reset your Active Directory password and simultaneously reset your Lotus Notes password.  Give your users one password at a time to forget.

Importantly, users are going to reset their password the old fashioned way with CTRL-ALT-DELETE.  EmpowerID has a DC filter that will catch these password changes and run them through the same password synchronization workflow described above, keeping your users with just that single password.

By having tools to help your users, you can put password policies in place that help security, making them change every 30-45 days, knowing that you won't get as many complaints since it's a single password still.  Something that even your most vocal users should get behind.

EmpowerID makes all of this possible in a very powerful yet easy to manage application.  It has at its core a full Identity & Access Management platform broken out by modules for functionality.  Having the metadirectory, RBAC engine and workflow studio built into the base platform and available for every module gives the flexibility to have these advanced password functions without having to buy the entire IAM suite.  See it for yourself, schedule a demonstration by clicking the button below!


Tags: Password management

Password synchronization in the enterprise

Posted by Edward Killeen on Fri, Jan 11, 2013

The average user in a medium to large enterprise has 16 applications that they need to access to do their job.  This means 16 username / password combinations.  Doing the math, this translates to a metric boatload of help desk calls to support this many passwords.

There are three things you can do about this:

  1. Provide single sign on (SSO)
  2. Provide self service password reset
  3. Synchronize passwords between the applications

There are advantages and limitations to each option.  Single sign on is probably the best solution, having your users log in once and then be authenticated into each application.  However, if the application doesn't support federation, you will need to do password vaulting and you still have the problem of a lot of passwords.  Many legacy systems will have this limitation.

Providing self service password reset is also a great option.  It allows you to delegate changing passwords once forgotten and can have built in security like two factor authentication or forced enrollment.  But, you're supporting 16 applications and you might as well fix the problem before the horse leaves the barn.

That brings us to password synchronization.  You will give your user a single password that is the same for each application.  When they change it in one place (for example, Active Directory), it will be synchronized to each application.  Users will still need to enter a password each time, but they only have to remember 1 not 16.

Before I go any further, the same EmpowerID module for password synchronization also provides self service password reset, giving you options 2 and 3 in one fell swoop.  Since EmpowerID is a single code-base platform, EmpowerID SSO Manager also can work in conjunction with Password Manager to provide all three options to work together.

EmpowerID is a hub and spoke model, with a metadirectory sitting squarely in the middle keeping identity data and passwords synchronized.  You will most likely have a source of truth for the password, whether it be the EmpowerID directory or Active Directory.  Once this password is changed, EmpowerID will write out that password to all affected applications using stored procedures or APIs. 

If there are different password complexity requirements, EmpowerID can enforce the most restrictive and ensure that the user has a single password for all applications.  If there are mutually exclusive password policies (no special characters in one but special characters required in another), we should explore single sign on.

The first question is usually, what starts this process?  How can you synchronize a password if it is encrypted in the source of truth directory?  We can't, nobody can.  We need to force the synchronization process to start by changing the password initially.  Once EmpowerID has the password, we can follow the security guidelines of each application to synchronize the new password to these 16 applications.

The simplest way to do this is to force the user to change their password on the next login, whether it is to EmpowerID or to Active Directory.  This setting is easy to turn on and gives the user an easy way to create the new synchronized password.  We can also build the password change action into any authentication workflow or give them the requirement to change the password x days before expiration.
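Putting the hub-and-spoke description together, here is an added example (not EmpowerID code and not from this post) of the three pieces a synchronization hub needs: merging the connected applications' complexity rules into the most restrictive set and flagging rules that cannot coexist, validating the new password once against that merged set, and pushing it to spokes that each store only their own salted hash. The spokes also show why the hub can never synchronize a password it did not see being changed: nothing readable is stored anywhere. The application policies and names are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Complexity rules of one connected application (the instances used below are constructed)."""
    name: str
    min_length: int = 8
    max_length: int = 128
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False
    allow_special: bool = True


def merge_policies(policies: List[PasswordPolicy]) -> Tuple[PasswordPolicy, List[str]]:
    """Most restrictive combination of every policy, plus the rules that cannot coexist."""
    merged = PasswordPolicy(
        name="merged",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        require_upper=any(p.require_upper for p in policies),
        require_digit=any(p.require_digit for p in policies),
        require_special=any(p.require_special for p in policies),
        allow_special=all(p.allow_special for p in policies),
    )
    conflicts: List[str] = []
    if merged.require_special and not merged.allow_special:
        need = [p.name for p in policies if p.require_special]
        forbid = [p.name for p in policies if not p.allow_special]
        conflicts.append(f"special characters required by {need} but forbidden by {forbid}")
    if merged.min_length > merged.max_length:
        conflicts.append(f"minimum length {merged.min_length} exceeds maximum {merged.max_length}")
    return merged, conflicts


def violations(policy: PasswordPolicy, password: str) -> List[str]:
    """Every rule of `policy` the candidate password breaks (empty list means it passes)."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if policy.require_digit and not re.search(r"\d", password):
        problems.append("needs a digit")
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    if policy.require_special and not has_special:
        problems.append("needs a special character")
    if not policy.allow_special and has_special:
        problems.append("special characters not allowed")
    return problems


class Spoke:
    """A connected application. It keeps only its own salted PBKDF2 hash, so the hub cannot
    read a password back out of any spoke; synchronization has to happen at change time."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.salt = os.urandom(16)
        self.digest = b""

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.digest = self._derive(password)

    def verify(self, password: str) -> bool:
        return bool(self.digest) and hmac.compare_digest(self.digest, self._derive(password))


def synchronize(new_password: str, spokes: Dict[str, Spoke]) -> Tuple[bool, List[str]]:
    """Hub side: refuse if the policies conflict, validate once against the merged policy,
    then write the new password to every spoke."""
    merged, conflicts = merge_policies([s.policy for s in spokes.values()])
    if conflicts:
        return False, conflicts          # this application is a candidate for SSO instead
    problems = violations(merged, new_password)
    if problems:
        return False, problems           # tell the user what the combined policy needs
    for spoke in spokes.values():
        spoke.set_password(new_password)
    return True, []
```

The conflict check is the piece most often left to be discovered by the first user whose password is rejected by one application after being accepted by another; running it when a connector is added tells you up front which applications belong on the single sign-on list rather than the synchronization list.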

But we haven't really saved IT a lot of time yet unless it's easy to implement and configure.  That's where EmpowerID's visual workflow comes in.  Every identity action your users take goes through a workflow which can be customized and personalized.  For our password example, this means that users with more highly privileged access can be forced to change passwords more often or to also need two factor authentication with OATH tokens. 

This workflow maps to your business process and gives you flexibility in how you manage your passwords and users, giving different policies for different roles or applications.  In short, it makes password management flexible.

But once the users have a single password, the metric boatload of time saved by IT can go towards the single sign on (SSO) project you've been looking at. 


Tags: Password management

Best practices in self service password reset; lessons from Skype

Posted by Edward Killeen on Thu, Nov 15, 2012

As reported at ABC News, "early this morning it was found that Skype's password reset tool had been compromised. Discovered by Russian hackers and first reported by the tech site the Next Web, all that was needed to get into a Skype account was a Skype user name and the associated email address. The typical security roadblocks between getting into an account weren't in place; it didn't ask a user to confirm an email address with an email or answer a security question."

Even these steps aren't as secure as they could be.  Self service password reset rides that delicate balance between productivity and security.  Users will forget passwords and get locked out; to minimize the disruption to their work day, you need to offer self service with as few roadblocks as possible.  However, the bad guys can take advantage of this lack of roadblocks and reset passwords. 

You need to know that the person resetting the password is who they say they are.

As far as I can tell in Skype's case, it wasn't really that they didn't have the technology in place, it was that they went too far towards the productivity scale in specific use cases.  Or they had a technical issue, I'm not a reporter, I don't know.

But there is something you can learn from this.  Let's start with the idea of tipping the scale all the way to security while still living in the world of self service (as opposed to making someone show up at the help desk and do an iris scan).

What can you do to ensure that user is who they say they are?

  • Knowledge based questions.  This is the concept of "what you know."  The user's eye color, first make of car, favorite pasta, etc.  On its own, this is completely guessable by looking at pictures in the cube or a Facebook profile.
  • Two factor authentication.  This is the concept of "what you have."  When the user attempts to reset their password, send them a text or have them use an OATH token or take a biometric fingerprint scan.  This piece, in addition to "what you know", is the most important step.
  • Periodic forced re-enrollment.  If you can force enrollment in the self service password reset program periodically, the user will remember their questions, update with their new cell phone number, and confirm their identity.
  • Identity proofing.  There are two ways to do this.  You know a lot about your users (think of all of your identity stores), make them answer something that you know about them that a hacker might not like their date of hire, amount of last commission check, boss's favorite ice cream.  If you don't have that information, you can utilize services such as Equifax' identity proofing where they will answer the amount of their mortgage or some other information.
  • Multiple account management.  Active Directory self service password reset is the key one here but if a system like empowerID can manage passwords in multiple accounts and add password complexity on top of your domain policy, then do it.
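The Skype story and the first two bullets above come down to one rule: knowing a username and an e-mail address must only start a reset, never finish one. The example below is added here to show that flow and is not EmpowerID code or Skype's; it assumes an in-memory directory, a fake outbox standing in for the mail server, and a 15-minute token lifetime, all of which are constructed for the example. Possession of the enrolled mailbox is proven by echoing back a random single-use token; the knowledge based answers are stored salted and hashed and compared in constant time, and the token expires, burns after a handful of wrong attempts, and cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs (assumptions for this example, not EmpowerID settings).
TOKEN_TTL_SECONDS = 15 * 60   # a reset link dies after 15 minutes
MAX_ATTEMPTS = 5              # wrong finish attempts before the token is burned
PBKDF2_ROUNDS = 50_000


def normalize_answer(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Fusilli ' still matches 'fusilli'."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """KBA answers are stored hashed, like passwords, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(email: str, answers: dict) -> dict:
    """Build a directory record at enrollment time (constructed sample data)."""
    kba = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        kba[question] = (salt, hash_answer(answer, salt))
    return {"email": email.lower(), "kba": kba}


@dataclass
class PendingReset:
    token_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class ResetService:
    def __init__(self, directory: dict, now=time.time):
        self.directory = directory
        self.now = now            # injectable clock so expiry can be exercised offline
        self.pending: dict = {}
        self.outbox: list = []    # (address, token) mails we "sent"; stands in for SMTP

    def start_reset(self, username: str, typed_email: str) -> None:
        """Step 1: issue a single-use token, delivered only to the ENROLLED address.

        Knowing the username and e-mail only starts the process; possession of
        the mailbox is proven later by echoing back the random token. Nothing is
        returned either way, so the endpoint cannot be used to enumerate accounts.
        """
        user = self.directory.get(username)
        if user is None:
            return
        if not hmac.compare_digest(user["email"].encode(), typed_email.lower().encode()):
            return
        token = secrets.token_urlsafe(32)
        self.pending[username] = PendingReset(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        self.outbox.append((user["email"], token))

    def finish_reset(self, username: str, token: str, answers: dict) -> bool:
        """Step 2: 'what you have' (the mailed token) plus 'what you know' (KBA)."""
        p = self.pending.get(username)
        if p is None or p.used or self.now() > p.expires_at or p.attempts >= MAX_ATTEMPTS:
            return False
        p.attempts += 1
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), p.token_hash):
            return False
        kba = self.directory[username]["kba"]
        if set(answers) != set(kba):
            return False          # every enrolled question must be answered
        for question, given in answers.items():
            salt, stored = kba[question]
            if not hmac.compare_digest(hash_answer(given, salt), stored):
                return False
        p.used = True             # token is single-use
        return True


def demo() -> dict:
    """Legitimate owner vs. an attacker who knows only username + e-mail + answers."""
    clock = [1_000_000.0]
    directory = {"ekilleen": enroll("ed@example.com", {"pasta": "fusilli", "car": "Datsun"})}
    svc = ResetService(directory, now=lambda: clock[0])
    svc.start_reset("ekilleen", "Ed@Example.com")
    _, token = svc.outbox[-1]
    attacker = svc.finish_reset("ekilleen", "guess", {"pasta": "fusilli", "car": "Datsun"})
    owner = svc.finish_reset("ekilleen", token, {"pasta": " Fusilli", "car": "datsun"})
    replay = svc.finish_reset("ekilleen", token, {"pasta": "fusilli", "car": "Datsun"})
    svc.start_reset("ekilleen", "ed@example.com")   # a fresh token left to go stale
    _, stale = svc.outbox[-1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.finish_reset("ekilleen", stale, {"pasta": "fusilli", "car": "Datsun"})
    return {"attacker": attacker, "owner": owner, "replay": replay, "expired": expired}
```

In `demo()` the attacker has everything Skype asked for, and even the right pasta, and still fails because the random token never reached them; the owner succeeds once, and the same token is refused on replay and after expiry.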

If you set these steps as your default policy, you will have gone overboard and tipped the scale too far towards security and have a mob of angry pitchfork wielding users on your hands.  So you have to temper it slightly.

If you are using empowerID for this (and I assume you are because I'm pretty sure nobody else can force enrollment like we can!), you also have roles for your users and security levels for your applications.  You can integrate these factors into your self service password reset program by incorporating any of these features on an as-needed basis.

For example, turn off identity proofing and biometrics unless a user is trying to reset their password for a high security system like the financials database.  If the user's role is sales, resetting their salesforce.com account should involve two factor authentication, but resetting their quotation system password should not require it (assuming they need this right now!).

Mix and match security levels of the system and role of the user to determine how far you need to tip the scale.  If you have multiple factor authentication on the most secure systems, you might be able to dial down the requirements just to reset their Active Directory password.

Many of these features are exclusive to empowerID.  For sure, the integration of password management with other identity and access management features is unique to empowerID.  See how to take advantage of these best practices in self service password reset with a personalized demo today.


Tags: Password management

Active Directory password reset by role

Posted by Edward Killeen on Tue, Oct 30, 2012

As George Orwell said, "All animals are equal but some animals are more equal than others."  How does this apply to resetting passwords?  Everyone needs passwords reset, but some need a little extra security around their password resetting.

Let's take the scourge of the help desk, Active Directory password reset.  Everybody has seen the statistics on how expensive it is to have your help desk take these calls, somehow verify that the user is who they say they are and reset the user's AD password: on average, $35 per call.

The obvious solution is self service AD password reset.  Give the users an easy link to reset their password when it is either forgotten or they are locked out.  They will answer a pre-configured number of knowledge based questions (eye color, favorite pasta noodle, etc); once answered, the software trusts who they are and lets them reset their password.

The issue with this is that some animals are more equal than others.  Do you really want the CFO's password to be compromised because someone read his Facebook profile and figured out his eye color and the astounding amount of fusilli that he eats?

The way to solve this is role based Active Directory password reset.  Based on the user's role in your RBAC system, you will require a higher level of authentication before allowing them to reset their password.  Maybe it's just more questions.  Or it could be two factor authentication via SMS.  Or it could be identity proofing.  Or it could require approval by a help desk employee.  The point is, based on a user's role, you can make this password reset more secure.

I have always found it distressing that the higher level of security needed for a user's role, the more likely they are to be violating some basic security rules.  For example, the CFO has a bit of influence in a company; if he hates changing his password, he can talk people into allowing his account to have a "never change" policy.  Same thing for domain admins.

Role based password management should do just the opposite: it should make these more sensitive roles more secure.  Two factor authentication is not that intrusive, just a quick SMS message that your user plugs into a form during password reset.  Identity proofing is even easier; it is again something the user knows, like their monthly mortgage payment.  Security doesn't have to be painful.

And by managing security based on role, you don't have to assign this stricter level of authentication if all that role does is punch in and out of the timeclock application.  You still save that $35 per call but can also protect your network with more dexterity.
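The mix-and-match policy described in this post and in the Skype post above ("turn off identity proofing unless it's the financials database", "sales needs 2FA for salesforce.com but not the quotation system", "the CFO gets extra steps everywhere") is a small lookup: take the stricter of the role's floor and the target system's sensitivity, and that level decides which factors the reset must present. The example below is added here to show that decision table in working code; it is not EmpowerID's policy engine, and the roles, systems and levels are a constructed sample inventory rather than anything from the post.

```python
from enum import IntEnum


class Level(IntEnum):
    LOW = 1      # timeclock-style apps: knowledge based questions are enough
    MEDIUM = 2   # add possession of the enrolled phone (SMS one-time code)
    HIGH = 3     # add identity proofing and a human in the loop


# Constructed sample inventory; real values come from the application catalog.
SYSTEM_LEVEL = {
    "timeclock": Level.LOW,
    "quotation": Level.LOW,
    "active_directory": Level.MEDIUM,
    "salesforce": Level.MEDIUM,
    "financials": Level.HIGH,
}

# A role's floor: the CFO and domain admins never get a cheap reset anywhere,
# even for the timeclock, because the same AD password guards their mailbox.
ROLE_FLOOR = {
    "warehouse": Level.LOW,
    "sales": Level.LOW,
    "cfo": Level.HIGH,
    "domain_admin": Level.HIGH,
}

FACTORS = {
    Level.LOW: frozenset({"kba"}),
    Level.MEDIUM: frozenset({"kba", "sms_otp"}),
    Level.HIGH: frozenset({"kba", "sms_otp", "identity_proofing", "helpdesk_approval"}),
}


def reset_level(role: str, system: str) -> Level:
    """The stricter of the two wins; unknown roles or systems fail closed to HIGH."""
    return max(ROLE_FLOOR.get(role, Level.HIGH), SYSTEM_LEVEL.get(system, Level.HIGH))


def required_factors(role: str, system: str) -> frozenset:
    return FACTORS[reset_level(role, system)]


def authorize_reset(role: str, system: str, presented) -> tuple:
    """Return (allowed, still_missing) so the UI can step up instead of just failing."""
    missing = required_factors(role, system) - set(presented)
    return (not missing, missing)


def may_exempt_from_expiry(role: str) -> bool:
    """The 'never change my password' favor the CFO talks the help desk into:
    refuse it outright for any role whose floor is HIGH."""
    return ROLE_FLOOR.get(role, Level.HIGH) < Level.HIGH


def policy_matrix() -> dict:
    """Every role/system pair and what a reset costs the user; handy for audit."""
    return {(r, s): sorted(required_factors(r, s)) for r in ROLE_FLOOR for s in SYSTEM_LEVEL}
```

With this table a sales user resets the quotation system on knowledge based questions alone, needs the SMS code for salesforce.com, and the CFO is stepped up to identity proofing and help desk approval even for the timeclock; `policy_matrix()` prints the whole thing so the decisions can be reviewed rather than discovered one angry user at a time.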

And here's the best part.  This isn't limited to Active Directory.  If you are managing all of your passwords through EmpowerID, you can reset all of your passwords together or separately.  You can reset your salesforce.com password separate from AD.  And you can do all of this based on your user's role.

EmpowerID password manager utilizes roles and resets passwords, one of the benefits of having a purpose-built integrated IAM platform.  Schedule a demo and see how you can keep your CFO's account more secure.


Tags: Role Based Access Control (RBAC), Active Directory, Password management

The best password strength is easier than you think

Posted by Edward Killeen on Wed, Aug 08, 2012

As our friends at XKCD have stated, "Through 20 years of effort, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."  Password strength has been reduced to p@$$wOrd123.

As a vendor in the password management space, I guess we should be thankful.  We are able to offer self service password reset, password synchronization, federated single sign-on and make a healthy living because of it.  And users are still going to be using p@$$wOrd123 but at least you can mitigate this security risk with a properly designed identity and access management (IAM) system.

Here are the things you can do from an IAM perspective:

  1. Two factor authentication(2FA): for high security resources and applications, force 2FA.  Make a user have a cell phone or biometrics in addition to the password.
  2. Identity proofing: make the user answer questions that only they would know in addition to the password.
  3. Device registration: check to see if they are on a company-owned device before authenticating; if not, send it for approval.
  4. One time passwords (OTP): when the user attempts to access an application, send an OTP to a secure email address (note: this doesn't work with authenticating into the network as that is where the email is :) ).

All of these are great solutions but the easiest and most effective fix you can do to ensure the best password strength:  password length.  Make your password policy a minimum of 20 characters and stop forcing upper case and special characters and numbers.  Heck, make it 25 characters or 30.

But how is a user going to remember that if they can't remember p@$$wOrd123?  Easy: it's a sentence.  A single-word dictionary check won't trip on it because it's a lot of words strung together, and it's probably a quote the user remembers anyway.  Some to think about:

  • franklymydearIdontgiveadamn
  • Iknowitiswetandthesunisnotsunnybutwecanhavelotsofgoodfunthatisfunny
  • itwasthebestoftimesitwastheworstoftimes
  • allinallitisjustanotherbrickinthewall
  • pleasenoteihaveneverusedanyofthese

Password length in and of itself doesn't guarantee security.  Cracking tools run combinator and passphrase rules over lists of famous quotes, song lyrics and breached passwords, so a phrase everyone knows (like the examples above) is far weaker than its length suggests; pick something personal and obscure.  But if you have a good lockout policy and, even better, two factor authentication, you can keep security very high and allow users to remember their passwords.
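A policy that enforces this post's advice needs three checks, not one: a length floor with no composition rules, a test that strips the leet-speak and trailing digits off a candidate so p@$$wOrd123 is judged as the word "password", and a denylist of famous phrases so the examples above are refused even though they are long. The lockout counter the post mentions is what makes a merely decent passphrase safe against online guessing. The code below is added here as an illustration and is not EmpowerID's password policy; the word lists are a constructed sample (in production they would be a breach corpus and a quote/lyric list), and the lockout thresholds are assumptions.

```python
import re
import time

MIN_LENGTH = 20   # the post's recommendation: length, and no composition rules

# Common leet substitutions undone before the dictionary check.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def base_word(candidate: str) -> str:
    """Lowercase, drop trailing digits/punctuation, undo leet, keep letters only.
    p@$$wOrd123 -> password; a passphrase collapses to its letters for the denylist."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return re.sub(r"[^a-z]", "", stripped.translate(_LEET))


# Constructed denylists for the example; real ones are far larger.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}
KNOWN_PHRASES = {base_word(p) for p in (
    "franklymydearIdontgiveadamn",
    "Iknowitiswetandthesunisnotsunnybutwecanhavelotsofgoodfunthatisfunny",
    "itwasthebestoftimesitwastheworstoftimes",
    "allinallitisjustanotherbrickinthewall",
)}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = base_word(candidate)
    if word in COMMON_WORDS:
        problems.append(f"is just '{word}' with leet-speak and digits")
    if word in KNOWN_PHRASES:
        problems.append("is a famous quote or lyric; those are in every cracking wordlist")
    return problems


class LockoutPolicy:
    """Lock after `threshold` failures inside `window` seconds, so even a
    guessable passphrase cannot be brute-forced through the login page."""

    def __init__(self, threshold: int = 5, window: int = 15 * 60, now=time.time):
        self.threshold, self.window, self.now = threshold, window, now
        self.failures = {}   # username -> timestamps of recent failures

    def _recent(self, username: str) -> list:
        cutoff = self.now() - self.window
        return [t for t in self.failures.get(username, []) if t > cutoff]

    def is_locked(self, username: str) -> bool:
        return len(self._recent(username)) >= self.threshold

    def record_failure(self, username: str) -> bool:
        """Register a bad attempt; return True if the account is now locked."""
        recent = self._recent(username) + [self.now()]
        self.failures[username] = recent
        return len(recent) >= self.threshold

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)
```

`check_password("p@$$wOrd123")` fails on both length and the de-leeted base word, `check_password("franklymydearIdontgiveadamn")` passes the length test and is still refused as a known phrase, and a private sentence of the same length goes through; the lockout keeps a sliding window per user so a burst of failures locks the account and the lock falls off on its own once the window passes.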

Password resets take up a huge amount of your help desk resources, some estimate one third of all calls are password related.  You cannot compromise security to reduce those calls so you have to do something.  I, of course, recommend self service password reset or federated single sign on with EmpowerID but at a minimum, or even in conjunction with, consider a higher level of password strength.

The best password strength is not always the most complicated....wait, that sentence would make a good password.


Tags: Password management