Password Reset Portal Verification Policies

One of the additional Passwordstate modules that can be implemented is our Password Reset Portal.  This is an annual subscription-based module that allows your users to unlock, or reset the password for, their Active Directory account.  It’s specifically designed to help empower your staff, allowing them to reset or unlock their account when they need to, not just during your Service Desk hours. 

A typical organization experiences between 30% to 50% of Service Desk calls related to Password Resets!  This represents an unnecessary distraction for your support staff, having to deal with highly repetitive low value activities.  And by manually servicing these requests you’re wasting your already tight budgets on activities that are unnecessary.  So why would you want to keep handling these manually?

Are Users Really Who They Claim to Be?

One plausible line of thought is security.  Or more importantly, is the user wanting to change their password / reset their account the actual user that owns that account?  That’s a really good line of thought! 

But how many organizations really have a process that verifies the identity of the user?  I can tell you from experience that a high percentage of organizations rely on something like the approaches below (one or more, progressing from top to bottom):

  1. Ask the Service Centre to confirm your identity (when you’re on the phone requesting the reset)
  2. Ask them predefined questions like what’s your Mother’s Maiden Name? What School did you go to? etc.
  3. Ask them for their HR issued employee ID
  4. Call them back on a listed phone number (or even better, one that’s not listed)
  5. Get the user’s line Manager to confirm their request (by phone or email)

Can you see the major problems here?  The first, depending on how far down the list the organization goes, is that there is little understanding of the value of Internal Customer Service.  The second is that none of these approaches actually verifies the user is who they say they are!

To be close to 100% sure, that they are who they say they are, you need a 2FA (two-factor authentication) style process.  This could be a manual process, if you’re not concerned about the customer service angle.  Or, it could be an automated process that uses more than their User Name and Password and doesn’t use information that can be easily discovered via social channels.

Verify Who You Are!

Passwordstate’s Password Reset Portal uses the concept of Verification Policies to securely “identify” your users. Verification Policies are used when a user first enrolls to use the portal, and also when resetting their AD password or unlocking their account.  The principle is based on the 2-factor authentication discussed above.  To access the Verification Policies, you’ll need to install the Password Reset Portal, be licensed for use with either a valid subscription key or a trial license and navigate to Administration->Password Reset Portal Administration->Verification Policies.

Click Studios provides 9 different policies, each based on an industry standard 2FA authentication method, and you can apply different policies to different sets of users.  More detail is available here and the summary of the authentication options is shown below:

  • Duo Push Authentication
  • Email Temporary Pin Code
  • Google Authenticator
  • One-Time Password (based on the TOTP and HOTP standards)
  • PIN Number (with configurable length)
  • Questions and Answers
  • RADIUS Authentication
  • RSA SecurID Authentication
  • SAML 2 Authentication

Let’s use an Example!

So let’s use an example.  We have a fictitious employee with a User Account of bdick (based on the lead singer of one of the best bands in the world).  This user has previously been enrolled to use the Email Temporary PIN Code Verification Policy.

A personal email address has been specified for sending the email containing the Temporary PIN Code.

When this user accidentally locks out their AD account or needs to reset their AD Password they simply browse to the URL of your Password Reset Portal.  This URL is configured under Administration->Password Reset Portal Administration->System Settings->miscellaneous.  On browsing to this URL they are presented with Step 1: Identify.

The user needs to enter their Username and then click on NEXT.  The Temporary Pin Code is then emailed through to their nominated email address.

Note the Temporary Pin Code is 5 characters long and only valid for 3 minutes in this example.  Both of these settings are configurable in the Verification Policy under Email Temporary Pin Code Settings, Pin Code Length and Pin Code Expires in Minute(s).  The screen now changes to Step 2: Verify.  Here the user enters the Temporary Pin Code from the email in the Temp Pin Number field and then clicks NEXT.  Note the user is advised that the Pin expires in the amount of time specified in the email, in this case 3 minutes.

Once they have been verified they are taken to Step 3: Reset Password.  Here they are provided with the ability to set a New Password, Confirm Password and then RESET their AD password.

Once the password has been reset the user is prompted with a Password Reset Complete screen.
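The three-step flow above (issue a short-lived PIN, verify it, then allow the reset) is easiest to reason about as server-side state.  The following is an added example that models that state; it is not Passwordstate code and the record layout, the numeric PIN alphabet and the three-attempt limit are assumptions made for the illustration.  The 5-character length and 3-minute expiry mirror the settings shown in the example above.  A clock parameter is injected so the expiry rule can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Defaults mirror the post's example (5 characters, 3 minutes); the digit-only
# alphabet and attempt cap are assumptions for this illustration.
PIN_ALPHABET = string.digits
PIN_LENGTH = 5
PIN_EXPIRES_MINUTES = 3
MAX_ATTEMPTS = 3


@dataclass
class PendingVerification:
    """Hypothetical server-side record for one issued Temporary PIN."""
    username: str
    pin_hash: str           # only a salted hash is kept; the plaintext goes in the e-mail
    salt: bytes
    expires_at: float       # UNIX time after which the PIN is rejected
    attempts: int = 0
    used: bool = False


def _hash_pin(pin: str, salt: bytes) -> str:
    # Slow hash so a leaked table of pending PINs cannot be brute-forced offline cheaply
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000).hex()


def issue_pin(username: str, now: Optional[float] = None) -> Tuple[PendingVerification, str]:
    """Step 1 (Identify): mint a CSPRNG PIN, store its hash, return the plaintext for e-mailing."""
    now = time.time() if now is None else now
    pin = "".join(secrets.choice(PIN_ALPHABET) for _ in range(PIN_LENGTH))
    salt = secrets.token_bytes(16)
    record = PendingVerification(
        username=username,
        pin_hash=_hash_pin(pin, salt),
        salt=salt,
        expires_at=now + PIN_EXPIRES_MINUTES * 60,
    )
    return record, pin


def verify_pin(record: PendingVerification, submitted: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
    """Step 2 (Verify): single use, before expiry, within the attempt budget, constant-time compare."""
    now = time.time() if now is None else now
    if record.used:
        return False, "pin already used"
    if now > record.expires_at:
        return False, "pin expired"
    if record.attempts >= MAX_ATTEMPTS:
        return False, "too many attempts"
    record.attempts += 1
    if hmac.compare_digest(_hash_pin(submitted, record.salt), record.pin_hash):
        record.used = True          # Step 3 (Reset Password) may now proceed exactly once
        return True, "verified"
    return False, "pin mismatch"


if __name__ == "__main__":
    rec, pin = issue_pin("bdick")
    print("e-mail this PIN:", pin)
    print(verify_pin(rec, pin))
```

The attempt cap matters as much as the expiry: a 5-digit code has only 100,000 values, so without it an attacker who can submit guesses freely for three minutes has a real chance of landing on the right one.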

What if users are in multiple Verification Policies?

If you apply Verification Policies based on Security Group membership and users are in multiple Security Groups you may find the intended Verification Policy is not applying correctly.  This is because policies higher in the policy grid are being ignored and a lower Verification Policy in the grid has precedence. 

To diagnose this, click on the Users in Multiple Policies to identify which policies are applying to them.  You then need to reorder the correct Verification Policy to be lower in the grid.  This can be done by dragging that policy lower in the grid using the order handle.
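The precedence rule above (the lowest matching row in the grid wins) is simple but easy to get wrong when a user sits in several Security Groups.  The following is an added example, not Passwordstate code, that models a small grid and a few users to show which policy takes effect, which users the Users in Multiple Policies view would surface, and what reordering a row changes.  The policy rows, group names and usernames are constructed for the illustration.

```python
from typing import Dict, List, Optional, Set

# Constructed sample grid, listed top to bottom as the Verification Policies
# grid would show it. Group names and memberships are made up.
POLICY_GRID = [
    {"name": "Email Temporary Pin Code", "groups": {"All Staff"}},
    {"name": "Google Authenticator",     "groups": {"IT Staff"}},
    {"name": "Duo Push Authentication",  "groups": {"Finance", "Executives"}},
]

USER_GROUPS: Dict[str, Set[str]] = {
    "bdick":  {"All Staff"},
    "jsmith": {"All Staff", "IT Staff"},
    "akhan":  {"All Staff", "IT Staff", "Finance"},
}


def matching_policies(grid: List[dict], groups: Set[str]) -> List[str]:
    """Every policy whose groups intersect the user's groups, in grid order (top first)."""
    return [p["name"] for p in grid if p["groups"] & groups]


def effective_policy(grid: List[dict], groups: Set[str]) -> Optional[str]:
    """The policy that actually applies: rows higher up are ignored, the lowest match wins."""
    matches = matching_policies(grid, groups)
    return matches[-1] if matches else None


def users_in_multiple_policies(grid: List[dict],
                               user_groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Users matched by more than one row, i.e. what the diagnostic view would list."""
    result = {}
    for user, groups in user_groups.items():
        matches = matching_policies(grid, groups)
        if len(matches) > 1:
            result[user] = matches
    return result


def move_policy_below(grid: List[dict], name: str, below: str) -> List[dict]:
    """Return a new grid with `name` dragged to sit immediately after `below`."""
    moving = next(p for p in grid if p["name"] == name)
    reordered = [p for p in grid if p["name"] != name]
    idx = next(i for i, p in enumerate(reordered) if p["name"] == below)
    reordered.insert(idx + 1, moving)
    return reordered


if __name__ == "__main__":
    for user, groups in USER_GROUPS.items():
        print(user, "->", effective_policy(POLICY_GRID, groups))
    print("users in multiple policies:", users_in_multiple_policies(POLICY_GRID, USER_GROUPS))
```

In the sample grid every user is in All Staff, so the Email Temporary Pin Code row at the top is overridden for anyone who also matches a lower row.  If IT staff were meant to use Google Authenticator regardless of their other memberships, that row has to be dragged below Duo Push Authentication, as the reorder helper shows.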

By implementing the Passwordstate Password Reset Portal, you improve your customer service and, more importantly, introduce a repeatable and foolproof two-factor authentication system that verifies the user is who they say they are.  Improving customer service and the security associated with password resets while reducing costs!  That has to be considered a win-win!   Got feedback? We’d love to hear it via