Password Self-Service: Offsite and Offline

Letting users reset their passwords and unlock accounts by themselves is great. It allows to avoid long interruptions of the working process, reduces load on your IT department and cuts costs and time losses, making your company more efficient. However, usually password self-service is limited just to your corporate network.

Once somebody takes a domain-joined laptop outside your company’s premises, they no longer can reset forgotten passwords. But not with Adaxes. It allows users to use the Adaxes Password Self-Service feature on laptops that are not connected to your company’s domain and it even works with laptops that are offline.

Let’s have a look at a couple real-world scenarios, where it comes in handy.

Offsite Password Self Service

This is Ann. She is a Sales manager in her company. To finish an important presentation over a weekend she takes a domain-joined laptop home. Very typical so far. But then she forgets her password and can’t log in to the computer any more.

Even if she did get to the help desk on the phone, they still couldn’t let her log into the laptop. Without a connection to a domain controller there’s no way the laptop can get the new password from AD. The only password that Windows can use is the one that’s stored in a hashed form on the machine. Which Ann can’t remember.

With Adaxes, however, Ann can reset her password without reconnecting the laptop to a DC. For that she needs to have the Adaxes Password Self-Service Client installed on her computer. It adds a ‘Forgot your password’ link to the Windows logon screen, from which Ann can reset her password by answering security questions and/or entering a code received via SMS or authenticator app, as if she was on-prem.

After the password is reset in AD, Adaxes Password Self-Service Client updates the local credentials cache on Ann’s laptop and allows her to log in with the new password.

Offline Password Self Service

The next time Ann takes a laptop from work on a business trip. She gets to her room in a hotel and realizes that she can’t log in to the computer because she forgot her password. Again. Neither she can connect to the hotel’s Wi-Fi because to do that she needs to log in first.

Here Adaxes comes to the rescue. Again. It allows Ann to reset the password on her offline laptop by using her phone or any other device that has Internet access.

When Ann clicks on the ‘Forgot your password’ link on her Windows logon screen, Adaxes understands that there’s no Internet connection and switches to Offline mode. It gives Ann a request key and a link that she needs to open on her phone. There she needs to undergo a standard Adaxes AD password reset procedure by answering security questions and/or entering a verification code received via SMS or authenticator app like Google Authenticator or Authy.

After that is done, she’ll be given a response key that needs to be entered to the offline laptop alongside the new password. Adaxes then validates the key and updates local credentials cache using the Adaxes Self-Password Reset Client installed on Ann’s computer. Now Ann can log in with her new password.

Security

To provide security during password reset procedures performed away from the corporate network Adaxes uses the asymmetric-key model to provide authentication.

Adaxes Service generates a key pair (2048-bit RSA) and publishes the public key in Active Directory. Self-Service client generates a 1024-bit secret key, encrypts it using the Adaxes public key and publishes the encrypted key in Active Directory. The key can be decrypted back only with the help of the Adaxes private key, which is known exclusively to the Adaxes service.

Self-Service client signs the Request Key with its secret key. The Response Key generated on the server side contains a hash of the new password created during self-password reset. The Response Key is encrypted using the computer's secret key (HMAC SHA-512). Since the secret key is known to the Adaxes service and Self-Service client only, the Response Key can be decrypted back only on the user's computer, and only if it was encrypted by the Adaxes service. To ensure that the new password is the same as the one created during Self Password Reset, hashes of the two passwords are compared.

Adaxes lets you take Password Self-Service a step further and spread it beyond your company’s premises. So, wherever your users take their domain-joined laptops, with Adaxes you can be sure that forgotten passwords won’t be an unsolvable problem any more.

See Also