Active Directory Password Self-Service

Adaxes Password Self-Service solves one of the most common problems for any organization: forgotten passwords and locked accounts. Instead of calling the help desk and going through a frustrating password reset procedure on the phone, which can take a lot of time, be unreliable and prone to mistakes and exploits, Adaxes allows users to reset their own passwords by themselves without any intervention from the IT staff whatsoever.

Having Password Self-Service in place significantly reduces the downtime caused by users being locked out while waiting for their passwords to be reset for them. In addition, you cut down the time your IT staff spends resetting passwords for users instead of doing something more productive.

How It Works

Once users find themselves with a forgotten password, all they need to do is follow a simple user-friendly procedure. After clicking the Reset Password link provided by Adaxes, they need to verify their identity by:

answering security questions,

entering a security code sent to them by SMS,

using an authenticator app (Google Authenticator, Authy, Okta Verify and others) on their mobile device.

Any combination of these authentication methods can be used to enable multi-factor authentication and require users to provide more than one form of identification. After the identity is verified, users can unlock their account, reset their password, log in and finally start working. As simple as that!

Users can launch the self-password reset procedure either straight from the Windows logon screen on their machines or via the Web Interface using a browser on any device, for example their phones. The password self-service link can also be integrated into your own portals or applications, so that users can start the procedure from there.

Enrollment

If you enable the Q&A option for identity verification, users need to provide their answers to security questions during a one-time enrollment procedure before they can use password self-service. If an authenticator app is used as an authentication method, users need to install and activate the app on their mobile device. To make sure that all users are on board with it, Adaxes can regularly send them email reminders, show enrollment invitation balloons in the Windows notification area, display a pop-up every time users log in to the Web Interface, etc.

Adaxes also supports auto-enrolling users for password self-service in bulk. This is useful if you already store user-specific information that can serve as answers to security questions, such as SSNs, IDs, places of birth, etc. Auto-enrollment can also run automatically on a regular basis, so that all users, including new ones, are always covered.

How to autoenroll users for self-password reset

Offline and Offsite

Adaxes Self-Password Reset allows users to reset their passwords even when they are not on the corporate network. For example, when users take domain-connected laptops home or on a business trip and forget their password, they would normally be locked out of their machines until they come back, even if somebody from the help desk resets their password in AD. With Adaxes, users can simply go through the same password self-service procedure and log in to the laptop with their new password. No VPN or other additional means are required.

For more information about how the offsite and offline password self-service works, check out this article.

Security

For password self-service it’s important to find the right balance between maximizing security and maintaining ease of use for your users. Adaxes lets you find that balance for every group of users, as it allows applying different policies to different users, so that stricter password reset procedures apply to more security-sensitive accounts. For example, members of the IT staff or executives can be required to answer more security questions than regular users, have two-factor verification enforced and be allowed fewer failed attempts.

How to configure password self-service

By default, after a certain number of failed attempts, Adaxes automatically blocks access to password self-service for a specific period of time. This way, brute-force attacks and other suspicious activity are stopped straight away.

After a password is successfully reset using the self-service procedure, the user receives an email notification about it. If they did not initiate the reset themselves, they can contact the IT department so that appropriate measures are taken immediately.

To add another layer of security to the password self-service process, you can add an approval step to it. After a user successfully goes through identity verification, the password is only reset once approval has been granted. The list of approvers can include members of the IT staff, the user’s manager, their colleagues, etc.

How to request approval for self-password reset

Monitoring

Adaxes provides monitoring capabilities, which means that administrators can always keep an eye on things like enrollment progress, successful and failed self-password reset attempts, etc. With this approach, any problems that come up can be easily identified and dealt with. For example, if a certain policy results in many failed password reset attempts, administrators might need to make that policy less strict.

With password self-service in place you can take a lot of frustration out of your environment and make password resets more reliable and available to everyone, everywhere and at any time. As a result, you save your organization resources, in terms of both time and money, that would otherwise be wasted.
