Password Reset
Account Unlock
Password Expiration
Password Synchronization
Automated Employee Enrollment
Multi-factor authentication
SMS/Text Pin code Authentication
Help Desk PIN Authentication
Multi-domain, multi-forest and multi-organization
Multi-lingual support
Employee Repository Management
Microsoft Active Directory
Password Reset
The FastPass Password Management solution lets employees securely reset a forgotten password without calling the help desk.
- The employee clicks the “Forgotten Password” button at any login screen
- The employee is redirected to an automated self-help web page
- The employee is authenticated with one, two or more factors: challenge/response questions, a one-time PIN code sent to their mobile phone and/or a security card
- Once authentication is complete, the employee is prompted to enter a new password
- The FastPass Password Management solution resets the password in Active Directory in real time, subject to the AD password policy
- The new password is synchronized to all other connected applications, databases and/or operating systems
Account Unlock
The FastPass Password Management solution lets employees securely unlock their accounts without calling the help desk.
- The employee clicks the “Forgotten Password” button at any login screen
- The employee is redirected to an automated self-help web page
- The employee clicks the “Unlock Account” button
- The employee is authenticated with one, two or more factors: challenge/response questions, a one-time PIN code sent to their mobile phone and/or a security card
- The FastPass Password Management solution unlocks the account only if it was locked by the employee's own behaviour (for example too many failed logon attempts). If the account was locked by a system administrator, the employee cannot unlock it.
Password Expiration
If you enforce a 90-day password expiration, employees are exposed to expired passwords. This usually affects employees on maternity leave, educational or recreational leave, or long sick leave; in the educational sector, summer holidays can trigger password expiration problems.
With the FastPass Password Management solution, employees (or students) can reset their password themselves even when it has already expired.
Password Synchronization
One of the core features of the FastPass Password Management solution is password synchronization.
Password synchronization is any process or technology that helps employees maintain a single password, subject to a single security policy, across multiple systems.
Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:
- Employees with synchronized passwords tend to remember their passwords.
- Simpler password management means that employees make significantly fewer password-related calls to the help desk.
- Employees with just one or two passwords are much less likely to write them down.
There are two ways to implement password synchronization:
- Transparent password synchronization, where native password changes that already take place on a common system (for example Active Directory) are automatically propagated through the password management system to other systems and applications.
- Web-based password synchronization, where employees are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords.
The FastPass Password Management solution implements both transparent and web-based password synchronization. Note that a synchronized password is only as well protected as the weakest target system that stores it, so every synchronization target needs password storage and access controls comparable to those of Active Directory.
Password Synchronization Triggers
Password synchronization is triggered by a password change in Active Directory. According to administrator-defined rules, the new password is propagated to the systems that have been made available as synchronization targets.
FastPass currently supplies connectors for:
- Windows
- iSeries (AS/400)
- Linux
- UNIX
- SAP
- Generic *
* A generic connector is available for connecting custom applications. An API and sample code are available.
Automated Employee Enrollment
To facilitate automated employee enrollment, the FastPass Password Management solution includes an auto-discovery engine and a self-service enrollment service.
- Auto-discovery
The FastPass Password Management solution includes an auto-discovery engine, which extracts information about employees and groups.
- The auto-discovery engine extracts a full inventory of login IDs from each target system, nightly.
- The auto-discovery engine extracts a list of all available groups from each target system, nightly.
- For groups that have been designated as "managed", the auto-discovery engine also extracts full group membership from the target systems.
- The auto-discovery engine automatically creates, updates and removes employee profiles in the FastPass Password Management solution, based on the appearance (or disappearance) of employee accounts on the systems that are configured as authoritative sources.
- Auto-reconciliation
Employee objects on different systems are correlated automatically, by matching login IDs or other attributes, to create and update employee profiles.
Login IDs on systems where automatic reconciliation cannot be done reliably are stored in an "inventory" table.
- Employee enrollment
Employees who must register supplementary information, such as personal authentication question-and-answer profiles, are automatically prompted to register and receive automatic reminders until they have successfully enrolled. Invitations are sent by e-mail or SMS/text message. The text of the invitation mails and reminders is defined by the administrator.
Employee enrollment and administration are carried out on a secure web form.
Employees are authenticated, and employee-entered data is protected in transit with HTTPS.
Employees prove possession of accounts by typing ID/password pairs, which are validated against the target systems.
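The nightly auto-discovery and auto-reconciliation steps above amount to a correlation pass over the login IDs extracted from each target system. The following is an added example, not FastPass code, of that pass: accounts on the authoritative system (here assumed to be "AD") create, update and remove profiles; accounts on other systems are correlated first by login ID, then by e-mail address; anything left over lands in the "inventory" table. The systems, login IDs and addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """One login ID as extracted from one target system (constructed sample shape)."""
    system: str
    login_id: str
    email: str = ""


def reconcile(previous_profiles, extracted, authoritative):
    """Correlate tonight's extracted login IDs into employee profiles.

    previous_profiles: profile keys from the last run (used to detect removals)
    extracted: Account objects from every target system's nightly extraction
    authoritative: set of system names whose accounts create/update/remove profiles
    Returns (profiles, inventory, removed).
    """
    profiles = {}
    # 1. Authoritative systems create or update profiles, keyed by lower-cased login ID.
    for acct in extracted:
        if acct.system not in authoritative:
            continue
        key = acct.login_id.lower()
        p = profiles.setdefault(key, {"email": "", "accounts": {}})
        p["accounts"][acct.system] = acct.login_id
        if acct.email:
            p["email"] = acct.email.lower()
    by_email = {p["email"]: key for key, p in profiles.items() if p["email"]}

    # 2. Non-authoritative accounts are correlated by login ID first, then by e-mail.
    inventory = []
    for acct in extracted:
        if acct.system in authoritative:
            continue
        key = acct.login_id.lower()
        if key not in profiles:
            key = by_email.get(acct.email.lower()) if acct.email else None
        if key is None:
            inventory.append(acct)            # the "inventory" table: no reliable owner
        else:
            profiles[key]["accounts"][acct.system] = acct.login_id

    # 3. Profiles whose authoritative account has disappeared are removed.
    removed = sorted(set(previous_profiles) - set(profiles))
    return profiles, inventory, removed


# Constructed sample extraction (not real data).
SAMPLE = [
    Account("AD", "jdoe", "jdoe@example.com"),
    Account("AD", "asmith", "asmith@example.com"),
    Account("SAP", "JDOE"),                              # matches jdoe by login ID (case-insensitive)
    Account("Linux", "smitha", "asmith@example.com"),    # matches asmith by e-mail only
    Account("Linux", "root"),                            # no owner: goes to inventory
    Account("SAP", "BOB", "bob@example.com"),            # no AD account: goes to inventory
]


def run_sample():
    """Previous run knew jdoe, asmith and oldguy; oldguy has since left AD."""
    return reconcile({"jdoe", "asmith", "oldguy"}, SAMPLE, {"AD"})
```

Correlating on an attribute such as e-mail is convenient but has a security cost: whoever can edit that attribute on a target system can get their account linked to someone else's profile, and password synchronization would then push the victim's password into the attacker's account. Correlate only on attributes that users of the target system cannot change themselves, and review the inventory table rather than loosening the matching rules.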
Multi-factor authentication
The FastPass Password Management solution can authenticate end-employees in different ways when they access the solution. For instance, one end-employee can be asked to authenticate with SMS PIN Code and Challenge/Response when executing a Password Reset operation, while another employee can be asked to authenticate with just Challenge/Response for the same operation.
The best-practice advice for authentication in the “Reset Password” operation is to configure four profiles:
- The first profile allows password resets for normal employees from physically secured networks only, using “Challenge/Response” as the only authentication method.
- The second profile allows password resets for high-risk employees from physically secured networks only, requesting first “SMS PIN Code” and then “Challenge/Response”.
- The third profile allows password resets from any network, requesting first “SMS PIN Code” and then “Challenge/Response”.
- The fourth profile allows password resets for any employee from any network, requesting first “Help Desk PIN Code” and then “Challenge/Response”. With this configuration, normal and high-risk employees on secured networks, and employees with a registered mobile number, can reset passwords on their own, while normal employees on untrusted networks and high-risk employees without a registered mobile number can reset their password only after contacting the Help Desk.
The Authentication Profile definition consists of the following attributes:
- Selected Groups: A list of groups allowed to use the profile. An employee accessing the end-employee interface is “filtered in” if he is a member of one or more of the groups in the “Selected Groups” list. This attribute is mandatory.
- Selected Deny Groups: A list of groups that are not allowed to use the profile. An employee accessing the end-employee interface is “filtered out” if he is a member of one or more of the groups in the “Selected Deny Groups” list, even if he is also a member of a group in the “Selected Groups” list. This attribute is mandatory.
- Selected Networks: A list of networks defined under “Network Settings”, used to filter in an employee performing the operation (for example “Enroll Employee”). An employee accessing the end-employee interface is “filtered in” if the IP address known to the web server as REMOTE_ADDRESS falls within one or more of the networks in the “Selected Networks” list. This attribute is mandatory. Note that if the web server sits behind a reverse proxy or load balancer, REMOTE_ADDRESS is the proxy's address rather than the employee's, so the network restriction must then be enforced at the proxy, or the proxy must be trusted to pass through the real client address.
- Selected Authentications: A list of authentication methods to use once the employee has been “filtered in” by the Authentication Profile criteria. An employee accessing the end-employee interface is prompted to authenticate by the listed methods, in the listed order.
For the “Reset Password” operation the available authentication methods are:
- Challenge/Response
- Help Desk PIN Code
- SMS PIN Code
If Challenge/Response is selected, the employee must have enrolled in the Password Manager solution for the profile to be applicable to that employee. If SMS PIN Code is selected, the employee must have a well-formatted mobile number in the “mobile” attribute in Microsoft Active Directory. If this is not the case, the Authentication Profile is not applicable to the employee.
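Putting the profile attributes and the per-method preconditions together gives a small selection algorithm: evaluate profiles in configured order, let deny groups override allow groups, match the web server's REMOTE_ADDRESS against the selected networks, and skip any profile containing a method the employee cannot use. The following is an added example (not FastPass code) that encodes the four best-practice profiles above; the group names, network ranges and the assumption that a "well-formatted" mobile number means E.164 are made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption for this example: a "well-formatted" mobile number is E.164 (+ and 7-15 digits).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class Employee:
    login_id: str
    groups: frozenset
    enrolled: bool          # has registered Challenge/Response answers
    mobile: str = ""        # AD "mobile" attribute
    remote_addr: str = ""   # REMOTE_ADDRESS as seen by the web server


@dataclass
class Profile:
    name: str
    selected_groups: frozenset
    deny_groups: frozenset
    networks: tuple         # CIDR strings from "Network Settings"
    methods: tuple          # authentication methods, in prompting order


def method_applicable(method, emp):
    """Per-method preconditions stated in the text."""
    if method == "Challenge/Response":
        return emp.enrolled
    if method == "SMS PIN Code":
        return bool(E164.match(emp.mobile))
    if method == "Help Desk PIN Code":
        return True                      # delivered out of band by the help desk
    return False                         # unknown method never matches


def profile_matches(profile, emp):
    if emp.groups & profile.deny_groups:          # deny wins even over an allow match
        return False
    if not emp.groups & profile.selected_groups:
        return False
    addr = ipaddress.ip_address(emp.remote_addr)
    if not any(addr in ipaddress.ip_network(n) for n in profile.networks):
        return False
    return all(method_applicable(m, emp) for m in profile.methods)


def select_profile(profiles, emp):
    """First matching profile in configured order, or None (self-service refused)."""
    for p in profiles:
        if profile_matches(p, emp):
            return p
    return None


INTERNAL = ("10.0.0.0/8", "192.168.0.0/16")    # made-up "physically secured" networks
ANY = ("0.0.0.0/0", "::/0")

# The four best-practice profiles from the text, with made-up group names.
PROFILES = (
    Profile("internal-normal", frozenset({"Domain Users"}), frozenset({"High Risk"}),
            INTERNAL, ("Challenge/Response",)),
    Profile("internal-high-risk", frozenset({"High Risk"}), frozenset(),
            INTERNAL, ("SMS PIN Code", "Challenge/Response")),
    Profile("any-network-sms", frozenset({"Domain Users"}), frozenset(),
            ANY, ("SMS PIN Code", "Challenge/Response")),
    Profile("any-network-helpdesk", frozenset({"Domain Users"}), frozenset(),
            ANY, ("Help Desk PIN Code", "Challenge/Response")),
)


def reset_methods_for(emp):
    """Return (profile name, ordered methods) for a Reset Password request, or None."""
    p = select_profile(PROFILES, emp)
    return (p.name, list(p.methods)) if p else None
```

The ordering matters: because the "any network" profiles come last, an internal high-risk employee is never silently downgraded to the normal-employee profile, and an employee who has not enrolled gets no profile at all. The remote address must be the one the web server itself observed; do not substitute a client-supplied header such as X-Forwarded-For unless the proxy that sets it is trusted and unreachable by the employee.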
SMS/Text Pin code Authentication
The SMS PIN Code Authentication Settings page shows and edits the settings for the SMS PIN Code authentication method used in the Password Manager solution.
With the SMS PIN Code authentication method the system generates a PIN code, sends it to an SMS-capable device registered as belonging to the employee, and then asks the employee for the PIN code; the employee must answer correctly before being considered authenticated.
The Password Manager solution implements the SMS PIN Code authentication method by reading the “mobile” attribute of the employee from AD and using it as the target when sending a PIN code generated according to the rules specified in the configuration.
There are a number of configurable parameters for the SMS PIN Code authentication method:
- SMS PIN Code length: The length of a generated PIN code.
- SMS PIN Code Grouping length: The length of each group of characters when the PIN code is sent, e.g. if set to 2 and the PIN code length is 6, the employee receives a PIN code that looks like ## ## ## but still has to enter it as ######.
- SMS PIN Code Characters: The characters used in PIN codes. By default this value is 1234567890, but it can be extended to a value like 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ or any other set of characters that is considered reasonable. Together with the PIN code length, this determines how many possible PIN codes an attacker has to guess from.
- Max. failed: How many attempts an employee gets before being locked out of the Password Manager solution. If an employee gets locked out, the only way to be unlocked is to receive and use a Help Desk PIN for enrollment. This limit, together with the PIN code length and character set, bounds the probability that an attacker guesses a live PIN code.
- PIN Authentication Timeout: How long (in minutes) an SMS PIN code remains valid.
The SMS PIN Code authentication method relies on a configured SMS Gateway to be functional.
Help Desk PIN Authentication
The Help Desk PIN Code Authentication Settings page shows and edits the settings for the Help Desk PIN Code authentication method used in the Password Manager solution.
With the Help Desk PIN Code authentication method the system generates a PIN code that the Help Desk can provide to the employee either verbally or by SMS to an SMS-capable device registered as belonging to the employee; the system then asks the employee for the PIN code, and the employee must answer correctly before being considered authenticated.
The Password Manager solution implements the Help Desk PIN Code authentication method by reading the “mobile” attribute of the employee from AD and using it as the target when sending a randomly generated PIN code according to the rules specified in the configuration. Because a Help Desk PIN stands in for the employee's other factors, the help desk must verify the caller's identity by an independent means before issuing one; a PIN read out over the phone is only as strong as that verification.
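The SMS PIN Code and Help Desk PIN Code methods share the same mechanics: a random code drawn from a configured character set, formatted into groups for delivery, valid for a limited time, accepted once, and subject to a maximum number of failed attempts after which the employee is locked out. The following is an added example (not FastPass code) of one authenticator that serves both methods; only the delivery step differs (SMS gateway versus a help desk operator reading the code out), and that step is left to the caller. The default policy values are taken from the parameters described above, except the concrete numbers, which are assumed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PinPolicy:
    """The configurable parameters from the text; the concrete defaults are assumed."""
    length: int = 6
    grouping: int = 2                  # characters per group in the delivered text; 0 = ungrouped
    characters: str = "1234567890"
    max_failed: int = 3
    timeout_minutes: int = 10


@dataclass
class Challenge:
    pin: str
    issued_at: float
    failed: int = 0


class PinAuthenticator:
    """One-time PIN issuance and verification for the SMS PIN and Help Desk PIN methods."""

    def __init__(self, policy, now=time.time):
        self.policy = policy
        self.now = now                 # injectable clock, so expiry can be tested
        self.challenges = {}           # login_id -> Challenge
        self.locked = set()            # login_ids that exhausted max_failed

    def issue(self, login_id):
        """Generate a fresh PIN with a CSPRNG; the caller delivers it (SMS gateway or help desk call)."""
        if login_id in self.locked:
            raise PermissionError("locked out; requires Help Desk PIN re-enrollment")
        pin = "".join(secrets.choice(self.policy.characters) for _ in range(self.policy.length))
        self.challenges[login_id] = Challenge(pin, self.now())    # replaces any earlier PIN
        return pin

    def format_for_sms(self, pin):
        """Insert the grouping spaces, e.g. 123456 -> '12 34 56'."""
        g = self.policy.grouping
        if g <= 0:
            return pin
        return " ".join(pin[i:i + g] for i in range(0, len(pin), g))

    def verify(self, login_id, answer):
        if login_id in self.locked:
            return False
        ch = self.challenges.get(login_id)
        if ch is None:
            return False
        if self.now() - ch.issued_at > self.policy.timeout_minutes * 60:
            del self.challenges[login_id]                           # expired: force a new PIN
            return False
        candidate = answer.replace(" ", "")                         # employee may retype the groups
        if self.policy.characters == self.policy.characters.upper():
            candidate = candidate.upper()                           # forgive lower-case typing
        if hmac.compare_digest(candidate.encode(), ch.pin.encode()):
            del self.challenges[login_id]                           # single use
            return True
        ch.failed += 1
        if ch.failed >= self.policy.max_failed:
            self.locked.add(login_id)
            del self.challenges[login_id]
        return False


def online_guess_probability(policy):
    """Chance that an attacker guesses a live PIN within the allowed attempts."""
    return policy.max_failed / len(policy.characters) ** policy.length
```

With the assumed defaults the online guessing probability is 3 in a million per issued PIN; widening the character set or the length lowers it further, while raising Max. failed raises it linearly. The timeout and single-use rule limit how long a PIN intercepted from the SMS channel remains useful.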
Configurable Challenge/Response
The Challenge/Response Settings page shows and edits the settings for the Challenge/Response authentication method used in the Password Manager solution. With the Challenge/Response authentication method the system asks the employee for the answers to one or more questions, and the employee must answer all of them correctly before being considered authenticated.
The Password Manager solution implements the Challenge/Response authentication method by offering a number of questions from which employees select and give their answers. This happens as part of the “Enroll Employee” and “Enroll Employee (Help Desk PIN)” operations.
There are a number of configurable parameters for the Challenge/Response authentication method:
- # Challenges for enrollment: How many questions the employee must select and answer during enrollment.
- # Challenges for authentication: How many of the registered questions the employee is asked to answer during authentication. This number must be less than or equal to the number of registered questions, and all answers must be given exactly as they were registered.
- Max. Failed: How many attempts an employee gets before being locked out of the Password Manager solution. If an employee gets locked out, the only way to be unlocked is to receive and use a Help Desk PIN for enrollment.
- Min. answer length: The minimum length of an answer given at registration time.
- Max. answer length: The maximum length of an answer given at registration time.
- Storage Mode: How answers are stored in the Password Manager data repository. The options are:
- Hashed: A non-reversible method that stores an MD5 hash of the answer. Because answers are short and guessable and MD5 is fast to compute, such hashes are easily brute-forced; this mode is not considered secure and should only be used if the answers must be used in integrations with other systems.
- Encrypted: A reversible method that encrypts the answer. This is considered secure but should only be used if reversibility is actually needed.
- Combined: A non-reversible method combining the Hashed and the Encrypted methods. This is the recommended (default) value.
At authentication time the Password Manager solution uses a fallback mechanism: it inspects how the registered answers were stored before validating the given answers. Changing the Storage Mode therefore has no consequences for already enrolled employees.
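The storage-mode fallback described above works because each stored answer carries its own mode, so verification dispatches on the record rather than on the current setting. The following is an added example (not FastPass code) that models that dispatch, the enrollment and authentication parameters, and the lockout rule. It models the page's "Hashed" mode as unsalted MD5 and contrasts it with a salted PBKDF2 mode of the example's own; the "Encrypted" and "Combined" modes are not modelled. The policy numbers and the list of common answers are assumed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000    # PBKDF2 work factor for the salted mode (assumed value)


class CrPolicy:
    """Challenge/Response parameters from the text; the concrete numbers are assumed."""
    challenges_for_enrollment = 3
    challenges_for_auth = 2
    max_failed = 3
    min_answer_len = 3
    max_answer_len = 40
    storage_mode = "salted"      # "md5" models the page's Hashed mode (unsalted MD5)


def store_answer(answer, mode):
    """Each record carries its own mode, so verification can dispatch on how it was stored."""
    if mode == "md5":
        return {"mode": "md5", "digest": hashlib.md5(answer.encode()).digest()}
    if mode == "salted":
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, ITERATIONS)
        return {"mode": "salted", "salt": salt, "digest": dk}
    raise ValueError(mode)


def verify_answer(record, answer):
    """Exact-match comparison, as the text requires, in constant time."""
    if record["mode"] == "md5":
        digest = hashlib.md5(answer.encode()).digest()
    elif record["mode"] == "salted":
        digest = hashlib.pbkdf2_hmac("sha256", answer.encode(), record["salt"], ITERATIONS)
    else:
        raise ValueError(record["mode"])
    return hmac.compare_digest(digest, record["digest"])


def enroll(policy, question_answers):
    """question_answers: list of (question, answer) chosen by the employee."""
    if len(question_answers) != policy.challenges_for_enrollment:
        raise ValueError("wrong number of challenges")
    for _, a in question_answers:
        if not policy.min_answer_len <= len(a) <= policy.max_answer_len:
            raise ValueError("answer length out of range")
    return {q: store_answer(a, policy.storage_mode) for q, a in question_answers}


def pick_challenges(policy, profile):
    """Randomly choose which registered questions to ask (never more than are registered)."""
    n = min(policy.challenges_for_auth, len(profile))
    return secrets.SystemRandom().sample(sorted(profile), n)


def authenticate(policy, profile, answers, state):
    """answers: {question: answer} for the asked questions; state: {"failed": n, "locked": bool}."""
    if state["locked"]:
        return False
    need = min(policy.challenges_for_auth, len(profile))
    ok = len(answers) >= need and all(
        q in profile and verify_answer(profile[q], a) for q, a in answers.items()
    )
    if ok:
        state["failed"] = 0
        return True
    state["failed"] += 1
    if state["failed"] >= policy.max_failed:
        state["locked"] = True           # only a Help Desk PIN re-enrollment clears this
    return False


def precomputed_table_attack(record, table):
    """Offline attack on a stolen record: unsalted MD5 is a table lookup; salted records are not."""
    if record["mode"] == "md5":
        return table.get(record["digest"])
    return None


# Constructed list of typical answers an attacker would precompute (not real data).
COMMON_ANSWERS = ["fido", "rex", "smith", "london", "paris", "toyota", "blue"]
MD5_TABLE = {hashlib.md5(w.encode()).digest(): w for w in COMMON_ANSWERS}
```

One precomputed MD5 table recovers the answers of every employee who chose a common value, which is why a fast unsalted hash is a poor fit for this data even though it is "non-reversible". The salted, iterated mode forces a separate brute-force run per record, and the lockout counter caps online guessing regardless of storage mode.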
Multi-domain, multi-forest and multi-organization
The FastPass Password Management solution supports large Active Directory environments, including multiple organizations. Multi-organization support is implemented hierarchically, so that sub-organizations can be created at any number of levels, each with its own settings, while remaining easy to manage for Password Manager Administrators.
Most installations will only use one organization. Service providers, outsourcing companies and the like need the multi-organization feature.
The Organization Main page in the Administration Client contains a “Sub Organizations” table listing all organizations defined directly below the currently selected organization. The Organization definition consists of the following attributes:
- Name: The name used throughout the Password Manager solution (e.g. in the Self-Service Client's default layout it is shown in the upper left corner of the content area).
- Type: The type of the organization is either “Master Organization” or “Sub Organization”. Currently there is no difference between the two types, but future versions will differentiate administrative access and license handling.
- Description: A description of the Organization.
- Max. Domains: A limit on how many Employee Repositories can be created directly under the organization. Note that this setting can be overridden by the license file.
- Max. Employees: A limit on how many employees can be discovered in all Employee Repositories directly under the organization. Note that this setting can be overridden by the license file.
Multi-lingual support
All text presented to the employee, including the “Forgot Password” button at the logon prompt, is available in multiple languages in real time. Texts are displayed in the language configured in the employee's browser. If the selected language is not available, the default language is English.
The FastPass Password Management solution supports the following eight languages:
- English
- French
- German
- Spanish
- Danish
- Dutch
- Norwegian
- Swedish
Additional languages are easy to add and will be added on request.
Employee Repository Management
The FastPass Password Management solution uses the term “Employee Repository” to describe the target systems of employee and password operations. Examples of Employee Repositories are Microsoft Active Directory, SAP, IBM iSeries (AS/400), LDAP, Microsoft SQL Server and Oracle. The Password Manager solution currently supports Microsoft Active Directory as the primary source system; target systems of types other than Microsoft Active Directory are only supported if the Password Sync component version 3.1.7 or higher is also installed on the Password Manager server.
Microsoft Active Directory
Integrating Microsoft Active Directory requires two types of information: the Connection Settings and the Security Settings. The Connection Settings define how to access the Microsoft Active Directory infrastructure, and the Security Settings define which Active Directory groups are used in the remaining configuration. The Security Settings can also be viewed as the access control for the Password Manager end-employee interfaces with respect to accounts in the domain reached through the Employee Repository configuration. Since that domain is reachable from a self-service web interface, the account used in the Connection Settings should hold only the delegated rights it needs (such as resetting passwords and unlocking accounts in the relevant organizational units) rather than domain-wide administrative rights.