Specops Authentication: What We Added in H2 2023
Support for Kerberos Integrated Authentication, Improved Fatigue Attack Prevention, New Identity Service & More
Specops Authentication is our platform that secures self-service key recovery and password resets, changes and account unlocks with multi-factor authentication (MFA), via self-service and/or at the IT service desk. The platform powers products like Specops uReset, Specops Secure Service Desk and Specops Key Recovery.
We have released a lot for our Specops Authentication platform since our last round-up of the first half of 2023. We’ve added new identity service options for MFA, MFA fatigue attack improvements, support for Kerberos integrated authentication, an extended use case for Specops uReset, and more.
Let’s take a look at some highlights.
Support for Kerberos Integrated Authentication
Kerberos integrated authentication is now the default configuration for all new customers setting up the Windows Identity Service as an MFA factor within a Specops Authentication product.
While the Windows Identity Service isn’t applicable for authenticating a user who isn’t logged in and can’t remember their password, the ID service can be helpful in other authentication use cases:
- Helpdesk agent logging in to Specops Secure Service Desk
- End users unlocking computers encrypted or managed by Symantec Endpoint Encryption or Microsoft BitLocker with Specops Key Recovery
- Admins logging into the Specops Authentication web portal to manage MFA policies or system-wide configurations
This new support is well-timed as Microsoft announced plans in October to eliminate NTLM in Windows 11.
Configuring Kerberos integrated authentication for the user will automatically authenticate the user with Windows Identity, and grant the Windows Identity authentication token. Customers can find configuration steps here.
Extended Use Case for Specops uReset – Unlock accounts that have the “cannot change password” AD attribute enabled
Specops uReset customers can now allow users whose accounts have the “cannot change password” attribute enabled to self-unlock their AD accounts. Users can now self-unlock their AD accounts with Specops uReset whether “cannot change password” is enabled or disabled.
Customers with end users on shared devices or whose passwords are managed by another service may find this especially useful.
No extra configuration is needed: users with an enabled “cannot change password” attribute need only be covered by a Group Policy containing uReset.
More MFA Fatigue Attack Improvements
With many organizations interested in increasing defenses against MFA fatigue attacks (“MFA prompt bombing”), our team continues to improve options for customers looking to carry these defenses to Specops Authentication.
QR code and number challenge for Specops Fingerprint
Customers can now better defend against MFA fatigue or push spam attacks with Specops Fingerprint.

Specops Fingerprint now supports adding QR code and number challenges to the authentication process for the Fingerprint app as an Identity Service in any Specops Authentication product. Specops Fingerprint users can find configuration steps here.
Identity Service Additions & Improvements
Specops Authentication customers saw two additions in the second half of the year.
Support for multiple push devices for Okta
Specops Authentication now supports sending push notifications to multiple devices registered with Okta.
Customers using the Okta identity service can read more on setting this up for Specops Authentication products here.
And more
These were just some highlights of improvements and features we added to the Specops Authentication platform since our last round-up. To review everything we added, check out the release notes.
Want to see how some of these features could work for your organization? Contact us.
(Last updated on January 9, 2024)