The content here is intended for uReset customers using the Authentication Gatekeeper (version 8.0 or later). uReset customers using the uReset Gatekeeper (version 7.12 or earlier) can find their relevant documentation here.
Specops uReset leverages the claims-based identity model to provide flexible multi-factor authentication to strengthen password reset security, while minimizing impact on end-users. The solution extends uReset functionality with additional languages, Gatekeeper redundancy, as well as the ability to extend enrollments to the Office 365 login, if the O365 feature is enabled.
Password reset is the process of changing a forgotten password. A password reset can be performed by a user who has verified their identity using multi-factor authentication. The user resets their password through the uReset web application, which can be accessed from any modern web browser, including mobile phone browsers.
Specops uReset goes beyond two-factor authentication by supporting a broad range of identity services that can be used to increase password reset security and flexibility. The solution not only supports common authenticators, such as questions and answers, and mobile verification codes, but also various digital identity services ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), in addition to higher trust methods such as Smart Cards. The helpdesk can also use multifactor authentication when assisting users with account unlock and/or password reset, by requiring them to use their enrolled identity services to verify their identity.
IT administrators can select, based on role and security policy, which identity services/authenticators they want to extend to end-users to verify their identity when resetting or unlocking their accounts. Such flexibility can ensure that varying security and flexibility needs are met. For example:
- For users that have a low-level security clearance, but a high flexibility need, such as students, IT admins can allow them to authenticate with a few personal identity services such as their Google and Facebook ID.
- For users that have a higher-level security clearance, such as financial aid administrators or senior-level executives, IT admins can assign policies that enforce a higher number, or a stronger combination, of identity services. This approach gives administrators the flexibility to enforce policies that translate to greater security and efficiency.
Identity services enable users to securely identify themselves when signing in. Identity services fall into multiple categories, including: username and password, social (Facebook, LinkedIn, Tumblr), and higher trust (Google Authenticator, Microsoft Authenticator, Duo Security).
To use an identity service to authenticate users, the identity service must be configured (enabled) in the administration console, and the user affected by the uReset policy must enroll in the uReset service. Once a user has enrolled, they can reset their password using the uReset Web Application (via a hyperlink on the login screen, or from any modern browser). Specops uReset reads and writes the information it needs on user objects in Active Directory.
The following identity services can be used to authenticate users in Specops uReset:
Identity services included in the uReset Hybrid Edition
- Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smartphones and tablets. Users press their finger to the fingerprint scanner on their device to identify themselves. Users can also authenticate with Face ID if they own an iPhone X or later.
- Specops Authenticator: Specops Authenticator is a two-step verification service. Users can download the Specops Authenticator app on their mobile phone and link it to the email address associated with their Office 365 account, by scanning a QR code. Specops Authenticator then provides users with a six-digit one-time security token, that must be entered in order to successfully authenticate.
- Mobile Code (SMS): If users choose to enroll with Mobile Code, they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate.
- Secret Questions: Users select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. This identity service is fully configurable. Administrators can determine:
  - How many questions a user must answer.
  - The number of failed attempts a user can make before being locked out.
  - How long a user is locked out for.
  - The minimum character length per answer.
  - The language of the questions.
- Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users.
Identity services included in the uReset Third-Party Authentication package
- Google Authenticator: Google Authenticator is a two-step verification service. Users can download the Google Authenticator app on their mobile phone and link it to the email address of their Office 365 account, by scanning a QR code. Google Authenticator then provides users with a six-to-eight-digit one-time security token, which must be entered in order to successfully authenticate.
- Microsoft Authenticator: Microsoft Authenticator is a two-step verification service. Users can download the Microsoft Authenticator app on their mobile phone and link it to the email address associated with their Office 365 account, by scanning a QR code. Microsoft Authenticator then provides users with a six-digit one-time security token, which must be entered in order to successfully authenticate.
- Mobile BankID (Sweden): Users in Sweden can authenticate with Mobile BankID, an electronic identification service issued by Swedish banks. If a user chooses Mobile BankID, they confirm the authentication in the BankID app on their phone with their BankID security code.
- EFOS/SITHS (Sweden): EFOS/SITHS is a smart card-based authentication service, that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves.
- Duo Security: Duo Security is a two-step verification service. When users authenticate, they receive a one-time verification code in the Duo Mobile app. They must then enter the code to successfully authenticate.
- Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate.
Identity services included in the uReset Federation Package
- Live: Users can enroll and authenticate using their Microsoft Live account credentials. Microsoft Live credentials are used to sign in to the Microsoft Cloud, including: Outlook, Office Online, OneDrive, Skype, Xbox Live, and the Microsoft Store.
- LinkedIn: Users can enroll and authenticate using their LinkedIn credentials. These credentials consist of the email address and password used to sign in to a LinkedIn account.
- Google: Users can enroll and authenticate using their Google account credentials. These credentials consist of the email address and password used to sign in to a Google account.
- Facebook: Users can enroll and authenticate using their Facebook account credentials. These credentials consist of the email address and password used to sign in to a Facebook account.
- Twitter: Users can enroll and authenticate using their Twitter account credentials. These credentials consist of the email address and password used to sign in to a Twitter account.
- Tumblr: Users can enroll and authenticate using their Tumblr account credentials. These credentials consist of the email address and password used to sign in to a Tumblr account.
- Flickr: Users can enroll and authenticate using their Flickr account credentials. These credentials consist of the email address and password used to sign in to a Flickr account.
Users are required to enroll with the uReset service. The enrollment process varies for each type of identity service. To enroll with a personal identity service such as Google, the user follows the link from the Specops uReset web application to the Google sign-in page and logs in with the email address and password associated with their Google account. The Google password is entered at Google, not in uReset; uReset only receives the token the identity service issues after the user gives consent. When a user affected by a uReset policy utilizing Google enrolls in the service, a unique identifier is stored on the user object in Active Directory.
A policy contains the rules required for enrollment and multi-factor authentication. A policy controls what identity services can be used, and how many must be used to verify the identity of a user. The system owner is responsible for configuring the rules in the policies.
Architecture and Design
Specops uReset is natively integrated with Active Directory. Configuration of the system is done using Group Policy, without introducing added complexity to your environment. No external database is required to store password-related information: enrollment data is stored directly on user objects in Active Directory, which keeps the data inside your directory and means password changes take effect in real time without a separate provisioning step.
Specops uReset consists of the following components and does not require any additional resources in your environment beyond the Gatekeeper server. The authentication backend, web, and identity services are hosted in the cloud. You only need to install the Gatekeeper component.
Authentication Cloud: The global cloud component of uReset, the authentication cloud contains the web (front-end for end users) and the backend services.
Authentication Web: Contains the front-end for end-users, and administrators. The Authentication Web can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for various resources, including uReset.
Authentication Backend: To read user information from Active Directory, the backend communicates with the Gatekeeper. The web and identity services also communicate with the backend. The authentication backend validates a user’s identity based on the tokens from individual identity services.
Gatekeeper: The Gatekeeper needs to be installed on a server in your domain. The Gatekeeper reads user information from Active Directory, and manages all operations against Active Directory, such as reading/writing enrollment data.
Identity services: An entity that can validate a user’s identity in uReset. The tokens from individual identity services are used by the backend to validate a user’s identity.
Some of the identity services that are used during authentication, such as Facebook, or Google, are external. When an external identity service is used, the user is sent to the identity service, and asked to give Specops consent to access their personal information, such as their username. The information from the consent allows the creation of the token that is used for authentication.
Token: A token or security token is a carrier of information about a user and about the issuer of the token. The information about a user is a set of statements, called claims. Claims about a user can for example be the name of the user, the ID of the customer the user belongs to, and the roles the user has in their organization.
Note: No personally identifiable data or passwords are included in the tokens.
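The page describes the backend validating a user's identity from tokens issued by identity services, but not what such a token looks like on the wire. The following is an added illustration, not Specops code and not uReset's actual token format: a minimal signed claims token (issuer, opaque subject ID, customer ID, roles, lifetime) and the checks a relying party must make before trusting it. The issuer key, the claim names and the 300-second lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared keys, one per trusted issuer (assumption for the example; not a real key).
ISSUER_KEYS = {"identity-service.example": b"constructed-demo-key-do-not-use"}
TOKEN_TTL_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject_id: str, customer_id: str, roles: list, now: int = None) -> str:
    """Build a signed claims token. The subject is an opaque identifier, never a name or e-mail."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject_id, "cust": customer_id, "roles": roles,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(token: str, expected_issuer: str, now: int = None) -> dict:
    """Return the claims if signature, issuer and lifetime check out; raise ValueError otherwise.

    The key is chosen from the *expected* issuer, not from anything inside the token, and the
    signature is checked before the body is parsed, so untrusted JSON is never interpreted.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig_text = parts
    key = ISSUER_KEYS.get(expected_issuer)
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_text)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    tok = issue_token("identity-service.example", "u-4f2c", "cust-17", ["helpdesk"], now=1_000_000)
    print(verify_token(tok, "identity-service.example", now=1_000_100))
```

The two checks most often skipped in practice are the ones that matter: the verifier must pick the key from the issuer it expects (a token that names its own issuer cannot be allowed to choose which key validates it), and it must reject expired tokens, since a replayed identity-service token would otherwise stay valid for a password reset indefinitely.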
Features and capabilities
The uReset Reporting feature allows you to track your enrollment process and provides several reports on enrollments, events, and identity service utilization.
The uReset web application contains several customization features which give you control over the Specops uReset end-user interface. You can customize the graphical elements of the Specops uReset web application, including the main logo and the main style (you can set your own styles by supplying a custom Bootstrap CSS). You can also customize the text displayed to the end user, for all supported languages.
The User Management menu can be used to verify the accounts of users, using any of their enrolled identity services, or by sending a text message, containing a code, to the user’s mobile phone. Once a user has been verified, the helpdesk can set a new password, and require the user to change their password at next logon.
Specops uReset contains several notification options to remind users to enroll and encourage self-service. The notification method is controlled through GPO settings. Specops uReset supports email and SMS notifications when certain system events occur, such as a user enrolling with the system. Specops uReset has the ability to generate and send emails to end users to confirm that the operation was successful.
Weighted Identity Services
The uReset multi-factor authentication engine allows the administrator to assign a specific weight to each identity service, so that, for example, one identity service is worth twice as much as another during authentication. In the user interfaces, for both end users and administrators, the weights are represented by stars.
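To make the weighting concrete, here is an added example of how a policy engine can evaluate weighted identity services against a required star total. This is illustrative code written for this page, not Specops code, and the exact rules uReset applies (for instance whether a service may be counted twice) are not documented here; the policy names, weights and thresholds below are constructed assumptions modelled on the student and executive examples above.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IdentityService:
    name: str
    weight: int          # "stars" the administrator assigned to this service
    enabled: bool = True  # enabled in the administration console


@dataclass(frozen=True)
class Policy:
    required_stars: int
    services: dict        # name -> IdentityService permitted under this policy


def evaluate(policy: Policy, enrolled: set, verified: list) -> tuple:
    """Decide whether the identity services a user has just verified with satisfy the policy.

    Returns (passed, stars_earned, reasons). A service only counts if the policy permits it,
    it is enabled, the user is enrolled with it, and it has not already been counted.
    """
    reasons, earned, seen = [], 0, set()
    for name in verified:
        svc = policy.services.get(name)
        if svc is None:
            reasons.append(f"{name}: not permitted by policy")
        elif not svc.enabled:
            reasons.append(f"{name}: disabled in administration console")
        elif name not in enrolled:
            reasons.append(f"{name}: user not enrolled")
        elif name in seen:
            reasons.append(f"{name}: counted once only")
        else:
            seen.add(name)
            earned += svc.weight
    return earned >= policy.required_stars, earned, reasons


def minimal_combinations(policy: Policy, enrolled: set) -> list:
    """List the smallest sets of a user's enrolled services that reach the required stars.

    Useful for showing a user (or the helpdesk) which combinations will let them reset.
    """
    usable = [n for n in sorted(enrolled)
              if n in policy.services and policy.services[n].enabled]
    found = []
    for size in range(1, len(usable) + 1):
        for combo in combinations(usable, size):
            if any(f <= set(combo) for f in found):  # a smaller qualifying subset already covers it
                continue
            if sum(policy.services[n].weight for n in combo) >= policy.required_stars:
                found.append(frozenset(combo))
    return found


# Constructed policies mirroring the text: low-clearance users get flexible low-weight services,
# high-clearance users need stronger services or more of them.
STUDENT_POLICY = Policy(required_stars=2, services={
    "Google": IdentityService("Google", 1),
    "Facebook": IdentityService("Facebook", 1),
    "Mobile Code": IdentityService("Mobile Code", 2),
})
EXECUTIVE_POLICY = Policy(required_stars=5, services={
    "Secret Questions": IdentityService("Secret Questions", 1),
    "Mobile Code": IdentityService("Mobile Code", 2),
    "Specops Authenticator": IdentityService("Specops Authenticator", 3),
    "Duo Security": IdentityService("Duo Security", 3, enabled=False),
})

if __name__ == "__main__":
    print(evaluate(EXECUTIVE_POLICY, {"Mobile Code", "Specops Authenticator"},
                   ["Mobile Code", "Specops Authenticator"]))
    print(minimal_combinations(EXECUTIVE_POLICY,
                               {"Secret Questions", "Mobile Code", "Specops Authenticator"}))
```

The point of refusing to count a service twice is that the star threshold is meant to force independent factors; two codes from the same SMS channel are no stronger than one. Listing minimal qualifying combinations up front also surfaces mis-configured policies, for example an executive policy whose only 5-star path runs through a service the console has disabled.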
Multifactor Authentication for Administrators and Helpdesk users
Users that are a part of the Administrators and Helpdesk group can use multifactor authentication to verify their identity when accessing the Administrator / User Management pages on the Authentication Web.
The Specops Authenticator app is a high-trust identity service which turns the mobile device into a secure token device. The app generates a one-time code that users must provide in addition to their username when verifying their identity during a password reset. The codes are generated with the industry-standard Time-Based One-Time Password algorithm (TOTP, RFC 6238), so Specops Authenticator enrollments can also be used with the Google and Microsoft Authenticator apps.
Specops Password Reset
uReset contains a mobile application, available in the Windows Store, Google Play, and the App Store, that can be used as a secure alternative for resetting passwords and unlocking accounts. The mobile app is available to any organization that permits users to reset their password remotely.
Specops Fingerprint Authenticator
The Specops Fingerprint Authenticator app allows you to authenticate to the uReset password reset service using either the Touch ID fingerprint recognition feature integrated into your iOS device, or the fingerprint API integrated into Android 6.0 or newer.