Overview

Specops Key Recovery is a self-service solution for unlocking computers encrypted or managed by Symantec Endpoint Encryption. A user who is locked out at the pre-boot authentication screen can use Specops Key Recovery to unlock their computer, without calling the helpdesk. For added security, users are verified with multi-factor authentication. The solution supports a number of authentication factors, including Symantec VIP, and Mobile Code (sending a one-time code to a mobile device).

Specops Key Recovery currently supports:

  • Symantec Endpoint Encryption (version 11 and higher)
  • BitLocker managed by Symantec Endpoint Encryption (version 11 and higher)

Central concepts

Pre-boot authentication screen

When a user powers on a computer with full-disk encryption, the pre-boot authentication screen will appear. Windows will not boot up until the user has correctly confirmed their identity on this screen.

Policy

A policy contains the rules required for enrollment and multi-factor authentication when using Specops Key Recovery. A policy controls what identity services can be used, and how many must be used to verify the identity of end-users. The system administrator is responsible for configuring the rules in the policy.

Multi-factor authentication

Multi-factor authentication requires more than one method of authentication from independent categories of credentials : something you know (i.e. password), something you have (i.e. Mobile device), and something you are (i.e. Fingerprint).

The Specops multi-factor authentication model is dynamic. Users can choose which identity services they want to combine for enrollment and authentication, as long as they meet the requirements of the policy.

Identity Services

Identity services enable users to securely identify themselves when signing in. Identity services fall into multiple categories, including: Active Directory username and password, social (Facebook, LinkedIn, Tumblr), and higher trust (Google Authenticator, Microsoft Authenticator, Duo Security).

The following identity services can be used to authenticate users in Specops Key Recovery:

  • Duo Security: With Duo Security, users can authenticate using the Duo Security mobile app.
  • EFOS/SITHS (Sweden): EFOS/SITHS is a smart card-based authentication service, which enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves.
  • Facebook: Users can enroll and authenticate using their Facebook account credentials.
  • Flickr: Users can enroll and authenticate using their Flickr account credentials.
  • Google: Users can enroll and authenticate using their Google account credentials.
  • Google Authenticator: Google Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Google Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • LinkedIn: Users can enroll and authenticate using their LinkedIn credentials.
  • Live: Users can enroll and authenticate using their Microsoft Live account credentials. Microsoft Live credentials are used to sign in to the Microsoft Cloud, including: Outlook, Office Online, OneDrive, Skype, Xbox Live, and the Microsoft store.
  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. Administrators can customize the notification that is sent, by adding custom information to the request notification. To make use of Manager Identification, each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users.
  • Microsoft Authenticator: Microsoft Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Microsoft Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • Mobile Code (SMS): Users will receive a one-time six-digit password via an SMS message, which must be entered in order to successfully authenticate.
  • Mobile BankID (Sweden): If users have the Mobile BankID app, they can use this to verify their identity.
  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully.
  • Specops Authenticator: Users can authenticate using the Specops Authenticator app. Users scan a QR code or enter a secret. Specops Authenticator then provides users with a six-digit one-time password, which must be entered in order to successfully authenticate.
  • Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smart phones and tablets. Users can press their finger to the fingerprint scanner on their device to instantly identify themselves. Users can also use Face ID to authenticate, if they own an iPhone X and above. In order to use this identity service, users must have the app installed on their mobile device.
  • Symantec VIP: Users can authenticate using the Symantec VIP.
  • Tumblr: Users can enroll and authenticate using their Tumblr account credentials.
  • Twitter: Users can enroll and authenticate using their Twitter account credentials.
Architecture and Design

Specops Key Recovery is a component of the Specops Cloud. Specops Authentication, another component of the Specops Cloud, is used to authenticate to Specops Key Recovery. Authentication rules for accessing Specops Key Recovery can be defined on the Admin pages in the Specops Cloud.

To read user information from Active Directory, the Specops Cloud communicates with the Gatekeeper. The Gatekeeper is installed on a server in your domain. The Gatekeeper reads user information from Active Directory, and manages all operations against Active Directory, such as reading/writing enrollment data.

  1. The user forgets their password, and is locked out at the pre-boot authentication screen. The screen prompts the user to visit Specops Key Recovery on a mobile device.
  2. Specops Key Recovery (keyrecovery.specopssoft.com) redirects the user to Specops Authentication.
  3. Specops Authentication asks the Gatekeeper for the Group Policy Object that affects the user, and obtains the authentication rules to grant access to Specops Key Recovery. The authentication rules are displayed for the user. The user authenticates with various identity services to fulfill the policy, after which, the user is returned to Specops Key Recovery.
  4. Specops Key Recovery asks the Gatekeeper for a list of the user’s devices.
  5. The Gatekeeper asks Symantec Endpoint Encryption for the user’s devices, and a list is returned. The user’s computers are displayed on the key recovery page (keyrecovery.specopssoft.com).
  6. The user selects their locked computer from the list in Specops Key Recovery, and the browser is redirected to the recovery page.
  7. The user enters a sequence number on their mobile device and presses Continue. A key-pair is generated and the public key is sent with the sequence number to the Gatekeeper.
  8. The Gatekeeper asks Symantec Endpoint Encryption for a Recovery Key, based on the information the user has provided.
  9. Specops Key Recovery displays the Recovery Key to the user and instructs them to enter information on their locked computer.
  10. The user enters the Recovery Key on their locked computer. The computer then is unlocked.
  • Was this Helpful ?
  • Yes   No