Overview

Specops Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Agents can help users reset their passwords or unlock their computers (if encrypted with BitLocker™ or Symantec Endpoint Encryption™) in a secure and easy to use environment. The Secure Service Desk also holds user information and statistics.

Central Concepts

Identity Services

Specops Secure Service Desk works on a principle of pre-enrollment. This means for the most part that user enrollment occurs by defining attributes in Active Directory. However, if you use Secure Service Desk with other Specops products, such as Specops uReset, the identity services defined in those policies can be used for Secure Service Desk as well.

To use various identity services to authenticate users, the identity service must be configured (enabled) in the administration console, and the user affected by the uReset policy must enroll in the uReset service. Once a user has enrolled, service desk agents can use the identity services in the policy to verify users’ identity.

Identity services enable users to securely identify themselves when signing in. Identity services fall into multiple categories, including: username and password, social ( LinkedIn, Tumblr), and higher trust ( Google Authenticator, Microsoft authentic, Duo Security Security).

To use various identity services to authenticate users, the identity service must be configured (enabled) in the administration console, and the user affected by the uReset policy must enroll in the uReset service. Once a user has enrolled, they can reset their password using the uReset Web Application (via a hyperlink on the login screen or on any modern browser). Specops uReset uses data from user objects in Active Directory to read and write information used in the system.

Below is a list of all the identity services available in Specops Authentication.

Standard

  • Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smart phones and tablets. Users can press their finger to the fingerprint scanner on their device to instantly identify themselves. Users can also use Face ID to authenticate, if they own an iPhone X and above. In order to use this identity service, users must have the app installed on their mobile device.
  • Specops Authenticator: Users can authenticate using the Specops Authenticator app. Users scan a QR code or enter a secret. Specops Authenticator then provides users with a six-digit one-time password, which must be entered in order to successfully authenticate.
  • Mobile Code (SMS): Users will receive a one-time six-digit password via an SMS message, which must be entered in order to successfully authenticate.
  • Email: the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication .
  • : the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. has to be registered at enrollment by the user and they may use any email address of their choosing.
  • Trusted Network Locations: Trusted Network Locations is an identity service that allows administrators to designate certain IP ranges as Trusted Network Locations.
  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. Administrators can customize the notification that is sent, by adding custom information to the request notification. To make use of Manager Identification, each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users.
  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully.

3rd Party

NOTE
In most cases, enrollment with third party identity services needs to be handled by users individually.
  • PingID: With PingID, users can authenticate using the PingID mobile app.
  • Duo Security: With Duo Security, users can authenticate using the Duo Security mobile app.
  • Freja: With Freja, users can authenticate using the Freja mobile app.
  • Okta Users can enroll and authenticate using their Okta account credentials. This can be done through the Okta app and by sending codes via text message.
  • Symantec VIP: Users can authenticate using the Symantec VIP mobile app.
  • Google Authenticator: Google Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Google Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • Microsoft Authenticator: Microsoft Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Microsoft Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • SITHS eID (Sweden): SITHS eID is a smart card-based authentication service, which enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves.
  • Mobile BankID (Sweden): If users have the Mobile BankID app, they can use this to verify their identity.
    NOTE
    Users will have to scan a QR code in the Mobile BankID app in order to authenticate with this identity service.
  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.

Federated

  • Google: Users can enroll and authenticate using their Google account credentials.
  • Microsoft Live: Users can enroll and authenticate using their Microsoft Live account credentials. Microsoft Live credentials are used to sign in to the Microsoft Cloud, including: Outlook, Office Online, OneDrive, Skype, Xbox Live, and the Microsoft store.
  • Tumblr: Users can enroll and authenticate using their Tumblr account credentials.
  • Flickr: Users can enroll and authenticate using their Flickr account credentials.
  • LinkedIn: Users can enroll and authenticate using their LinkedIn credentials.

Policy

A policy contains the rules required for enrollment and multi-factor authentication. A policy controls what identity services can be used, and how many must be used to verify the identity of a user. The system owner is responsible for configuring the rules in the policies.

Note that policies for Secure Service Desk only apply to service desk agents, not to users. End users need to be pre-enrolled with all associated identity services in order to be able to verify their identity.

Architecture and Design

Specops Secure Service Desk is natively integrated with Active Directory. Configuration of the system is done using Group Policy, without introducing added complexity to your environment. This means that no external database is required to store password related information. User data is stored directly in Group Policy user objects, minimizing security risk while ensuring inherent real-time password provisioning.

Specops Secure Service Desk consists of the following components and does not require any additional resources in your environment. The authentication backend, web, and identity services are hosted in the cloud. You will only need to install the Gatekeeper component.

Alt text for this image

Authentication Cloud: The global cloud component of uReset, the authentication cloud contains the web (front-end for end users) and the backend services.

Secure Service Desk: Contains the front-end for end-users, and administrators. The Secure Service Desk can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for various resources, including uReset.

Authentication Backend: To read user information from Active Directory, the backend communicates with the Gatekeeper. The web and identity services also communicate with the backend. The authentication backend validates a user’s identity based on the tokens from individual identity services.

Gatekeeper: The Gatekeeper needs to be installed on a server in your domain. The Gatekeeper reads user information from Active Directory, and manages all operations against Active Directory, such as reading/writing enrollment data.

Identity services: An entity that can validate a user’s identity in Secure Service Desk. The tokens from individual identity services are used by the backend to validate a user’s identity.

Some of the identity services that are used during authentication, such as Google are external. When an external identity service is used, the user is sent to the identity service, and asked to give Specops consent to access their personal information, such as their username. The information from the consent allows the creation of the token that is used for authentication. Note that since Secure Service Desk works on the principle of pre-enrollment, not all identity services are available for user verification.

Token: A token or a security token is a carrier of information about a user and about the issuer of the token. The information about a user is a set of statements. The claims about a user can for example be the name of the user, ID of the customer it belongs to and what roles a user has in its organization.

Features and Capabilities

Reporting

The Secure Service Desk Reporting feature allows you to track your enrollment process and provides several reports on service desk calls, events, and computer unlocks and password resets.

Notifications

When resetting a user’s password, notifications (containing the new password) can be sent via mail or text message. When verifying a user’s identity, both email and text message can be used as well.

Weighted Identity Services

Note that weighted identity services can only be used for Secure Service Desk for multi-factor authentication for service desk agents. In cases where Secure Service Desk is used in conjunction with Specops uReset, the identity services in uReset policies can also be weighted.

Administrators can assign a specific weight for each identity service, ultimately deciding that one identity service is worth twice as much as another during authentication. In the user interfaces, for both the end users and administrator, the weights are represented by stars.

Multifactor Authentication for Administrators and Helpdesk users

Users that are a part of the Administrators and Helpdesk group can use multifactor authentication to verify their identity when accessing the Administrator / User Management pages on the Secure Service Desk.

Mobile Applications

Specops Authenticator

The Specops Authenticator app is a high trust identity service, which turns the mobile device into a secure token device. The app generates a secret code that users must provide in addition to their username when authenticating their identity during a password reset. The codes generated are based on industry standard Time-Based One-Time Password Algorithm security tokens as such Specops Authenticator can work with both Google and Microsoft Authenticators.

Specops Fingerprint

The Specops Fingerprint app allows you to authenticate for user verification using either the Touch ID fingerprint recognition or Face ID feature integrated into your iOS, or the Fingerprint API scan feature integrated into your Android 6.0 or newer operating system.