Authentication Web
The Specops Authentication Web can be used to view system information and manage various aspects of the product, including system-wide configuration and the multi-factor authentication policies for its various resources. Once you have installed and configured the Gatekeeper, users who are members of the Authentication Admin Group can further configure the solution from the Specops Authentication Web:
- US datacenter: https://login.specopssoft.com/authentication/admin
- EU datacenter: https://eu.login.specopssoft.com/authentication/admin
For more information and general administration, refer to Specops Authentication Web.
The configuration steps that are specific for Specops Key Recovery are described below.
Key Recovery Policy
Here you can configure the policy mode, as well as configure the policies associated with Key Recovery.
To specify the authentication rules for users, you will have the following policy mode options:
- Cloud: All users will have the same authentication rules for key recovery.
- Group Policy: Users will have different authentication rules as determined by the Group Policy they are affected by.
- Both: Group Policy will be processed first, and the Cloud policy will be applied to users not affected by any Group Policy Object with Specops Key Recovery settings.
Configure a Key Recovery Policy
- Log in to the Specops Authentication Web and click Key Recovery in the left navigation.
- Click Edit Authentication Rules next to each policy to set its authentication requirements.
- Click the plus-icon for those identity services you want to include in the policy.
- You will need to assign a weight (star value) to each selected identity service. This allows you to give a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator 2 stars would make it equivalent to two identity services worth 1 star each.
- To require the user to use a specific identity service, select Required.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication.
Note
The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
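The star-weight rules in the steps above, modelled as an added example (this is an illustrative model, not Specops code or its API): each identity service carries a star value and an optional Required flag, the star bar must be filled to the enrollment or authentication threshold, and the authentication threshold may not exceed the enrollment one. The service names and star values in the constructed policy are taken from the text; the class and method names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityService:
    name: str
    stars: int            # weight (star value) assigned by the administrator
    required: bool = False


@dataclass
class KeyRecoveryPolicy:
    services: tuple
    enrollment_stars: int
    authentication_stars: int

    def validate(self):
        """Return a list of configuration problems (empty when the policy is sound)."""
        problems = []
        # The Note above: authentication stars must be <= enrollment stars.
        if self.authentication_stars > self.enrollment_stars:
            problems.append("authentication stars exceed enrollment stars")
        # The star bar can never be filled if the threshold exceeds the
        # total weight of all selected services.
        if self.enrollment_stars > sum(s.stars for s in self.services):
            problems.append("enrollment stars exceed total available weight")
        return problems

    def _satisfies(self, chosen, needed):
        by_name = {s.name: s for s in self.services}
        # Every service marked Required must be among those used.
        if not {s.name for s in self.services if s.required} <= set(chosen):
            return False
        # The user has to fill the star bar up to the configured threshold.
        return sum(by_name[n].stars for n in chosen) >= needed

    def can_enroll(self, chosen):
        return self._satisfies(chosen, self.enrollment_stars)

    def can_authenticate(self, chosen):
        return self._satisfies(chosen, self.authentication_stars)


# Constructed policy mirroring the text: Specops Authenticator worth 2 stars
# (Required), two self-enrolled services worth 1 star each.
POLICY = KeyRecoveryPolicy(
    services=(IdentityService("Specops Authenticator", 2, required=True),
              IdentityService("Mobile Code (SMS)", 1),
              IdentityService("Personal Email", 1)),
    enrollment_stars=3,
    authentication_stars=2,
)
```

With this policy a user enrolling with the Authenticator alone (2 stars) cannot fill the 3-star enrollment bar, while the Authenticator alone is enough for the 2-star authentication bar; two 1-star services without the Required Authenticator are refused regardless of their total.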
Policy configuration best practice
When configuring policies for multiple Specops applications (uReset, Authentication for O365, Key Recovery, Password Minder) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.
When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.
For more information on enrollment, please refer to the Best Practices document.
Weak identity services
Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:
- Security questions
- Mobile Code (SMS)
- Personal Email
Enrollment security modes
When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.
There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).
- Low security: Users are only required to provide their Windows password for identification.
- Medium security: Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.
- High security: Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option unless they have enrolled only with weak identity services.
Note
The low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.
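The three security modes as a decision rule, added here as an illustrative model rather than Specops code: the weak services are exactly the three listed under Weak identity services, everything else is treated as strong, and the Windows password is always required. The mode strings and function names are assumptions.

```python
# Weak identity services exactly as listed on this page; every other
# service is treated as strong. Mode names are assumptions of this model.
WEAK_SERVICES = frozenset({"Security questions", "Mobile Code (SMS)", "Personal Email"})


def reenrollment_requirement(mode, enrolled):
    """Return (services offered for identification, how many of them the
    user must complete) in addition to the Windows password."""
    enrolled = frozenset(enrolled)
    if mode == "low":
        return frozenset(), 0
    if mode == "medium":
        return enrolled, 1
    if mode == "high":
        strong = enrolled - WEAK_SERVICES
        if strong:
            # Weak services are not offered while a strong one is available.
            return strong, 1
        # Enrolled only with weak services: two of them are needed.
        return enrolled, 2
    raise ValueError(f"unknown security mode: {mode!r}")


def reenrollment_allowed(mode, enrolled, password_ok, presented):
    """Decide whether a re-enrollment attempt satisfies the security mode."""
    if not password_ok:          # the Windows password is always required
        return False
    offered, needed = reenrollment_requirement(mode, enrolled)
    # Only services the mode actually offers count towards the total.
    return len(frozenset(presented) & offered) >= needed
```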
Settings for Symantec Endpoint Encryption
From the Symantec Endpoint Encryption tab, you can require a challenge key, and enable BitLocker Key Recovery.
Configure a challenge key (Symantec Endpoint Encryption only)
You can add a Challenge Key field to the Symantec Endpoint Encryption Information page by selecting the Require challenge key checkbox. If this checkbox is selected, all users with devices encrypted by Symantec Endpoint Encryption will be required to enter a challenge key, shown on their locked computer's screen, when they perform a key recovery.
Enabling BitLocker Key Recovery
If your organization uses BitLocker Key Recovery (managed by Symantec Endpoint Encryption) to protect its computers, you can enable BitLocker Key Recovery here.
Settings for BitLocker
From the BitLocker tab, you can enable BitLocker Key Recovery.
Testing the connection
You can test and verify if you are successfully connected to the Symantec Help Desk and Symantec Database, and verify that BitLocker is configured. If the connection is successful, you will see the word Success on the right-hand side.