The process of changing a forgotten password. A password reset can be performed by a user who has verified their identity using multi-factor authentication. The user can reset their password using the uReset web application, which can be accessed from any (non-ancient) web browser, including mobile phone browsers.
Specops uReset goes beyond two-factor authentication by supporting a broad range of identity services that can be used to increase password reset security and flexibility. The solution not only supports common authenticators, such as questions and answers and mobile verification codes, but also various digital identity services ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), in addition to higher trust methods such as Smart Cards. The helpdesk can also use multi-factor authentication when assisting users with account unlock and/or password reset, by requiring them to use their enrolled identity services to verify their identity.
IT administrators can select, based on role and security policy, which identity services/authenticators they want to extend to end-users to verify their identity when resetting or unlocking their accounts. Such flexibility can ensure that varying security and flexibility needs are met. For example:
- For users that have a low-level security clearance, but a high flexibility need, such as students, IT admins can allow them to authenticate with a few personal identity services such as their Google and Facebook ID.
- For users that have a higher level security clearance, such as financial aid administrators or senior level executives, IT admins can assign policies that enforce a higher number, or a stronger combination of identity services. This approach provides administrators with the flexibility they need to enforce policies that translate to greater security and efficiency.
To use various identity services to authenticate users, the identity service must be configured (enabled) in the administration console, and the user affected by the uReset policy must enroll in the uReset service. Once a user has enrolled, they can reset their password using the uReset Web Application (via a hyperlink on the login screen or in any modern browser) or the uReset Mobile App (iOS, Android or Windows Phone). The Specops uReset Server uses data from user objects in Active Directory to read and write information used in the system.
The following identity services can be used to authenticate users in Specops uReset:
Standard Identity Services
- Question and Answer (Security Questions)
- Username & Password
- Windows Integrated Authentication
Social, SaaS, Email Identity Services
Higher Trust Identity Services
- Manager Identification
- Specops Authenticator
- Google Authenticator
- Microsoft Authenticator
- Specops Fingerprint Authenticator
- Mobile Verification Code (SMS)
- Mobile Verification Code (Email)
- Duo Security
- Symantec VIP
- Mobile BankID (Sweden)
- SITHS Smart Cards (Sweden)
Users are required to enroll with the uReset service. The enrollment process will vary for each type of identity service. To enroll with a personal identity service such as Google, the user will need to follow the link from the Specops uReset web application to the Google web page, and log in with the email address and password associated with their Google account. When a user affected by a uReset policy utilizing Google enrolls in the service, a unique identifier is stored on the user object in Active Directory.
A policy contains the rules required for enrollment and multi-factor authentication. A policy controls what identity services can be used, and how many must be used to verify the identity of a user. The system owner is responsible for configuring the rules in the policies.