FastPass Enterprise Password Manager

PASSWORD SELF-SERVICE AND FACILITATED PASSWORD RESET

with 90% user adoption

FastPass enterprise password manager covers the important password manager processes for self-service of passwords with a compliant and secure process for the facilitated password reset process in the service desk. The results are high productivity and ease-of-use for all types of corporations.

Self-service of passwords

How do you help users handle the issue of forgotten and locked passwords? In modern work-life, they want to log-in 24 hours 7 days a week. Most companies don’t have continued availability from the IT service desk due to cost.

The answer is a password self-service. 

When it comes to self-service of passwords for all users FastPass Enterprise Password Manager is a complete choice. To be successful in user adoption many details must be present:

Enrollment: FastPass can enforce the majority of users to enroll. For users and situations where forced enrollment is impossible, an automatic email based enrollment service will invite and get the remaining users on-board.

FastPass covers all types of passwords (Windows / SAP/ Oracle / IBM i, etc.)

Access from all types of devices and situations. Even from a locked PC on a domain or even from an external network. Smartphones and tablets have special needs that must be covered as well (BYOD)

IT security must be protected by flexible choices for authentication from users. Single and 2-factor authentication can be specified depending on the situation. The user can choose between standard questions, individual questions, SMS contact, private e-mail contact, code-cards, and other methods. FIDO authentication is planned for coming release.

It is important that end-users individually and easy can use their native language – with more than 20 languages FastPass can accommodate most users.

Security and compliance of password processes

When users forget passwords, they call the service desk to get a new password to get back to their work. It happens every day many times in most service desks. But how does your service desk prevent that passwords are passed on to a wrong individual? Do you have a password reset manager assisting the service desk?

According to a Service Desk Institute research, 35% of organizations do not have management decided process – each analyst must make his own. Does this make us secure?

Current password self-service solutions rely heavily on traditional forms of authentication, particularly security questions, with only 7% of implemented solutions offering more innovative authentication methods.

FastPass Enterprise Password Manager offers a complete vision and solution for the password reset process based on the following basic components:

The majority of end-user password problems must be handled by the end-user through FastPass self-service of forgotten passwords

The few remaining manual calls must then be managed in a compliant process based on manager defined process. It must never be possible for a single person in a service desk to do a password reset directly to Active Directory or any other user repository. FastPass Password Compliance Manager controls the agent´s actions – and the process must be monitored. All authentication steps must be defined in FastPass, and a 2-person process can be forced for the users’ with access to highly sensitive applications. All actions are of course registered for monitoring purposes.

FastPass Compliance Manager

Even in good self-service implementation around 5-30% of users can’t for various reasons do self-service and will call the service desk. The service desk produces a PIN-code for enrollment to the FastPass self-service. After the enrollment then the user can do a compliant password reset.

Companies must decide how the PIN-code can be double checked and delivered to the end-user. The point is, that it must not be possible for a single person alone in the service desk to decide how to authenticate the end-user and deliver the PIN-code to a calling person! All steps related to the PIN-code must be logged as part of the defined authentication and delivery process. We recommend that service desk assistants should no more have privileged access to the users’ passwords in Active Directory.

Ideal and realistic password compliance relies on:

  • The majority of users use self-service when a password is forgotten
  • No privileged rights for AD password reset to the service desk
  • Assisted password reset is either:
    • a predefined authentication process performed by the agent controlled by FastPass
    • A predefined 2-person process controlled by FastPass

Solutions for all large organizations

FastPass covers the important password manager processes for self service of passwords with a compliant and secure process for the facilitated password reset process in the service desk. The results are high productivity and ease-of-use for all types of corporations.

FastPass covers all types of passwords (Windows / SAP/ Oracle / IBM i, etc.). FastPass supports Active Directory and Azure Active Directory users.

Choose FastPass password reset solution.

Depending on customers’ requirements we notice patterns in the choices for the various FastPass offerings:

Price variance depends on functional requirements and user-count. The customer is able to choose between purchase and subscription agreements. To get an individual quote, please contact us or our partners.

All the FastPass solutions are WEB-application secure according to industry security standards:

  • OWASP
  • PCI
  • SANS CYBER

FastPass Enterprise Password Manager facts:

  • FastPass delivers strong authentication
  • FastPass  invites and enforces all selected users to enroll
  • Even passwords on remote PCs’ cache can be reset
  • FastPass can work with multiple AD and Forests
  • Integration with service management systems
  • HelpDesk client to support the service desk employee when assisting end-user calls
  • Enabled for visually impaired persons (W3C Web A.G.)
  • Support for some end-point encryption solutions
  • Different processes for different user groups
  • Password reset for different password types: SAP, IBM, iSeries, Oracle, Google, special passwords
  • Password synchronization for different password types: SAP, IBM, iSeries, Oracle, Google, KMD

More about Enterprise Password Manager

END-USER ROLE

Self-service functionality for end-users:
  • Password reset for forgotten passwords
  • Password unlock
  • Password change using active password
  • Enrollment to the self-service giving information for authentication in self-service
  • Language decided by Windows/browser choice or user’s individual choice from a selector. More than 20 end-user languages.
Enrollment of end-users to the password manager:
  • Forced enrollment for users on domain PCs. Requires FastPass PC-client
    • Configurable when to be active. Different choices of user actions.
  • Automatic e-mail service to users to enroll
    • Configurable when to send invitation and when to send reminders
    • Customer makes text for different languages and different user groups.
  • Corporate data
    • Data available in customer’s system like mobile-phone number and corporate data can be imported or be used directly by FastPass. In some situations users, don’t need to enroll.
End-user access to enterprise password manager:
  • On domain from PC before Windows log-in: FastPass PC-client
  • External net from PC before Windows log-in: FastPass PC-client. FastPass even reset password on PC-cache. Requires customer VPN and internet connection. Can be WIFI connection
  • WEB-portal intranet
  • Webportal extranet
    • PC
    • Smartphones (iOS, Android)
    • Tablets (iOS, Android)
Account protection in the password manager solution:
  • FastPass locks after X attempts
    • Can only be reopened by Service Desk Role
  • Requires security certificate on device
  • Can be limited to specific IP-addresses
  • Only available for active AD user-ids
  • Notification to end-users when their FastPass account is being used
Password expiration notification:
  • Users can be notified before AD password expiration
  • In particular valuable for remote users
  • Smartphone and tablet users can change passwords directly on portal
Corporate password types – different connectors:
  • Covers most popular corporate password types:
    • Oracle
    • SAP
    • IBM Z
    • IBM ISeries, AS400
    • SQL
    • LDAP
    • Google corp
    • Generic connectors for other types of applications
  • Password reset as above is available
  • Synchronization from AD to any and all of the connectors
End-user authentication when using the corporate password manager:
  • Semi-private questions
    • Standard list controlled by administrator
    • Number of questions for authentication configured by administrator
    • Number of questions for enrollment configured by administrator
    • Questions and answers encrypted
    • Question and answers visible by privileged persons like service desk agents
  • Private questions
    • Standard list as above
    • Questions formulated by the end-user herself
    • Data are encrypted and hashed
    • Answers not available for any-one
  • SMS
  • Private e-mail
  • AD user-id authentication
    • For authentication for other password types than AD then password for AD user-id can be used
  • Code-card
    • Printed small card with coordinates
    • The user is asked to enter specific coordinates proving that he has this card
  • Out-of-band (OOB) authenticators
    • Google authenticator
    • Microsoft authenticator
  • 2-factor authentication
    • Administrator can configure two different types to be used in combination, and both must be OK
    • Can be configured for external net and not for internal users
    • Can be configured for some user groups
    • Can be configured to be active at certain time intervals (like night and week-ends)
  • User’s free choice
Multi-lingual support:

All text available for the users is available in ‘local’ language for the user. The language is automatically selected based on the browser, or can be selected directly by each user.

  • English
  • French
  • German
  • Spanish
  • Danish
  • Finnish
  • Dutch
  • Chinese / Mandarine
  • Japanese
  • Portuguese
  • Polish
  • Italian
  • Norwegian
  • Swedish
  • Welsh
  • Brazilian
  • Lithuanian
  • Estonian
  • Latvian

Additional languages will be easily added on request.

Enabled for visually impaired persons (W3C Web A.G.) (optional)

SERVICE DESK ROLE

ADMINISTRATOR ROLE AND GENERAL DESCRIPTION

  • Authenticate users calling for assisted service
    • Use system information
    • Use semi-private Q/A
  • Issue a PIN code for end-user enrollment to FastPass self-service. User can then reset the password herself
  • Can reset and un-lock passwords
  • Un-locks FastPass end-user accounts
  • The FastPass administrator configures and monitors the application
  • Configures network access
  • Writes and modifies user assistance text and field text
  • Configures enrollment process
  • Monitors management statistics and log-files
  • Configures SMS services (internal service or external WEB-service)

SECURITY FOR FASTPASS PASSWORD MANAGER

The security of a software application does not only depend on the software; but also on the complete security of the IT-infrastructure. When it comes to IT-infrastructure FastPassCorp cannot dictate to customers how to configure. We will however promise that we in documentation and consulting recommendations will inform how you can configure your IT-system to protect your FastPass data and processes in your infrastructure.

Protecting the integrity of data
  • Using SSL to connect to AD makes the communication secure. Requires Security Certificate where encryption is RSA with key 2048 or 4096 bits.
  • Internal system encryption is based on AES256 which is the strongest with .net
  • Sensitive data are stored in the database using encryption is based on AES256 which is the strongest with .net.
  • User data can be hashed in addition to encryption to completely protect user data.
  • All sensitive data such as the users’ answers and questions are all AES 256 Bit encrypted.
  • The FastPass TrackEngine makes sure no one can intercept and repost data.
  • Internal communication from Front-end to Back-end to Gateway is only possible using trusted SSL certificates and only from selected IP addresses
  • Password can be stored encrypted (AES 256Bit Encrypted) in the FastPass Database. This enables a set of features to tighten security regarding password history. For example the minimum number of differences to any previously used password.
Protecting the Windows PC Client
  • Windows Client has three security levels to prevent any intruders:
    • URL restrictions. The client will only communicate with the FastPass server
    • Keyboard restrictions
    • Process restrictions (Level 1 imposed by Windows, Level 2 imposed by the Windows Client C and .Net level code)
Preventing access to user’s FastPass account
  • Notification to the user of authentication attempts using Question/Answers
  • A user cannot answer the same challenge question twice or have the same answers
  • FastPass always checks if a user is still enabled and active in AD before the user can use FastPass (FastPass does not enable users)
  • After 3 failed attempts users are locked in FastPass (not in AD), Service Desk assistance is needed to unlock the account again.
  • CAPTCHA protection against robotic attempts is included.
The Best Practices for security and protection of FastPass access will include the following actions:
  • The fundamental component is the installation of FastPass WEB-services in DMZ.
  • Hardening of the DMZ-server according to the FastPass Hardening documentation
  • Demand 2-factor authentication for users coming from WAN
  • User notification of password reset
  • Notify users via SMS and e-mail that their FastPass account has been used – eg. when authentication fails.
  • Use only SSL/TLS versions that are PCI-Compliant
For extra secure environments, the following aspects can be evaluated
  • Only allow access to through the Windows Client on remote PCs (Blocks the browser interface)
  • Demand remote devices to present a trusted device/user certificate
  • Allow Enrollment only from the LAN
  • Limit the IP address scope allowed on the WAN-side

Testimonials

”We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction”.

Mads Jacobsen
 Associate vice president

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets

Oliver Holmes

Deputy Director, Technology and Operations

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

 

 

FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager

 

...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery

 

… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

 

We are very pleased with the product.  Fast pass has simplified password management and eliminated many password related calls

 

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers

SAP

 

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator

 

Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.”

Larry Marxen

Director of Information Systems

 

North America T: + 818 697 2308

Europe T: + 45 4810 0410

 

FastPassCorp A/S,  USA

FastPassCorp A/S, Gladsaxevej 376, st.th; 2860 Gladsaxe, Denmark

© FastPassCorp A/S. All Rights Reserved.

Logo of fastpasscorp, the self-service password management provider
Subscribe To Our Newsletter
No Thanks
Thanks for signing up. You must confirm your email address before we can send you. Please check your email and follow the instructions.
We respect your privacy. Your information is safe and will never be shared.
Don't miss out. Subscribe today.
×
×
WordPress Popup Plugin