MICROSOFT ACTIVE DIRECTORY

SELF SERVICE PASSWORD RESET

See the 4 steps to reach a 90%+ adoption rate with an on-premise or cloud solution [close to 2 million users], and the configuration and security features of the leading password solution:

FASTPASS

 

Self service password reset is one of the most profitable self service solutions any support organization can initiate. About 20-30% of all calls to a service desk are related to passwords. Improved end-user service level and reduced workload are attractive for any service desk manager and IT-operations manager. The prerequisite for success, however, is that users accept and use the self-service password reset tool.

FastPass offers functionality and a best practice guide that secure our customers an adoption rate of more than 90%.

The 4 steps to password self service reset success

ENROLLMENT
  • Force where possible
  • Automatic e-mails for the rest
ACCESS EVERYWHERE
  • From Domain PC: Pre Windows credential provider
  • From external domain PCs: With PC password cache reset
  • WEB-portal for guest PCs
  • Responsive design for all smart devices
SERVICE DESK ASSISTANCE
  • When users call anyway, the service desk agent must have assistance for authenticating users
  • Users should have a PIN to re-enroll in self-service and not a password
CONVENIENT AND SECURE AUTHENTICATION

Question / answer method

  • Private and semi-private answers
  • Standard questions
  • Individual personal questions
  • Bulk update of corporate data is possible, but not recommended

PIN-code push

  • For mobile phones
  • For e-mails (private)

Smart cards

Commercial methods like DUO, RSA

TOTP generally available

  • Microsoft authenticator
  • Google Authenticator

Country or industry-specific

Combine the above for multi-factor authentication (MFA)

 

Want more information about FastPass products, pricing or anything else?

We are here to help you!

Active Directory Self service portal

FastPass Enterprise for Windows Self Service Password Reset offers all of the above, both for customers who need an on-premise solution and for customers wanting to go Cloud! The solution is even available for managed service providers as a multi-tenant solution for customers!

The FastPass best practice guide is a clear guide on how to implement FastPass and reach +90% adoption and success rate. 

This is however not enough to guarantee success. All installations are unique and the password self service solution must adapt to the real requirements for user convenience and company IT-security requirements.

A reasonable term for this is CONFIGURABILITY! 

Configurability considerations for active directory password reset tool software. Below is just a short overview of some of the decisions to be considered. 


6 pillars for password self service configurability:

Windows infrastructure

  • Active Directory
  • Multi-AD
  • Multi-forest AD
  • Azure AD
  • Hybrid Azure AD

The infrastructure 

  • Architecture for hardening
  • Architecture for high availability
  • Architecture for high performance

 

Different processes and workflows for users 

  • Communication to users is different across countries 
  • Communication is different across internal functions 
  • Different processes for internal and external users 
  • Different authentications for different user groups 

Languages must reflect the users’ language

  • not everybody understands English 
  • FastPass has close to 40 languages 

Self service even for other types of passwords like SAP, IBM, Oracle and many others

Easy and efficient administration and configuration from a central administrator portal 

FastPass for Microsoft Active Directory self service password reset supports all of the above!

The nature of passwords is to make IT-systems SECURE!

The security of a software application depends not only on the software but also on the complete security of the IT-infrastructure. When it comes to IT-infrastructure, FastPassCorp cannot dictate to customers how to configure it. We do, however, promise that our documentation and consulting recommendations will explain how you can configure your IT-system to protect your FastPass data and processes in your infrastructure. 

Account protection in the password management solution: 
  • FastPass locks after X attempts 
  • Can only be reopened by Service Desk Role 
  • Requires security certificate on the device 
  • Can be limited to specific IP-addresses 
  • Only available for active AD user-ids 
  • Notification to end-users when their FastPass account is being used 
Protecting the integrity of data 
  • Using SSL to connect to AD makes the communication secure. This requires a security certificate where the encryption is RSA with a key of 2048 or 4096 bits. 
  • Internal system encryption is based on AES256 which is the strongest with .net 
  • Sensitive data are stored in the database using encryption based on AES256 which is the strongest with .net. 
  • User data can be hashed in addition to encryption to completely protect user data. 
  • All sensitive data such as the users’ answers and questions are all AES 256 Bit encrypted. 
  • The FastPass TrackEngine makes sure no one can intercept and repost data. 
  • Internal communication from Front-end to Back-end to Gateway is only possible using trusted SSL certificates and only from selected IP addresses 
  • Password can be stored encrypted (AES 256Bit Encrypted) in the FastPass Database. This enables a set of features to tighten security regarding password history. For example the minimum number of differences to any previously used password.
Protecting the Windows PC Client 
  • Windows Client has three security levels to prevent any intruders: 
    • URL restrictions. The client will only communicate with the FastPass server 
    • Keyboard restrictions 
    • Process restrictions (Level 1 imposed by Windows, Level 2 imposed by the Windows Client C and .Net level code)
Preventing access to user’s FastPass account 
  • Notification to the user of authentication attempts using Question/Answers 
  • A user cannot answer the same challenge question twice or have the same answers 
  • FastPass always checks if a user is still enabled and active in AD before the user can use FastPass (FastPass does not enable users) 
  • After 3 failed attempts users are locked in FastPass (not in AD), Service Desk assistance is needed to unlock the account again. 
  • CAPTCHA protection against robotic attempts is included. 
The Best Practices for security and protection of FastPass access will include the following actions: 
  • The fundamental component is the installation of FastPass WEB-services in DMZ. 
  • Hardening of the DMZ-server according to the FastPass Hardening documentation 
  • Demand 2-factor authentication for users coming from WAN 
  • User notification of password reset 
  • Notify users via SMS and e-mail that their FastPass account has been used, e.g. when authentication fails. 
  • Use only SSL/TLS versions that are PCI-Compliant
For extra secure environments, the following aspects can be evaluated 
  • Only allow access through the Windows Client on remote PCs (blocks the browser interface) 
  • Demand remote devices to present a trusted device/user certificate 
  • Allow Enrollment only from the LAN 
  • Limit the IP address scope allowed on the WAN-side 
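
The account-protection rules listed above (active AD users only, lock after 3 failed attempts in the self-service tool rather than in AD, unlock only by the Service Desk role, notification on use) can be modelled as a small state machine. This is an added example, not FastPass code; the class, role and status names are hypothetical and the directory lookup is replaced by a constructed in-memory set.

```python
# Added example, not FastPass code. Class, role and status names are hypothetical.
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # the page: users are locked after 3 failed attempts


@dataclass
class ResetGate:
    """Tracks self-service lockout separately from the directory account state."""
    active_in_ad: set[str]                      # stand-in for a live AD lookup
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)
    notifications: list[tuple[str, str]] = field(default_factory=list)

    def attempt(self, user: str, answers_ok: bool) -> str:
        # Internal status codes; directory state is checked before any challenge.
        if user not in self.active_in_ad:
            return "denied:not-active-in-ad"
        if user in self.locked:
            return "denied:locked"
        if answers_ok:
            self.failures.pop(user, None)
            self.notifications.append((user, "password reset authorised"))
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.notifications.append((user, "failed authentication attempt"))
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked.add(user)   # locks the self-service account only, not AD
            return "denied:locked"
        return "denied:bad-answers"

    def unlock(self, user: str, actor_role: str) -> bool:
        # Only the service desk role may reopen a locked self-service account.
        if actor_role != "service-desk" or user not in self.locked:
            return False
        self.locked.discard(user)
        self.failures.pop(user, None)
        return True


def demo() -> list[str]:
    gate = ResetGate(active_in_ad={"alice"})   # constructed sample directory
    results = [gate.attempt("alice", False) for _ in range(3)]
    results.append(gate.attempt("alice", True))       # correct answers, still locked
    results.append(str(gate.unlock("alice", "end-user")))
    results.append(str(gate.unlock("alice", "service-desk")))
    results.append(gate.attempt("alice", True))
    results.append(gate.attempt("bob", True))         # not an active AD user
    return results
```

Note that correct answers are rejected once the account is locked, so guessing cannot continue past the third failure.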


Basic Active directory self service password reset

Have you ever thought about an AD self service password reset tool?

In today’s environment, users expect fast self service for any issues they might have with IT. As the most frequent issue is Active Directory password reset calls, IT self service must include Active Directory password self service functionality. This will resolve users’ issues faster than calling a service desk. It can even become critical if the problem appears outside the working hours of the service desk.

Think FastPass!

FastPass Self Service Password Reset Active Directory portal lets you start with an advanced and automatic platform for Windows Active Directory passwords. You can later add functionality as your requirements increase. You might also consider FastPass Cloud.

FastPass basic functions are based on a self-service WEB-portal where users are able to unlock their Active Directory account or reset their forgotten active directory password. Different ways of authentication are available: challenge questions, SMS-Pin codes, Google and Microsoft authenticators or other. Even 2-factor authentication can be dynamic! Access to the portal is from any device with a standard browser – smartphones included. Users get assistance to make the new password according to password policy. The user can select the end-user language from more than 40 different languages. For more details on functionality see FastPass password Manager facts.

Optional Microsoft Active Directory self service password reset facilities

Many organizations can improve the self service Active Directory password reset business case and user satisfaction by adding more advanced functionality to FastPass.

 

  • With FastPass PC-client users get access to the portal from a locked Domain PC with a credential provider. This is the most usual situation for end-users experiencing problems with passwords. No need to go to another device to access the WEB-portal!
  • Enrollment is key to user adoption rates. With FastPass PC-client users are forced to enroll!
  • Non-domain users can be invited to enroll by FastPass automatic e-mail enrollment service.
  • HelpDesk client is available for the service desk support for those users who call for support anyway. It speeds up the service and increases security.
  • For users with corporate PCs who access the system from the external network (from home or travel), the Remote PC-client enables FastPass to reset the PC-cache password. This can’t be done by the service desk with traditional tools and is an extraordinary value.
  • Organizations with multiple Active Directories can handle this complexity in the extended version

Market offerings

Self service password reset portals are available from many vendors. Traditionally the solutions were part of IDM (identity manager) solutions like Microsoft Forefront Identity and ManageEngine with ADSelfService Plus. We also see dedicated solutions from open source vendors, which never really seem to catch on. Many ITSM products offer limited self service functionality now. 

Microsoft Azure and Office 365 can now have an Azure SSPR functionality.  

If you need assistance in an assessment between different offerings, we have the experience and knowledge to help you make an expert evaluation. Please contact us. 

How does a Self-service password reset solution SSPR work? 

When users want to login to Windows from the PC, they might find it impossible. They might just need to unlock or perhaps they need to reset the password.  

The immediate problem is: “How to do self service of passwords when your PC is locked because you don’t have a password?” a Catch-22 problem. 

The solution is an icon on the PC helping the user to see that he can serve himself by clicking the password reset icon. This PC client (credential provider / GINA) can then offer limited functionality on a locked PC. This will help the user access the self service password reset functions! 

The user will then be asked to do a personal authentication based on secrets shared between the SSPR (self service password reset) solution and the user.  Depending on the user’s profile and the situation it can be single factor authentication or multi factor authentication. 

When the authentication is accepted, the user must make his new password. For user convenience, the password policy must be visible to help the user make a compliant password. As the user complies, the different policy elements can turn green to show the user that the password is OK. 

The user can then return to his PC and use the new password. In this process, no other persons have been involved, so trust is maintained in the individual user. 

It cannot be a password recovery or a password writeback – this is not technically possible. The user will always have to make a new password. 
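
The per-element policy feedback described above, together with the "minimum number of differences to any previously used password" check mentioned in the security section, can be sketched as follows. This is an added example, not FastPass code: the rule names, the thresholds and the use of Levenshtein edit distance to count "differences" are assumptions, and the password history is constructed sample data.

```python
# Added example, not FastPass code. Rule names and thresholds are assumptions.
import re

# Assumed policy values; a real deployment reads these from its own policy.
MIN_LENGTH = 12
MIN_DIFFERENCES = 4  # assumed minimum edit distance to any earlier password


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, history: list[str]) -> dict[str, bool]:
    """Return one pass/fail flag per policy element (True = shown green)."""
    # Compare case-insensitively so changing only the case does not count.
    closest = min((edit_distance(candidate.lower(), old.lower()) for old in history),
                  default=MIN_DIFFERENCES)
    return {
        "length": len(candidate) >= MIN_LENGTH,
        "upper": re.search(r"[A-Z]", candidate) is not None,
        "lower": re.search(r"[a-z]", candidate) is not None,
        "digit": re.search(r"\d", candidate) is not None,
        "symbol": re.search(r"[^A-Za-z0-9]", candidate) is not None,
        "history": closest >= MIN_DIFFERENCES,
    }


def is_compliant(candidate: str, history: list[str]) -> bool:
    """True only when every policy element passes."""
    return all(check_password(candidate, history).values())


# Constructed sample history; a distance check needs the earlier passwords in
# recoverable form, which is why the page describes storing them encrypted.
SAMPLE_HISTORY = ["Winter2023!Snow", "Spring2024!Rain"]
```

A candidate such as `Winter2024!Snow` passes every character rule but fails the history element, because it differs from an earlier password by a single character.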

FastPass is of course also available from external PCs via WEB-access and for smartphones and tablets. 

Microsoft password reset

Microsoft password reset (in other words, when a user has forgotten the Windows password) is traditionally done by the service desk using their privileged passwords for Active Directory.

Better productivity and service are achieved with an AD password reset tool. Customers with FastPass are successful with password self service because of the following qualities in the service:

  1. Users need to enroll to be able to authenticate in FastPass when the Windows password is forgotten or locked! It can be done with forced enrolment or with the FastPass automatic e-mail enrolment service.
  2. Access is needed from all types of devices from internal and external networks. The devices can be corporate PCs, smartphones, tablets, and general browser access
  3. Authentication must be both easy and secure at the same time. You can configure whether you want single or multi-factor authentication (MFA). FastPass supports:
    1. Standard question and answers
    2. Users’ own questions and answers
    3. SMS to users’ mobile phone number
    4. Microsoft Authenticator and Google Authenticator
    5. Smart cards
    6. Other options
  4. Assistance from the service desk if the user is unable to do self service

FastPass supports Active Directory and Azure Active Directory users.

FastPass password synchronization is based on an AD interceptor catching all changes to passwords in AD. This creates a transaction to the FastPass password synchronization module. FastPass then has a user-map where the user’s user-ids are linked together for the synchronization transaction. FastPass password synchronization reacts very fast, so in general users’ passwords are changed in the target systems even before the user logs in to the alternate systems.


Think FastPass!

FastPass covers the important password manager processes for self service of passwords with a compliant and secure process for the facilitated password reset process in the service desk. The results are high productivity and ease-of-use for all types of corporations.

FastPass covers all types of passwords (Windows / SAP/ Oracle / IBM i, etc.). FastPass supports Active Directory and Azure Active Directory users.

Choose FastPass password reset solution.

Testimonials

”We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction”.

Mads Jacobsen
 Associate vice president

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets

Oliver Holmes

Deputy Director, Technology and Operations


FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager

 

...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery

 

… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

 

We are very pleased with the product.  Fast pass has simplified password management and eliminated many password related calls

 

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers

SAP

 

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator

 

Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.”

Larry Marxen

Director of Information Systems

 

North America T: + 818 697 2308

Europe T: + 45 4810 0410

FastPassCorp A/S,  USA

FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800 Denmark

© FastPassCorp A/S. All Rights Reserved.
