PASSWORD SELF SERVICE
USERS FORGET PASSWORDS?
FASTPASS is the answer
Business Case for FastPass Password Self Service Tool
Users solve password problems in less than a minute 24/7. This means productivity – the focus is on the job now, and not wait for someone to help. Productivity is money.
The IT service desk will cut 20-30% of all calls away. This can be converted to service or reduced costs. A cost per service desk call is typically around 40-50$ which will then be saved.
Data breaches will be reduced. Hackers can’t get a password from the service desk with social engineering or charm! The average cost per data breach in the USA is $7.9 million.
Using FastPassCloud you’ll have a short implementation and low total operating annual cost. Your business case will be positive within a few months.
6 STEPS TO SUCCESS: Password Self Service
Why is FastPass the best password reset solution for you?
FastPass password self service gives you more than 90% of user adoption. Only with a very high adoption, you will get your service up and your costs down. To reach 90% you need password self service which:
Covers all password types
Most companies have different types of passwords: SAP, Oracle, LDAP, IBM, Google, legacy etc. With FastPass users only need to go to the same FastPass portal.
Enroll all users
Users can be auto-enrolled. For secure authentication enrollment is required. FastPass will enforce enrollment.
From anywhere from any device
No matter where the user is and what device he uses, FastPass is available right there.
Let the service desk help the user to self-service when needed
If the user calls the service desk, the service desk has FastPass tools to securely bring the user back into self-service.
All types of credentials for user verification
FastPass can use all the types of authentication you already use for log-in processes, plus many more. You decide when users must use MFA or single factor authentication for identity verification.
How come more than half of all organizations that implement self-service password solutions only get a user acceptance of less than 25%?
After 10 years of experience, we figure out the main reasons of failures and focused on them in our mini e-book.
If you are concerned that criminals will use social engineering to steal passwords for real users from the service desk, then FastPass Facilitated Password Reset will control the service desk assistant’s workflow.
See how you can protect your systems against social engineering targeted for the service desk
SEE FASTPASS PASSWORD SELF SERVICE PORTAL IN ACTION
In your Demo Account you can:
- Enroll (and re-enroll)
- Reset and unlock a Windows/AD account
Authentications:
- TOTP using Google or Microsoft Authenticator
- SMS-pin to mobile phone
- Questions
FASTPASS OFFERINGS
Find the right solution for you from the FastPass offerings:
FastPass Enterprise
FastPass Enterprise covers self-service of passwords with a compliant and secure process for large organizations. The results are high productivity through high adoption and ease-of-use for all types of corporations.
FastPass Enterprise covers all types of corporate passwords (Windows / SAP/ Oracle / IBM i, etc.)
FastPass for Active Directory
FastPass for Active Directory lets you start with an advanced and automatic platform for AD passwords. You can later add functionality as your requirements increase. Reach 90%+ adoption rate with forced enrolment and rich authentication options.
FastPass covers Active Directory, Multi-AD, Multi-forest AD, Azure AD, Hybrid Azure AD.
Password Synchonization
For medium and large organizations password synchronization is a quick and effective way to help users having fewer passwords to remember.
FastPass synchronizes automatically all password changes from Active Directory to your other types of corporate passwords like SAP/Oracle/IBM. Even when users have different user-ids FastPass will synch correctly.
MSP Password Self Service
FastPass MSP is a multi-tenant solution to share with all your customers to reduce password costs.
- Customized per customer for self-service of password resets
- Functionally like FastPass Enterprise
- IT workflow for a facilitated password reset in the service desk
Facilitated Password Reset
FastPass (FPR) introduces a management defined process for manual verification. The verification process is matched to different security profiles for different groups. The service desk agents don’t need privileged passwords anymore. FPR uses dynamic and contextual information to help authenticate the users in addition to the management approval process.
FPR reduces the risk for data breaches and the costs associated with IT crime and is used with FastPass Enterprise.
FastPass Cloud
The FastPass Cloud service is a web-based password manager for medium and large companies who want to improve productivity and security related to password self-service processes in a simple and fast way. Users get access to a WEB-portal, even from a Windows PC before log-in!
FastPass Cloud covers all popular corporate password types like Windows / Active Directory, SAP, IBM Z, IBM I, Oracle, SQL, LDAP, and others.
Pricing depends on your functional requirements and user-count. You can, of course, choose between purchase and subscription agreements. Contact us or our partners to get an individual quote.
No matter what FastPass solution you choose it is WEB-application secure according to industry security standards:
- OWASP
- PCI
- SANS CYBER
Get a copy of FastPass Enterprise Overview
Download and read later!
To think of before you decide:
Your SSPR (Self-Service of Password Reset) solution only has any value if your users can and will use it! We have worked with hundreds of small and large organizations in implementing SSPR. We have learned that the following is very important in addition to above headlines for success for adoption.
Languages
If you are an international organization then not all users understand English. You must support all the different languages. Not all lead text but content like challenge questions and invitations must be the local language.
FastPass supports more than 30 different languages.
Configurability
For some users, you might only need a light authentication of their identity, so you accept single-factor authentication, with 3-4 different credentials for the user to choose from. Other users are more security-sensitive and they can only reset passwords with multi-factor authentication (MFA).
Some users are OK with one factor on the domain but must use MFA when accessing FastPass from external networks.
FastPass can handle an unlimited number of profiles and processes simultaneously, which is a prerequisite for large organizations.
Infrastructure
If you have an advanced and complicated infrastructure with on-premise and cloud operation (including Azure) you must be able to integrate your solution into your environment.
Managed Service Providers MSP
To give self-service of password reset for many customers you must have a central cloud-based solution.
FastPass is truly multi-tenant where you can support your customers from one FastPass environment. Each customer can be handled completely individually as if they had their own on-premise installation!
Security
A solution handling password processes must possess the highest security measures. Read more below on how FastPass is made secure.
How FastPass is made secure for you?
The increasing number of successful attacks on IT infrastructure to breach data security take many forms. Hackers go to great length to breach into WEB-applications to manipulate data or copy data out to suit their purpose.
The only way to prevent hackers from being successful is to use secure software. And as hackers are continuously looking for new ways to breach into software solutions, system protection too is an ongoing process.
For FastPassCorp, this means that software security starts with the design of the software and all new releases. We continuously follow the threats to the system and improve how we make our solutions secure for customers and users.
In this document, we present an overview of some of the actions taken by FastPassCorp to make our solutions secure. We follow the format of listing the common questions, thus providing an explanation of how we protect your infrastructure.
Details of Enterprise Password Management
END-USER ROLE
Self-service functionality for end-users
- Password reset for forgotten passwords
- Password unlock
- Password change using active password
- Enrollment to the self-service giving information for authentication in self-service
- Language decided by Windows/browser choice or user’s individual choice from a selector. More than 20 end-user languages.
Enrollment of end-users to the password manager
- Forced enrollment for users on domain PCs. Requires FastPass PC-client
- Configurable when to be active. Different choices of user actions.
- Automatic e-mail service to users to enroll
- Configurable when to send invitation and when to send reminders
- Customer makes text for different languages and different user groups.
- Corporate data
- Data available in customer’s system like mobile-phone number and corporate data can be imported or be used directly by FastPass. In some situations users, don’t need to enroll.
End-user access to enterprise password manager
- On domain from PC before Windows log-in: FastPass PC-client
- External net from PC before Windows log-in: FastPass PC-client. FastPass even reset password on PC-cache. Requires customer VPN and internet connection. Can be WIFI connection
- WEB-portal intranet
- Webportal extranet
- PC
- Smartphones (iOS, Android)
- Tablets (iOS, Android)
Account protection in the password manager solution
- FastPass locks after X attempts
- Can only be reopened by Service Desk Role
- Requires security certificate on device
- Can be limited to specific IP-addresses
- Only available for active AD user-ids
- Notification to end-users when their FastPass account is being used
Password expiration notification
- Users can be notified before AD password expiration
- In particular valuable for remote users
- Smartphone and tablet users can change passwords directly on portal
Corporate password types – different connectors
- Covers most popular corporate password types:
- Oracle
- SAP
- IBM Z
- IBM ISeries, AS400
- SQL
- LDAP
- Google corp
- Generic connectors for other types of applications
- Password reset as above is available
- Synchronization from AD to any and all of the connectors
End-user authentication when using the corporate password manager
- Semi-private questions
- Standard list controlled by administrator
- Number of questions for authentication configured by the administrator
- Number of questions for enrollment configured by the administrator
- Questions and answers encrypted
- Question and answers visible by privileged persons like service desk agents
- Private questions
- Standard list as above
- Questions formulated by the end-user herself
- Data are encrypted and hashed
- Answers not available for any-one
- SMS
- Private e-mail
- AD user-id authentication
- For authentication for other password types than AD then the password for AD user-id can be used
- Code-card
- Printed small card with coordinates
- The user is asked to enter specific coordinates proving that he has this card
- Out-of-band (OOB) authenticators
- Google authenticator
- Microsoft authenticator
- 2-factor authentication
- The administrator can configure two different types to be used in combination, and both must be OK
- Can be configured for external net and not for internal users
- Can be configured for some user groups
- Can be configured to be active at certain time intervals (like night and weekends)
- User’s free choice
Multi-lingual support
All text available for the users is available in ‘local’ language for the user. The language is automatically selected based on the browser or can be selected directly by each user.
- English
- French
- German
- Spanish
- Danish
- Finnish
- Dutch
- Chinese / Mandarine
- Japanese
- Portuguese
- Polish
- Italian
- Norwegian
- Swedish
- Welsh
- Brazilian
- Lithuanian
- Estonian
- Latvian
Additional languages will be easily added on request.
Enabled for visually impaired persons (W3C Web A.G.) (optional)
SERVICE DESK ROLE
- Authenticate users calling for assisted service
- Use system information
- Use semi-private Q/A
- Issue a PIN code for end-user enrollment to FastPass self-service. User can then reset the password herself
- Can reset and un-lock passwords
- Un-locks FastPass end-user accounts
ADMINISTRATOR ROLE AND GENERAL DESCRIPTION
- The FastPass administrator configures and monitors the application
- Configures network access
- Writes and modifies user assistance text and field text
- Configures enrollment process
- Monitors management statistics and log-files
- Configures SMS services (internal service or external WEB-service)
How FastPass is made secure?
How are sessions protected in FastPass in general?
- First, FastPass only accepts communication over SSL so all session communication is encrypted.
- The session is bound to the specific URL, which means, for instance, that it will not be sent to other apps, even on the same server.
- We change the session on every request - hence, even if an attack succeeded, it is likely that the sessionID would already have been used and changed.
- By default, the TRACK STATE engine in FastPass knows the pages you can get to at any point, and if you do not arrive on the expected pages, the session is abandoned. Hence an attacked attempting to repost will fail in doing so.
- The session can be bound to the IP of the end-user - effectively leaving out listening to requests on a session coming from addresses other than the end-user IP.
How and what data is stored about the end-users?
You can find an exact list of what fields we read/write in AD and what we store and how we do it. The list is available in the technical document named "Microsoft AD integration notes". Contact us to get the list.
General sensitive information is encrypted using a 256 Bit AES algorithm. For hashing, we use PBKDF2 (RFC2898).
Penetration testing of the sowtware?
A PEN-test results in a certified document where the test results are presented. Based on the report, you can decide if there are any shortcomings that mean anything to your security protection. For FastPass is regularly penetration tested by external certified organizations - PCI/OWASP standards are used. The latest report can be provided on request. These tests also cover SQL injections, XSS attacks, etc.
What about hardening the FastPass server?
FastPass has built a hardening package that you can apply to the FastPass installation in order to get the exact same result as in the penetration test report.
How do you protect FastPass password self service tool from man-in-the-middle (MiTM) attacks?
By default, we use SSL, on top of that we also use ViewStateMac on .Net; further, we also have the FastPass TRACK STATE engine, Also, our hardening implements HTTP Strict Transport Security.
How is the PC Windows client protected?
There is a huge number of security features in play here. First of all, the client will refuse to talk to any other sites than the FastPass site it is configured to. It thus refuses to communicate to other sites, and only the needed document types are enabled. Note this also means that you cannot show videos, flash, etc. on the FastPass pages.