Benefits of having a Self Service Password Tool
Increase productivity in Service Desk and Secure calls through Identity Verification
What are the benefits of having a Self Service Password Tool?
If you are looking for a new platform that lets your users reset their own passwords, or lets your help desk secure calls by verifying the caller's identity to avoid scams and social-engineering attacks, make sure the new tool has the following features:
Features for End users
Self-service functionality for end-users:
Corporate password types – connectors: * **
- Password reset for forgotten passwords
- Unlock of a locked-out account
- Password change using the current (still valid) password
- Enrollment in self-service, where the user supplies the information later used to authenticate in self-service
- Language chosen from the Windows/browser locale or by the user from a selector; more than 20 end-user languages
- Semi-private questions
  - Standard list controlled by the administrator
  - Number of questions required for authentication configured by the administrator
  - Number of questions required for enrollment configured by the administrator
  - Questions and answers stored encrypted
  - Questions and answers are readable by privileged roles such as service desk agents (this is what makes them "semi-private")
- Private questions
  - Standard list as above
  - Questions formulated by the end user herself
  - Data are encrypted and hashed
  - Answers are not readable by anyone, including service desk agents; only the hash is kept for verification
- PIN code sent to the user's registered mobile number
- Covers the most common corporate password types:
  - IBM Z
  - IBM iSeries (AS/400)
  - Google corporate accounts
  - Generic connectors for other types of applications
  - Password reset as above is available for connectors (not for FLEX)
  - Password synchronization from AD to any or all of the connectors
Enrollment of end-users:
Accessible to visually impaired users (W3C web accessibility guidelines) * ***
- Forced enrollment for users on domain PCs; requires the FastPass PC client (FLEX option)
- Configurable when enrollment is enforced, with a choice of user actions that trigger it
- Automatic e-mail invitations asking users to enroll (FLEX option)
- Configurable when to send the invitation and when to send reminders
- The customer writes the text for different languages and different user groups
- Corporate data (FLEX option)
  - Data already available in the customer's systems, such as mobile-phone numbers and other corporate data, can be imported or used directly by FastPass. In some situations users then do not need to enroll at all.
- FastPass locks the account after X failed attempts
  - Can only be reopened by the Service Desk role
- Requires a security certificate on the device
- Can be limited to specific IP addresses
- Only available for active AD user IDs
- Notification to end users whenever their FastPass account is used
Password expiration notification:
- On the domain, from the PC before Windows log-in: FastPass PC client (FLEX option)
- On an external network, from the PC before Windows log-in: FastPass PC client. FastPass also updates the cached domain credentials on the PC, so the new password works offline. Requires the customer's VPN and an internet connection; a Wi-Fi connection is sufficient (FLEX option)
- Web portal on the intranet
- Web portal on the extranet
- Smartphones (iOS, Android)
- Tablets (iOS, Android)
- Users can be notified before their AD password expires
- Particularly valuable for remote users, who otherwise discover the expiry only when they can no longer log in
- Smartphone and tablet users can change passwords directly on the portal
All text shown to users is available in the user's local language. The language is selected automatically from the browser locale or can be chosen directly by each user.
- Chinese (Mandarin)
Features for Service Desk
Features for Admin or other support departments
- Authenticate users who call for assisted service
  - Using system information
  - Using semi-private questions and answers
- Issue a PIN code for end-user enrollment in FastPass self-service; the user can then reset the password herself
- Reset passwords and unlock AD accounts
- Unlock FastPass end-user accounts (after too many failed self-service attempts)
The FastPass administrator configures and monitors the application:
- Configures network access
- Writes and modifies user-assistance text and field text
- Configures the enrollment process
- Monitors management statistics and log files
- Configures SMS services (internal service or external web service)
* optional   ** FLEX option   *** limited to non-FLEX plans
FastPass Security Features
The security of a software application does not depend on the software alone; it also depends on the security of the surrounding IT infrastructure. FastPassCorp cannot dictate how customers configure that infrastructure. We do, however, promise that our documentation and consulting recommendations will explain how you can configure your IT systems to protect FastPass data and processes in your environment.
Protecting the integrity of data
- FastPass connects to AD over SSL/TLS (LDAPS), so directory traffic is encrypted in transit. This requires a server certificate whose RSA key is 2048 or 4096 bits; the certificate authenticates the domain controller, while the session itself is protected by the negotiated TLS cipher.
- Internal system encryption uses AES-256, the largest key size AES offers in .NET.
- Sensitive data are stored in the database encrypted with AES-256.
- User data can additionally be hashed on top of the encryption, so that the stored value cannot be turned back into the original answer.
- All sensitive data, such as the users' questions and answers, are AES-256 encrypted.
- The FastPass TrackEngine prevents intercepted messages from being replayed (captured and re-posted) against the server.
- Internal communication from front-end to back-end to gateway is only possible with trusted SSL/TLS certificates and only from selected IP addresses.
- Passwords can be stored AES-256 encrypted in the FastPass database. This enables a set of password-history features, for example a minimum number of character differences from any previously used password. Because this storage is reversible rather than hashed, the database encryption key must be protected as carefully as the passwords themselves.
Protecting the Windows PC Client
- The Windows client enforces three levels of restriction to keep intruders out:
  - URL restrictions: the client only communicates with the FastPass server
  - Keyboard restrictions
  - Process restrictions (level 1 enforced by Windows, level 2 enforced by the Windows client's C and .NET code)
Preventing access to user’s FastPass account
- Notification to the user of every authentication attempt made with questions and answers
- A user is never asked the same challenge question twice in one authentication, and cannot register the same answer for two different questions
- FastPass always checks that the user is still enabled and active in AD before the user can use FastPass (FastPass never enables a disabled user)
- After 3 failed attempts the user is locked in FastPass (not in AD); Service Desk assistance is needed to unlock the FastPass account again
- CAPTCHA protection against automated (robotic) attempts is included
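The list above, together with the private-question description in the end-user section, specifies a small security model: answers to private questions are stored only as hashes, no answer may be reused across questions, a challenge never repeats a question, and three failures lock the FastPass account until the Service Desk role unlocks it. The following Python is an added example written for this page, not FastPass code; it models the private-question path only (the semi-private path, where answers are reversibly encrypted so agents can read them, needs an AES library and is omitted). Question texts, the PBKDF2 iteration count and the numbers of enrollment/challenge questions are assumed values standing in for the administrator's configuration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware (higher is slower for attackers too)
MAX_FAILED_ATTEMPTS = 3       # the page: lock after 3 failed attempts
ENROLL_QUESTIONS = 3          # assumed administrator setting
CHALLENGE_QUESTIONS = 2       # assumed administrator setting


def normalize(answer: str) -> str:
    """Canonical form so 'Blue  Car' and 'blue car' verify as the same answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash: the stored value cannot be turned back into the answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


class AccountLocked(Exception):
    pass


class PolicyError(ValueError):
    pass


class PrivateQA:
    """Self-service account backed by private questions (hash-only storage)."""

    def __init__(self):
        self.questions = {}   # question id -> text (may be written by the user)
        self.records = {}     # question id -> (salt, hash); no plaintext is ever kept
        self.failed = 0
        self.locked = False
        self.events = []      # what the product would send the user by SMS/e-mail

    def enroll(self, answers: dict):
        """answers: {question_id: (question_text, answer)}. Enforces the enrollment policy."""
        if len(answers) < ENROLL_QUESTIONS:
            raise PolicyError(f"enrollment requires {ENROLL_QUESTIONS} questions")
        normalized = [normalize(a) for _, a in answers.values()]
        if any(not n for n in normalized):
            raise PolicyError("empty answer")
        if len(set(normalized)) != len(normalized):
            raise PolicyError("the same answer may not be used for two questions")
        for qid, (text, answer) in answers.items():
            salt = os.urandom(16)                       # per-answer salt
            self.questions[qid] = text
            self.records[qid] = (salt, hash_answer(answer, salt))
        self.events.append("enrolled")

    def challenge(self) -> list:
        """Pick CHALLENGE_QUESTIONS distinct questions; a question is never asked twice."""
        if self.locked:
            raise AccountLocked("unlock via the Service Desk role")
        chosen = []
        while len(chosen) < CHALLENGE_QUESTIONS:
            qid = secrets.choice(list(self.records))
            if qid not in chosen:
                chosen.append(qid)
        return chosen

    def verify(self, responses: dict) -> bool:
        """responses: {question_id: answer}. Counts failures and locks after the limit."""
        if self.locked:
            raise AccountLocked("unlock via the Service Desk role")
        if len(responses) < CHALLENGE_QUESTIONS or any(q not in self.records for q in responses):
            raise PolicyError("challenge must cover the configured number of enrolled questions")
        ok = True
        for qid, answer in responses.items():             # check every answer, no early exit
            salt, stored = self.records[qid]
            if not hmac.compare_digest(hash_answer(answer, salt), stored):
                ok = False
        if ok:
            self.failed = 0
            self.events.append("auth-success")
        else:
            self.failed += 1
            self.events.append("auth-failed")
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True                          # locked in FastPass, not in AD
                self.events.append("locked")
        return ok

    def service_desk_unlock(self, role: str):
        """Only the Service Desk role may reopen a locked FastPass account."""
        if role != "ServiceDesk":
            raise PermissionError("only the Service Desk role can unlock")
        self.locked = False
        self.failed = 0
        self.events.append("unlocked")


if __name__ == "__main__":
    acct = PrivateQA()
    acct.enroll({"q1": ("First pet?", "Rex"), "q2": ("Birth city?", "Oslo"), "q3": ("First car?", "Saab")})
    print(acct.verify({"q1": " rex ", "q2": "OSLO"}), acct.events)
```

Note that verification evaluates every supplied answer before deciding, so response time does not reveal which answer was wrong, and the stored records contain only salts and hashes, which is why the page can say private answers are "not available for anyone".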
Best practices for securing FastPass access include the following actions:
- The fundamental component is installing the FastPass web services in a DMZ.
- Hardening of the DMZ server according to the FastPass hardening documentation.
- Require two-factor authentication for users connecting from the WAN.
- Notify users of every password reset.
- Notify users via SMS and e-mail whenever their FastPass account has been used, for example when an authentication attempt fails.
- Use only SSL/TLS versions that are PCI-compliant: in practice TLS 1.2 or later, since SSL and TLS 1.0 are prohibited by PCI DSS and TLS 1.1 is deprecated.
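The LDAPS requirement in "Protecting the integrity of data" and the PCI-compliant TLS version requirement above come down to the same client-side settings: verify the domain controller's certificate against the customer CA, check the hostname, and refuse anything below TLS 1.2. The following Python is an added example for this page, not FastPass code; it shows the hardened context next to the weak one that "just makes it work", and a probe that reports what a DC actually negotiates. The hostname, port and CA file path are assumptions.

```python
import socket
import ssl

# PCI DSS prohibits SSL and "early TLS" (TLS 1.0); TLS 1.1 is deprecated. Only these pass today.
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def ldaps_context(ca_file=None) -> ssl.SSLContext:
    """Hardened client context for LDAPS (AD on TCP 636).

    ca_file: PEM bundle with the customer's CA that issued the DC certificate
    (assumed path; None falls back to the OS trust store).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = REQUIRED_MIN_VERSION   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                    # DC name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED          # chain must validate to the CA
    return ctx


def weak_context() -> ssl.SSLContext:
    """The configuration to avoid: no CA check and no hostname check, protocol floor left at
    the library default. An on-path attacker can present any certificate and the
    connection still succeeds, so the 'SSL to AD' box is ticked without any real protection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(host: str, port: int = 636, ca_file=None, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report the negotiated parameters.

    Raises ssl.SSLError (or ssl.SSLCertVerificationError) if the DC cannot meet the policy,
    which is the result you want to see documented before go-live.
    """
    ctx = ldaps_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
                "compliant": tls.version() in COMPLIANT_VERSIONS,
            }


if __name__ == "__main__":
    # assumed DC name and CA bundle; run from a host that can reach the domain controller
    print(probe_ldaps("dc01.corp.example", ca_file="/etc/ssl/corp-ca.pem"))
```

The probe does not report the certificate's RSA key size because the standard library does not expose it; check that with `openssl s_client -connect dc01.corp.example:636` (look for "Server public key is 2048 bit") or with an X.509 library.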
For environments with higher security requirements, the following measures can also be evaluated:
- Only allow access through the Windows client on remote PCs (this blocks the browser interface)
- Require remote devices to present a trusted device or user certificate
- Allow enrollment only from the LAN
- Limit the range of IP addresses allowed on the WAN side