Yes, it’s 2019 and we still have to deal with passwords. They should be replaced or supplemented with multi-factor authentication as soon as possible, but it looks like they are here to stay, and their number keeps growing with the number of services we use.
When it comes to password management problems in an organization, you have to think about the processes that are put in place for when users forget their password. If the authentication process is difficult to bypass, attackers will try to take advantage of the password reset procedure.
The password reset procedure must be at the same security level as the authentication process (if not higher!) – there must be a way to securely reset passwords. This process needs to verify the identity of the user who requested a new password before generating one.
Depending on the employee structure, the process of resetting passwords can be quite a challenging task for the helpdesk, as it can take some time which ultimately drives cost – IT support and user downtime.
Specops Software came up with a tool to help with and automate the password reset procedure in a secure way. Specops uReset is a Windows-based tool that plugs into the Active Directory authentication process and allows you to customize the level of security that your organization requires by extending various multi-factor authentication options to the password reset process.
The uReset concept
Specops uReset can be installed on Active Directory to automate the password reset procedure, which is carried out by using multi-factor authentication including various authentication methods from third parties. For example, you can configure it so that employees can self-reset the password via their mobile phone, via Gmail, or a Facebook account, and without needing to contact the helpdesk.
The product implements a number of ways for users to prove their identity, ranging from social identity providers (Facebook, Google, Twitter, Github, etc.) to authentication providers (Duo Security, Microsoft Authenticator, Google Authenticator). Other options include Mobile Code and Specops' own methods (fingerprint and OTP) for the password reset procedure. Of course, the administrator decides which service(s) and method(s) can be used to reset users’ passwords, and this applies not only to end users but also to helpdesk users resetting other users’ passwords.
Users can reset their password via a web browser and via a reset link on the Windows login screen. There is also the option to download the mobile application, which makes the entire process easier.
Specops uReset is a cloud solution. Still, you’ll need to install a server component that will talk to the cloud. Installing a mobile application for your users is optional as there are different choices when it comes to resetting passwords. Users can self-reset the password by following the clear instructions on the web site of the cloud solution. The server component is responsible for communicating with the web front-end and performs the actual password reset task.
The requirements for a Gatekeeper installation (the Specops uReset server component) are Windows Server 2012 R2 or later with .NET Framework 4.7 or later. Since the solution works with sensitive parts of Active Directory, you need to have domain administrator rights in order to install it.
The installation of Specops uReset starts with the execution of a standard setup executable file.
The installation of the server component is straightforward
For the test, we have installed a test Active Directory domain in an AWS cloud with a few testing servers as part of the domain. We have populated users with different privileges and roles with the test script. We have set up the server component in less than five minutes by following the provided instructions. The most complicated step was to paste the authorization code that was obtained during the download of the setup file.
Specops uReset Android application
Mobile applications can be installed from official application stores. Apps are available for iPhone and Android users.
Once installed, you need to go through the initial configuration process to adjust basic Active Directory settings. It is a standard Specops product configuration: configuration categories are on the left side, detailed items which can be modified are on the right side.
Specops uReset server configuration
Once the server component is configured, the next step is to access the admin part on the provided website. There, you can configure password reset providers and methods to reset the password. Also, you can enroll users in the self-service password reset provided by Specops uReset.
More on user enrollment
Note that some of the methods need additional configuration and some of them are ready to be used directly “out of the box”. The latter is possible if your Active Directory is already populated with the correct data for each user that will be given the password reset option. For example, the “Mobile” field should be populated with the correct mobile number of the user if you want to enable password reset via Mobile Code. Another example would be the “Manager” field, if the manager can identify the person.
You can also configure Symantec VIP this way, but you need to specify the LDAP attribute where the Symantec User ID is stored. A similar case is the “samAccountName” attribute, which is used for a reset via the Duo Security solution.
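Before enabling an attribute-backed method, it pays to audit whether the directory actually holds usable data for the users who will get it. The script below is an added example, not Specops code: it models a few Active Directory user objects as plain dicts (constructed sample data) and reports, per method, which enabled users are not ready. The LDAP names mobile, manager and sAMAccountName are the real attributes behind the fields named above; using extensionAttribute1 for the Symantec VIP user ID is an assumption, since the administrator picks that attribute. The shared-mobile-number check is an added safeguard, not something the article describes.

```python
"""Readiness audit for attribute-backed reset methods (added example)."""
import re
from collections import defaultdict

# E.164 form: '+' followed by 7..15 digits, first digit non-zero.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed sample directory. 'extensionAttribute1' as the Symantec VIP
# user-ID attribute is an assumption; the administrator chooses it.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "distinguishedName": "CN=alice,OU=Staff,DC=example,DC=test",
     "mobile": "+15555550100", "manager": "CN=carol,OU=Staff,DC=example,DC=test",
     "extensionAttribute1": "VIP-ALICE", "enabled": True},
    {"sAMAccountName": "bob", "distinguishedName": "CN=bob,OU=Staff,DC=example,DC=test",
     "mobile": "555-0101", "manager": "CN=carol,OU=Staff,DC=example,DC=test",
     "extensionAttribute1": None, "enabled": True},
    {"sAMAccountName": "carol", "distinguishedName": "CN=carol,OU=Staff,DC=example,DC=test",
     "mobile": "+15555550102", "manager": "CN=dave,OU=Staff,DC=example,DC=test",
     "extensionAttribute1": "VIP-CAROL", "enabled": True},
    {"sAMAccountName": "dave", "distinguishedName": "CN=dave,OU=Staff,DC=example,DC=test",
     "mobile": "", "manager": None, "extensionAttribute1": None, "enabled": False},
    {"sAMAccountName": "erin", "distinguishedName": "CN=erin,OU=Staff,DC=example,DC=test",
     "mobile": "+15555550100", "manager": "CN=carol,OU=Staff,DC=example,DC=test",
     "extensionAttribute1": "VIP-ERIN", "enabled": True},
]


def _text(value):
    """True for a non-empty string attribute value."""
    return isinstance(value, str) and value.strip() != ""


def duplicate_mobiles(users):
    """Mobile numbers held by more than one enabled account (added check:
    a one-time code sent to a shared number can reach the wrong person)."""
    holders = defaultdict(list)
    for u in users:
        if u.get("enabled") and _text(u.get("mobile")):
            holders[u["mobile"].strip()].append(u["sAMAccountName"])
    return {num: sorted(names) for num, names in holders.items() if len(names) > 1}


def build_checks(users):
    """Method name -> predicate over one user dict, with directory-wide context."""
    by_dn = {u["distinguishedName"]: u for u in users}
    shared = duplicate_mobiles(users)

    def mobile_ok(u):
        m = u.get("mobile")
        return _text(m) and E164.match(m.strip()) is not None and m.strip() not in shared

    def manager_ok(u):
        # The manager must resolve to an existing, enabled account, or nobody can vouch.
        mgr = by_dn.get(u.get("manager"))
        return mgr is not None and bool(mgr.get("enabled"))

    return {
        "Mobile Code": mobile_ok,
        "Manager identification": manager_ok,
        "Symantec VIP": lambda u: _text(u.get("extensionAttribute1")),
        "Duo Security": lambda u: _text(u.get("sAMAccountName")),
    }


def readiness_report(users):
    """{method: sorted sAMAccountNames of enabled users NOT ready for that method}."""
    checks = build_checks(users)
    enabled = [u for u in users if u.get("enabled")]
    return {method: sorted(u["sAMAccountName"] for u in enabled if not ok(u))
            for method, ok in checks.items()}


def eligible_methods(users, account):
    """Methods a given enabled user could be pre-enrolled for right now."""
    checks = build_checks(users)
    user = next((u for u in users if u["sAMAccountName"] == account and u.get("enabled")), None)
    if user is None:
        return []
    return [method for method, ok in checks.items() if ok(user)]


if __name__ == "__main__":
    for method, not_ready in readiness_report(SAMPLE_USERS).items():
        print(f"{method:24s} not ready: {not_ready or 'none'}")
    print("shared mobiles:", duplicate_mobiles(SAMPLE_USERS))
```

On a real domain you would feed this the output of an LDAP query instead of SAMPLE_USERS; the logic stays the same. Disabled accounts are skipped entirely, but a disabled account still disqualifies anyone whose manager attribute points at it.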
Specops uReset is very flexible, so system administrators together with their security department can assign a specific value for each identity service, ultimately deciding if one identity service is worth twice as much as another during authentication. In the user interface, for both the end user and the administrator, the weights are represented by stars.
Rating identity providers
The user can choose the method or identity provider that is more convenient at a certain time. For example, if a user does not have a mobile phone at the moment of a password reset, it is possible to use a Microsoft Account or any other configured method for authentication.
Assigning a different value per Active Directory Group makes this feature even better and doesn’t lower the bar in terms of security requirements. Users have different preferences during specific situations they might find themselves in, so this is a welcome approach for everyone: administrators, security officers and users.
If your Active Directory is properly populated, users can be pre-enrolled for password resets using Specops uReset.
For most of the online services, users should and can enroll themselves with the online service they use. This consists of following a web link from the uReset user page and authenticating with the target service.
To complete enrollment, the user has to collect enough stars to fill the star bar. Specops guarantees that activity on a given service is not monitored and data is only used for the password reset.
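The star weighting described above (each identity service worth a configurable number of stars, different weights per Active Directory group, and a reset granted only once the verified services fill the bar) is easy to reason about once written down as a policy check. The code below is an added example, not Specops code: the group names, weights and thresholds are constructed values, and the rule that an account in several groups gets the most demanding group's policy is a design choice of this example. It also applies the enrollment rule from the text: a service only earns stars during a reset if the user enrolled it beforehand.

```python
"""Weighted identity-provider policy for password resets (added example)."""
from dataclasses import dataclass

# Constructed weights: strong factors are worth twice a social login, so one
# strong factor or two social logins fills the bar for ordinary users.
USER_WEIGHTS = {
    "Duo Security": 2, "Microsoft Authenticator": 2, "Mobile Code": 2,
    "Manager identification": 2, "Google": 1, "Facebook": 1, "Twitter": 1, "Github": 1,
}
# Constructed: admins get no credit for social logins and need two strong factors.
ADMIN_WEIGHTS = {
    "Duo Security": 2, "Microsoft Authenticator": 2, "Mobile Code": 2,
    "Manager identification": 2,
}
GROUP_WEIGHTS = {"Domain Users": USER_WEIGHTS, "Domain Admins": ADMIN_WEIGHTS}
GROUP_THRESHOLD = {"Domain Users": 2, "Domain Admins": 4}   # stars needed to fill the bar


@dataclass(frozen=True)
class ResetRequest:
    account: str
    groups: tuple     # AD groups the account belongs to
    enrolled: tuple   # services the user enrolled earlier from the uReset user page
    verified: tuple   # services that returned a successful verification just now


def applicable_policy(groups):
    """Return (weights, threshold) of the most demanding group the account is in.
    Design choice of this example: a member of several groups gets the highest bar."""
    known = [g for g in groups if g in GROUP_THRESHOLD]
    if not known:
        raise ValueError("no reset policy applies to these groups")
    group = max(known, key=GROUP_THRESHOLD.__getitem__)
    return GROUP_WEIGHTS[group], GROUP_THRESHOLD[group]


def star_count(weights, services):
    """Sum the stars of distinct services; unknown services earn nothing."""
    return sum(weights.get(s, 0) for s in set(services))


def enrollment_complete(groups, enrolled):
    """True when the enrolled services alone could fill the bar (the star bar
    on the user page is full)."""
    weights, threshold = applicable_policy(groups)
    return star_count(weights, enrolled) >= threshold


def stars_for_request(request):
    """Stars earned by this reset attempt and the threshold it must reach.
    A verification from a service the user never enrolled counts for nothing."""
    weights, threshold = applicable_policy(request.groups)
    counted = set(request.verified) & set(request.enrolled)
    return star_count(weights, counted), threshold


def reset_allowed(request):
    stars, threshold = stars_for_request(request)
    return stars >= threshold


if __name__ == "__main__":
    # Constructed scenario from the text: no phone at hand, Google + Facebook instead.
    bob = ResetRequest("bob", ("Domain Users",),
                       enrolled=("Mobile Code", "Google", "Facebook"),
                       verified=("Google", "Facebook"))
    print("bob:", stars_for_request(bob), "allowed" if reset_allowed(bob) else "denied")
    admin = ResetRequest("carol", ("Domain Users", "Domain Admins"),
                         enrolled=("Duo Security", "Google", "Facebook"),
                         verified=("Duo Security", "Google", "Facebook"))
    print("carol:", stars_for_request(admin), "allowed" if reset_allowed(admin) else "denied")
```

The two scenarios in the usage block show the point of weighting: an ordinary user without a phone can still fill the bar with two social logins, while an administrator who brings a Duo verification plus the same two social logins is still refused, because social logins carry no weight for that group and one strong factor is only half the admin bar.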
Once users are enrolled, they are ready to reset their password. To do that, they need to access the special link given in the configuration process with a web browser.
Specops uReset login for users
When users reset their password, they will be able to see your password complexity requirements as they type in their new password. This prevents future frustration when a password change fails.
Another way to reset the password is through the mobile application. To use the mobile application, the user is required to enter an e-mail address and, according to the given rules, the application will ask for specific identity verification (Mobile Code, social identity, etc.).
Specops uReset mobile application login
Once everything is set up, the administrator doesn’t have to spend any more time with this tool. Helpdesk workers will also appreciate this tool as they will not have to handle password reset requests on a daily basis.
Specops uReset offers an innovative approach for password resetting:
- It provides users with the self-service option.
- It relies on multi-factor authentication and trusted third-party authentication providers. What differentiates Specops from the competition is that they not only provide alternatives but also a weighting ability to ensure that security is not sacrificed, e.g. the user does not have a phone but can use Google and Facebook to authenticate.
- It allows organizations to decide which authentication factors they will use and which authentication providers they will trust.
The product works entirely as advertised. The installation process is simple and easy. The documentation provided is sufficient (although almost unneeded, as the interface is very intuitive).
If your helpdesk is spending too much time on resetting users’ Active Directory passwords, you should try out Specops uReset.