Managing Passwords for Mobile Users
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Knowledge workers are increasingly mobile, and frequently have to connect to internal I.T. resources from outside the enterprise network.
Mobile users must manage passwords both on their own notebook computers and on networked systems.
Managing passwords for mobile users is more challenging than managing passwords for network-attached users. Unique technical problems include managing local passwords on thousands of devices, coping with cached credentials and supporting mobile users who forgot their initial sign-on password.
This document describes how Hitachi ID Password Manager addresses the technical challenges of managing passwords for mobile users.
Contents
1 Confidentiality
2 Introduction
3 Making Routine Changes to Local Passwords
3.1 The Problem
3.2 Solutions
4 When Users Forget Their Initial Password
4.1 The Problem
4.2 The Solution for Network-attached Users
4.3 Solutions for Mobile Users
5 When Users Forget Their Remote-access Password
5.1 The Problem
5.2 Solutions
6 Conclusions
7 References
7.1 Setting Up Roaming Profiles
7.2 IVR Vendors and Systems
7.3 Authenticating Remote Users with Hardware Tokens
7.4 Self-Service from the Login Prompt
1 Confidentiality
This document describes key technology developed by Hitachi ID Systems to support customer requirements for an enterprise-class, high-availability, high-throughput password synchronization system.
This technology is proprietary, and the design considerations described herein are not widely understood in the password management, and in particular in the password reset market segment. Moreover, patent applications have been filed regarding some of the technology described herein.
This document is made available to current and prospective Hitachi ID Systems customers to help them understand how best to select and deploy an effective password synchronization system.
In an effort to maintain Hitachi ID Systems’s technological lead in the password management market segment, the reader is asked to refrain from discussing detailed design objectives and solutions herein with other vendors of provisioning, identity management or password management technologies.
Please keep this document confidential.
2 Introduction
Knowledge workers are increasingly mobile, and frequently have to connect to internal I.T. resources from outside the enterprise network.
Mobile users must manage passwords both on their own notebook computers and on networked systems.
Managing passwords for mobile users is more challenging than managing passwords for network-attached users. Unique technical problems include managing local passwords on thousands of devices, coping with cached credentials and supporting mobile users who forgot their initial sign-on password.
This document describes how Hitachi ID Password Manager addresses the technical challenges of managing passwords for mobile users.
The remainder of this document is organized into sections that describe challenges specific to managing
passwords for mobile users, and how Password Manager addresses each problem.
• Managing local passwords
Managing local passwords using a network-attached password management system.
• When users forget their initial password
Providing self-service assistance to users who forget their initial password, including both network-attached and off-line users.
• When users forget their remote-access password
Providing self-service assistance to off-site users who forgot or disabled the password they use to
connect to the network.
• Conclusions
A summary of the challenges of password management for mobile users, and of Password Manager
solutions.
• References
Relevant reference material on the Internet.
3 Making Routine Changes to Local Passwords
3.1 The Problem
Users with fixed PCs in a networked environment typically log into their workstations with a login ID and
password that are actually validated by a network operating system, such as a Windows Active Directory or
Novell NetWare NDS / eDirectory.
This is convenient, because a networked password management system does not have to directly interact
with user IDs or passwords stored on individual PCs. Instead, it simply manipulates passwords on the
network operating system or directory.
In contrast, mobile users must be able to sign into their workstations even when they are not connected to
the network. That means that they must either be able to log into their workstation without a password, or
else their login ID and password must be physically stored on their own computer.
User IDs and passwords that are managed locally on a workstation may either be local to that computer, or
else they may be cached copies of credentials that are normally maintained on a network operating system
or directory (Active Directory, eDirectory, etc.).
In either case, a central, networked password management system must be able to update passwords
stored on individual computers. This implies either sophisticated technology to “reach back” to workstations,
or software that is installed on each and every mobile computer.
3.2 Solutions
In most corporate environments, users sign into disconnected workstations with cached network credentials. In this case, the problem of managing local passwords is somewhat reduced, as users are normally prohibited from changing their passwords while off-line.
If mobile users log into their workstations with a local ID, rather than a cached copy of a network ID, then
Hitachi ID Password Manager can use an Active-X component to reset local passwords.
This component is only available for web-based, self-service password updates (both routine changes and resets due to a forgotten password). Since an interactive web browser session is required, this method is not suitable for use with transparent password synchronization, for assisted password resets, or for telephony-based password resets, none of which involve a web browser session on the user’s workstation.
The component is inserted into the password reset results page. It is downloaded by the user’s web browser
(Note: only IE supports Active-X components), and executes locally on the user’s workstation. To run, it
may either use a network administrator account with local privileges on each workstation, or else a local
administrative account must be configured on each workstation, and be available for this component.
An installation program is available with Password Manager to create a local administrator account on each
workstation, and to set its password to a random value. This program can be used in conjunction with a
software distribution system like SMS to create a suitable account on every workstation where it may be
required.
4 When Users Forget Their Initial Password
4.1 The Problem
When users forget a password or accidentally trigger an intruder lockout, their problem is frequently with
their initial login. This presents some special problems:
• Self-service solutions are generally web based, and this is true of password reset systems as well.
• Users who need to access a self-service system for password reset therefore need access to a web
browser. If their problem is with their initial login, then they don’t yet have access to their own desktop,
and so can’t launch a web browser.
• As a result, users who forget their own password cannot, without special measures, easily take advantage of a self-service solution.
The above problems are true of connected office workers, as well as mobile users. For mobile users, a
self-service password reset system has extra challenges:
• The self-service system must be accessible from the login prompt of workstations that are not yet
network attached. This requires a client software footprint.
• The self-service client software must establish a network connection to the server component – without much user input.
• The self-service system must be able to reset local passwords, as described in Section 3.
4.2 The Solution for Network-attached Users
For network-attached users, this problem can be overcome in several ways.
When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, but they need a web browser to fix their password and make it possible to log in.
Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:
Option 1. Do nothing: users continue to call the help desk.
Pros:
• Inexpensive, nothing to deploy.
Cons:
• The help desk continues to field a high password reset call volume.
• No solution for local passwords or mobile users.

Option 2. Ask a neighbor: Use someone else’s web browser to access self-service password reset.
Pros:
• Inexpensive, no client software to deploy.
Cons:
• Users may be working alone or at odd hours.
• No solution for local passwords or mobile users.
• Wastes time for two users, rather than one.
• May violate a security policy in some organizations.

Option 3. Secure kiosk account (SKA): Sign into any PC with a generic ID such as “help” and no password. This launches a kiosk-mode web browser directed to the password reset web page.
Pros:
• Simple, inexpensive deployment, with no client software component.
• Users can reset both local and network passwords.
Cons:
• Introduces a “generic” account on the network, which may violate policy, no matter how well it is locked down.
• One user can trigger an intruder lockout on the “help” account, denying service to other users who require a password reset.
• Does not help mobile users.

Option 4. Personalized SKA: Same as the domain-wide SKA above, but the universal “help” account is replaced with one personal account per user. For example, each user’s “help” account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
Pros:
• Eliminates the “guest” account on the domain, which does not have a password.
Cons:
• Requires creation of thousands of additional domain accounts.
• Requires ongoing creation and deletion of domain accounts.
• These new accounts are special – their passwords do not expire and would likely not meet strength rules.

Option 5. Local SKA: Same as the domain-wide SKA above, but the “help” account is created on each computer, rather than on the domain.
Pros:
• Eliminates the “guest” account on the domain.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
Cons:
• Requires a small footprint on each computer (the local “help” account).

Option 6. Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.
Pros:
• Simple deployment of centralized infrastructure.
• No client software impact.
• May leverage an existing IVR (interactive voice response) system.
• Helpful for remote users who need assistance connecting to the corporate VPN.
Cons:
• New physical infrastructure is usually required.
• Users generally don’t like to “talk to a machine” so adoption rates are lower than with a web portal.
• Does not help mobile users who forgot their cached domain password.
• Does not help unlock PINs on smart cards.

Option 8. Physical kiosks: Deploy physical Intranet kiosks at each office location.
Pros:
• Eliminates generic or guest accounts.
• May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
Cons:
• Costly to deploy – hardware at many locations.
• Does not help mobile users who forgot their cached domain password.
• Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9. GINA DLL: Windows XP: Install a GINA DLL on user computers, which adds a “reset my password” button to the login screen.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• Works on Windows Terminal Server and Citrix Presentation Manager.
Cons:
• Requires intrusive software to be installed on every computer.
• Broken installation or out-of-order un-installation will render the computer inoperable (i.e., “brick the PC”).

Option 10. GINA Extension Service: Similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• More robust, fault-tolerant installation process than the GINA DLL.
Cons:
• Requires software to be installed on every computer.
• Does not work on Citrix Presentation Server or Windows Terminal Server – only works on personal computers.

Option 11. Credential Provider: The equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
Pros:
• User friendly, intuitive access to self-service.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
• Works on Windows Terminal Server and Citrix Presentation Manager.
• More robust infrastructure than GINA DLLs on Windows XP.
Cons:
• Deployment of intrusive software to every workstation.
No other product or vendor supports as many options for assisting users locked out of their PC login screen.
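The drawbacks listed for the secure kiosk account options (a generic “help” account on the network, and an intruder lockout on that account denying service to other users) are conditions a deployment can watch for. The following Python example is added here and is not part of Password Manager or of the original paper: it scans logon records for the kiosk account and flags non-console logons, bursts of failed logons and lockouts. The record layout, host names and thresholds are assumptions and the sample events are constructed; the event IDs 4624, 4625 and 4740 and logon type 2 are the standard Windows Security log values.

```python
"""Audit use of a shared kiosk account in logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

KIOSK_ACCOUNT = "help"               # generic ID named in the paper
LOGON_OK, LOGON_FAIL, LOCKOUT = 4624, 4625, 4740   # Windows Security event IDs
INTERACTIVE = 2                      # Windows logon type for a console logon
FAIL_BURST = 3                       # assumed threshold: failures per window
FAIL_WINDOW = timedelta(minutes=5)   # assumed sliding window

# Constructed sample records; the dictionary layout is an assumption that
# mirrors fields an exported Security log would carry.
SAMPLE_EVENTS = [
    {"time": "2014-03-03T08:01:10", "id": 4624, "user": "help",
     "logon_type": 2, "host": "WS-014"},
    {"time": "2014-03-03T08:05:00", "id": 4624, "user": "jsmith",
     "logon_type": 2, "host": "WS-014"},
    {"time": "2014-03-03T09:12:00", "id": 4624, "user": "help",
     "logon_type": 3, "host": "FILESRV01"},
    {"time": "2014-03-03T10:00:01", "id": 4625, "user": "help",
     "logon_type": 2, "host": "WS-022"},
    {"time": "2014-03-03T10:00:20", "id": 4625, "user": "help",
     "logon_type": 2, "host": "WS-022"},
    {"time": "2014-03-03T10:00:41", "id": 4625, "user": "HELP",
     "logon_type": 2, "host": "WS-022"},
    {"time": "2014-03-03T10:00:45", "id": 4740, "user": "help",
     "host": "DC01"},
]


def audit_kiosk_account(events, account=KIOSK_ACCOUNT):
    """Return (finding, host, time) tuples for the kiosk account.

    non_console_logon: the account logged on other than at a console, which
                       a kiosk-only account should never do.
    failure_burst:     FAIL_BURST failed logons from one host in FAIL_WINDOW.
    kiosk_locked_out:  the shared account is locked, so no user can reach
                       self-service until it is unlocked.
    """
    findings = []
    failures = defaultdict(list)     # host -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"].lower() != account:
            continue
        when = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == LOGON_OK:
            if ev.get("logon_type") != INTERACTIVE:
                findings.append(("non_console_logon", host, ev["time"]))
        elif ev["id"] == LOGON_FAIL:
            recent = [t for t in failures[host] if when - t <= FAIL_WINDOW]
            recent.append(when)
            failures[host] = recent
            if len(recent) == FAIL_BURST:   # report once, when threshold is hit
                findings.append(("failure_burst", host, ev["time"]))
        elif ev["id"] == LOCKOUT:
            findings.append(("kiosk_locked_out", host, ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in audit_kiosk_account(SAMPLE_EVENTS):
        print(*finding)
```
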
4.3 Solutions for Mobile Users
When users are off-site and not connected to the corporate network, they can use a telephony (IVR) solution to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.
An LSKA (local, secure kiosk account), GINA extension service or credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Hitachi ID Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX).
Password Manager software installed on a user’s Windows laptop enables password reset while away from the office, as follows:
• The user’s PC is not physically attached to any network – the user may be at an airport, coffee shop,
etc.
• The user is faced with a login screen to which he does not know the password.
• The user’s (forgotten) AD password is cached on the PC, to allow logins while away from the corporate
network.
• If the LSKA is deployed, the user signs into his workstation with the user name “help” and no password.
• If the GINA (Graphical Identification and Authentication library) extension service or Credential Provider
is deployed, the user presses a button on the Windows login screen with a label such as “I forgot my
password.”
• The Password Manager client software service is started and detects (a) that there is no physical
network connection but also (b) the PC has a wireless network adapter.
• Password Manager scans for available WiFi hot-spots and asks the user to select one. They are
ordered by signal strength, so the user normally chooses the first one (nearest AP; often public).
• The user’s web browser is launched and the user may have to register, pay or accept the terms of use
of the network provider.
• Once the user’s PC is on the Internet, Password Manager will launch a temporary VPN connection to
the corporate network.
• Password Manager will launch a kiosk-mode web browser to the password reset web portal. Since
the browser is in kiosk mode, the user cannot navigate to any other URL.
• The user will perform a password reset in this web browser session. This will include self-identification,
some form of non-password authentication (e.g., CAPTCHA + security questions + mobile phone SMS
PIN) and selection of a new password.
• Password Manager will use an ActiveX component to re-authenticate the user’s PC to the domain, over the VPN.
This has the desirable side-effect of updating the cached password on the user’s PC.
• The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi
session.
• The user is able to sign into his PC with his new password, which has been applied both at work and
to the local cache.
Please note that the WiFi elements in the above sequence are optional. The user may be at work, or
at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired
connection. All of these alternatives also work essentially as described above.
The net effect is that a solution can be deployed as follows:
• A lightweight software package is deployed to every notebook computer (i.e., a small package that
does not necessarily alter the GINA).
• Users who forget their initial password can type “help” at the login prompt. This works when they are
already attached to the corporate network, and also when they are off-site, and physically attached to
a phone line or broadband connection, but not yet signed onto the corporate network.
• Users may also be able to press a button in the GINA to request password assistance. This requires
a somewhat more invasive client software package, but is also somewhat more user friendly.
• Once a user types “help,” he may have to wait for the client component to sign onto the network.
• Once signed-in, the user is presented with a kiosk-mode web interface to identify himself, authenticate,
and reset passwords on both the network and his own PC. This part of the process is the same for
both off-site and on-site users.
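The sequence above depends on the kiosk-mode browser being unable to leave the password reset portal. The paper does not say how that restriction is enforced; the following Python example is added here, is not Password Manager code, and shows one way a kiosk shell could decide whether a navigation request stays on the portal. The portal host `reset.example.com` and the path prefix `/reset/` are placeholders, and the sample requests are constructed.

```python
"""Navigation allowlist for a kiosk-mode browser (added example)."""
from urllib.parse import unquote, urlsplit

PORTAL_HOST = "reset.example.com"    # placeholder portal host
PORTAL_PATH_PREFIX = "/reset/"       # hypothetical path of the reset pages
PORTAL_PORT = 443

# Constructed navigation requests a kiosk shell might be asked to open.
CONSTRUCTED_REQUESTS = [
    "https://reset.example.com/reset/start",
    "https://reset.example.com:443/reset/verify?step=2",
    "http://reset.example.com/reset/start",            # not TLS
    "https://reset.example.com.evil.example/reset/",   # look-alike host
    "https://reset.example.com@evil.example/reset/",   # host hidden by userinfo
    "https://reset.example.com:8443/reset/",           # other service, same host
    "https://reset.example.com/reset/../admin",        # climbs out of the prefix
    "https://reset.example.com/reset/%2e%2e/admin",    # same, percent-encoded
    "file:///C:/",                                      # local file system
]


def navigation_allowed(url):
    """Return True only for https URLs on the portal host and path prefix."""
    # Backslashes and whitespace are parsed differently by different URL
    # parsers, so refuse them instead of guessing what the browser will do.
    if any(ch in url for ch in "\\\t\r\n "):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # "user@host" forms make the real host easy to misread; never needed here.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if host != PORTAL_HOST:
        return False
    if port not in (None, PORTAL_PORT):
        return False
    # Decode before checking so encoded dot segments cannot escape the prefix.
    path = unquote(parts.path)
    if ".." in path.split("/"):
        return False
    return path.startswith(PORTAL_PATH_PREFIX)


def blocked_requests(urls):
    """Return the URLs from `urls` that the kiosk must refuse to open."""
    return [u for u in urls if not navigation_allowed(u)]


if __name__ == "__main__":
    for u in CONSTRUCTED_REQUESTS:
        print("ALLOW" if navigation_allowed(u) else "BLOCK", u)
```
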
5 When Users Forget Their Remote-access Password
5.1 The Problem
Mobile users normally have to attach to the corporate network periodically. This is normally done either with
a dial-up session (RAS) or using a virtual private network over the Internet (VPN).
When users make RAS or VPN connections, they have several authentication options, including:
• Typing a password.
• Using a “saved” password stored in the dialer on their PC.
• Using a PKI certificate stored on their PC.
• Using a hardware token.
If users must type their password, and if they forget that password or trigger intruder lockout, they should
access a self-service password reset system to fix their problem, rather than calling the help desk.
Token users who forget their PIN, or whose token clock drifts too far away from the authentication server’s
clock have similar problems with authenticating to the network.
The problem here is that the user is not connected to the network, so it may be difficult to use a web-based
solution.
5.2 Solutions
Hitachi ID Password Manager supports several solutions for users who have a problem with their remote-
access password:
• Using an IVR system, a user can identify himself, authenticate and reset one or more passwords with
just a telephone.
Password Manager integrates with many IVR systems, including general-purpose ones that a customer may have, and specially-designed secure IVR systems that leverage biometric voice print verification or hardware token authentication.
For existing IVR systems, Password Manager integrates by providing a secure, remote function call library that the call logic on the IVR server can use to authenticate users and reset their passwords.
Integrated solutions for biometric caller authentication are available directly from Hitachi ID Systems or from vendors such as Vocent.
Hitachi ID Telephone Password Manager, a single-purpose IVR system that can only perform password resets, is also available directly from Hitachi ID Systems.
• For Internet-attached users, who must authenticate to a VPN, the Password Manager web interface
can be exposed on a company’s Extranet. This can be done by placing the Password Manager server
in a DMZ, or using a reverse web proxy to access it on the private network.
With this setup, users can reset their own forgotten VPN passwords over the Internet, and then establish a VPN connection using the new password.
• Using client software and a dialer, as described in Subsection 4.3, workstations can be configured to dial in or connect with a VPN using stored, special-purpose credentials. Such a connection can be made available to users with a locally-defined kiosk account, where users who forgot their RAS password can type “help,” authenticate, and reset their RAS password with a web browser.
6 Conclusions
Both routine password management and self-service password resets present special technical challenges
when applied to mobile users. These challenges include:
• Managing workstation passwords.
• Accessing a self-service password reset from disconnected workstations.
• Accessing a self-service password reset prior to establishing a working network connection.
Hitachi ID Password Manager includes technologies to address each of these problems:
• An Active-X component to reset local passwords.
• A workstation-installed secure kiosk account that can activate a dialer or VPN client prior to presenting a user interface.
• Integration with IVR systems and Extranets to reset RAS and VPN passwords.
While it is more difficult to set up effective password management for mobile users than for network-attached
users, the payoff is higher. This is because problems experienced by mobile users are more difficult and
costly to solve with traditional assisted-service methods.
7 References
7.1 Setting Up Roaming Profiles
• Guide to Windows NT policies and profiles, which makes mention throughout of roaming profiles:
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q161334
• Creating roaming profiles for various Windows operating system versions:
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q142682
• Novell NetWare’s ZenWorks can be configured to create “volatile users” on a workstation when a user
signs onto it with an ID that exists on the NDS tree but not locally. These are normally deleted at the
end of a login session.
The NetWare client can be configured to create “non-volatile users” which persist for a finite number
of days beyond the initial network login session, and be available for off-line use.
Since non-volatile users are local to the workstation, users can change these passwords while off-line. The changed password is not automatically synchronized to the network password on the next connected login session.
To find out more about local user accounts created by a NetWare client, please refer to:
– http://support.novell.com/cgi-bin/search/searchtid.cgi?/10062222.htm
– http://support.novell.com/cgi-bin/search/searchtid.cgi?/2927129.htm
– http://support.novell.com/cgi-bin/search/searchtid.cgi?/2928061.htm
7.2 IVR Vendors and Systems
• General purpose:
– Avaya / Lucent:
http://www1.avaya.com/enterprise/who/docs/ivr/
– InterVoice-Brite:
http://www.intervoicebrite.com/
– Apropos:
http://www.apropos.com/
• With biometric authentication:
– Vocent:
http://www.vocent.com/
– Nuance:
http://www.nuance.com/
• Special-purpose password reset IVR system:
– Hitachi ID Telephone Password Manager, using either touch-tone caller authentication or biometric voice print verification:
http://Hitachi-ID.com/products/addons/idtelephony.html
7.3 Authenticating Remote Users with Hardware Tokens
• RSA / SecurID:
http://www.rsasecurity.com/products/securid/
• Secure Computing / SafeWord:
http://www.securecomputing.com/index.cfm?sKey=688
7.4 Self-Service from the Login Prompt
• Replacing the GINA:
http://www.microsoft.com/WINDOWS2000/techinfo/administration/security/msgina.asp
• Using a secure kiosk account:
http://Hitachi-ID.com/Password-Manager/technology/arch-login.html
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/psynch/documents/mobile_users/mobile_users_4.tex
Date: February 20, 2006

IRJET-  	  Security in Ad-Hoc Network using Encrypted Data Transmission and S...IRJET-  	  Security in Ad-Hoc Network using Encrypted Data Transmission and S...
IRJET- Security in Ad-Hoc Network using Encrypted Data Transmission and S...IRJET Journal
 
E-Commerce Mobile Sale System
E-Commerce Mobile Sale SystemE-Commerce Mobile Sale System
E-Commerce Mobile Sale SystemAbhishek Kumar
 
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDS
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDSDATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDS
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDSIRJET Journal
 
2 d barcode based mobile payment system
2 d barcode based mobile payment system2 d barcode based mobile payment system
2 d barcode based mobile payment systemParag Tamhane
 
IRJET- Verbal Authentication for Personal Digital Assistants
IRJET- Verbal Authentication for Personal Digital AssistantsIRJET- Verbal Authentication for Personal Digital Assistants
IRJET- Verbal Authentication for Personal Digital AssistantsIRJET Journal
 
Advanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMAdvanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMIRJET Journal
 

Similaire à Managing Passwords for Mobile Users (20)

Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
 
Hitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security Analysis
 
Secure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsSecure Management of Access to Privileged Accounts
Secure Management of Access to Privileged Accounts
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
Self-service Password Reset
Self-service Password ResetSelf-service Password Reset
Self-service Password Reset
 
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressedA MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
 
Fractalia manager whitepaper_en_5_2_2
Fractalia manager whitepaper_en_5_2_2Fractalia manager whitepaper_en_5_2_2
Fractalia manager whitepaper_en_5_2_2
 
Propalms Centralized Computing Solution Document
Propalms Centralized Computing   Solution DocumentPropalms Centralized Computing   Solution Document
Propalms Centralized Computing Solution Document
 
Github-Source code management system SRS
Github-Source code management system SRSGithub-Source code management system SRS
Github-Source code management system SRS
 
IRJET- Security in Ad-Hoc Network using Encrypted Data Transmission and S...
IRJET-  	  Security in Ad-Hoc Network using Encrypted Data Transmission and S...IRJET-  	  Security in Ad-Hoc Network using Encrypted Data Transmission and S...
IRJET- Security in Ad-Hoc Network using Encrypted Data Transmission and S...
 
Authentication Management
Authentication ManagementAuthentication Management
Authentication Management
 
Selecting a Password Management Product
Selecting a Password Management ProductSelecting a Password Management Product
Selecting a Password Management Product
 
E-Commerce Mobile Sale System
E-Commerce Mobile Sale SystemE-Commerce Mobile Sale System
E-Commerce Mobile Sale System
 
Password Management Project Roadmap
Password Management Project RoadmapPassword Management Project Roadmap
Password Management Project Roadmap
 
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDS
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDSDATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDS
DATA SECURITY ON VIRTUAL ENVIRONMENT USING ENCRYPTION STANDARDS
 
Ecommerce srs
Ecommerce  srsEcommerce  srs
Ecommerce srs
 
2 d barcode based mobile payment system
2 d barcode based mobile payment system2 d barcode based mobile payment system
2 d barcode based mobile payment system
 
IRJET- Verbal Authentication for Personal Digital Assistants
IRJET- Verbal Authentication for Personal Digital AssistantsIRJET- Verbal Authentication for Personal Digital Assistants
IRJET- Verbal Authentication for Personal Digital Assistants
 
Advanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMAdvanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSM
 

Plus de Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 

Plus de Hitachi ID Systems, Inc. (20)

Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 

Dernier

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Dernier (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Managing Passwords for Mobile Users

© 2014 Hitachi ID Systems, Inc. All rights reserved.
Knowledge workers are increasingly mobile, and frequently have to connect to internal I.T. resources from outside the enterprise network.

Mobile users must manage passwords both on their own notebook computers and on networked systems.

Managing passwords for mobile users is more challenging than managing passwords for network-attached users. Unique technical problems include managing local passwords on thousands of devices, coping with cached credentials and supporting mobile users who forgot their initial sign-on password.

This document describes how Hitachi ID Password Manager addresses the technical challenges of managing passwords for mobile users.

Contents
1 Confidentiality
2 Introduction
3 Making Routine Changes to Local Passwords
3.1 The Problem
3.2 Solutions
4 When Users Forget Their Initial Password
4.1 The Problem
4.2 The Solution for Network-attached Users
4.3 Solutions for Mobile Users
5 When Users Forget Their Remote-access Password
5.1 The Problem
5.2 Solutions
6 Conclusions
7 References
7.1 Setting Up Roaming Profiles
7.2 IVR Vendors and Systems
7.3 Authenticating Remote Users with Hardware Tokens
7.4 Self-Service from the Login Prompt
1 Confidentiality

This document describes key technology developed by Hitachi ID Systems to support customer requirements for an enterprise-class, high-availability, high-throughput password synchronization system.

This technology is proprietary, and the design considerations described herein are not widely understood in the password management market segment, and in particular in the password reset market segment. Moreover, patent applications have been filed regarding some of the technology described herein.

This document is made available to current and prospective Hitachi ID Systems customers to help them understand how best to select and deploy an effective password synchronization system.

In an effort to maintain Hitachi ID Systems’s technological lead in the password management market segment, the reader is asked to refrain from discussing detailed design objectives and solutions herein with other vendors of provisioning, identity management or password management technologies.

Please keep this document confidential.
2 Introduction

Knowledge workers are increasingly mobile, and frequently have to connect to internal I.T. resources from outside the enterprise network.

Mobile users must manage passwords both on their own notebook computers and on networked systems.

Managing passwords for mobile users is more challenging than managing passwords for network-attached users. Unique technical problems include managing local passwords on thousands of devices, coping with cached credentials and supporting mobile users who forgot their initial sign-on password.

This document describes how Hitachi ID Password Manager addresses the technical challenges of managing passwords for mobile users.

The remainder of this document is organized into sections that describe challenges specific to managing passwords for mobile users, and how Password Manager addresses each problem.

• Managing local passwords
  Managing local passwords using a network-attached password management system.
• When users forget their initial password
  Providing self-service assistance to users who forget their initial password, including both network-attached and off-line users.
• When users forget their remote-access password
  Providing self-service assistance to off-site users who forgot or disabled the password they use to connect to the network.
• Conclusions
  A summary of the challenges of password management for mobile users, and of Password Manager solutions.
• References
  Relevant reference material on the Internet.
3 Making Routine Changes to Local Passwords

3.1 The Problem

Users with fixed PCs in a networked environment typically log into their workstations with a login ID and password that are actually validated by a network operating system, such as a Windows Active Directory or Novell NetWare NDS / eDirectory.

This is convenient, because a networked password management system does not have to directly interact with user IDs or passwords stored on individual PCs. Instead, it simply manipulates passwords on the network operating system or directory.

In contrast, mobile users must be able to sign into their workstations even when they are not connected to the network. That means that they must either be able to log into their workstation without a password, or else their login ID and password must be physically stored on their own computer.

User IDs and passwords that are managed locally on a workstation may either be local to that computer, or else they may be cached copies of credentials that are normally maintained on a network operating system or directory (Active Directory, eDirectory, etc.).

In either case, a central, networked password management system must be able to update passwords stored on individual computers. This implies either sophisticated technology to “reach back” to workstations, or software that is installed on each and every mobile computer.

3.2 Solutions

In most corporate environments, users sign into disconnected workstations with cached network credentials. In this case, the problem of managing local passwords is somewhat reduced, as users are normally prohibited from changing their passwords while off-line.

If mobile users log into their workstations with a local ID, rather than a cached copy of a network ID, then Hitachi ID Password Manager can use an Active-X component to reset local passwords.

This component is only available for web-based, self-service password updates (both routine changes and resets due to a forgotten password). Since an interactive web browser session is required, this method is not suitable for use with transparent password synchronization, for assisted password resets, or for telephony-based password resets, none of which involve a web browser session on the user’s workstation.

The component is inserted into the password reset results page. It is downloaded by the user’s web browser (Note: only IE supports Active-X components), and executes locally on the user’s workstation. To run, it may either use a network administrator account with local privileges on each workstation, or else a local administrative account must be configured on each workstation, and be available for this component.

An installation program is available with Password Manager to create a local administrator account on each workstation, and to set its password to a random value. This program can be used in conjunction with a software distribution system like SMS to create a suitable account on every workstation where it may be required.
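The installer step described in Section 3.2, sketched as an added PowerShell example (this is not Hitachi ID's installation program): it creates or resets a local administrator account whose password is drawn from a cryptographic random source, so each workstation ends up with a different credential. The account name `pwreset-svc`, the 32-character length and the alphabet are assumptions; how the central system later learns the password is not described in this document and is left out.

```powershell
#Requires -RunAsAdministrator
# Added illustration. Account name, length and alphabet are assumptions,
# not values taken from the vendor's installer.
param(
    [string]$AccountName = 'pwreset-svc',   # hypothetical local account name
    [int]$Length = 32
)

function New-RandomPassword {
    param([int]$Length = 32)

    # 64 characters, visually ambiguous ones (I, O, l, 0, 1) left out.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $secure = New-Object System.Security.SecureString
        $buf = New-Object byte[] 1
        # Rejection sampling: discard bytes that would bias the modulo,
        # so every alphabet character is equally likely.
        $limit = 256 - (256 % $alphabet.Length)
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $secure.AppendChar($alphabet[$buf[0] % $alphabet.Length])
            }
        }
        $secure.MakeReadOnly()
        return $secure
    }
    finally {
        $rng.Dispose()
    }
}

# The password only ever exists as a SecureString; it is never written
# to the console, a log file or the command line.
$password = New-RandomPassword -Length $Length

$existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($existing) {
    # Re-running the script rotates the password instead of failing.
    Set-LocalUser -Name $AccountName -Password $password
}
else {
    New-LocalUser -Name $AccountName `
                  -Password $password `
                  -PasswordNeverExpires `
                  -UserMayNotChangePassword `
                  -Description 'Local password reset account' | Out-Null
}

# Resolve the Administrators group by its well-known SID so the script
# also works on localized Windows installations.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'
$member = Get-LocalGroupMember -Group $admins -Member $AccountName -ErrorAction SilentlyContinue
if (-not $member) {
    Add-LocalGroupMember -Group $admins -Member $AccountName
}
```

Because the value differs on every machine, a credential recovered from one workstation does not grant administrative access to the others.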
4 When Users Forget Their Initial Password

4.1 The Problem

When users forget a password or accidentally trigger an intruder lockout, their problem is frequently with their initial login. This presents some special problems:

• Self-service solutions are generally web based, and this is true of password reset systems as well.
• Users who need to access a self-service system for password reset therefore need access to a web browser. If their problem is with their initial login, then they don’t yet have access to their own desktop, and so can’t launch a web browser.
• As a result, users who forget their own password cannot, without special measures, easily take advantage of a self-service solution.

The above problems apply to connected office workers, as well as mobile users. For mobile users, a self-service password reset system has extra challenges:

• The self-service system must be accessible from the login prompt of workstations that are not yet network attached. This requires a client software footprint.
• The self-service client software must establish a network connection to the server component – without much user input.
• The self-service system must be able to reset local passwords, as described in Section 3 on Page 3.

4.2 The Solution for Network-attached Users

For network-attached users, this problem can be overcome in several ways:

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, but they need a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

Option 1. Do nothing: users continue to call the help desk.
Pros:
• Inexpensive, nothing to deploy.
Cons:
• The help desk continues to field a high password reset call volume.
• No solution for local passwords or mobile users.
Option 2. Ask a neighbor: Use someone else’s web browser to access self-service password reset.
Pros:
• Inexpensive, no client software to deploy.
Cons:
• Users may be working alone or at odd hours.
• No solution for local passwords or mobile users.
• Wastes time for two users, rather than one.
• May violate a security policy in some organizations.

Option 3. Secure kiosk account (SKA): Sign into any PC with a generic ID such as “help” and no password. This launches a kiosk-mode web browser directed to the password reset web page.
Pros:
• Simple, inexpensive deployment, with no client software component.
• Users can reset both local and network passwords.
Cons:
• Introduces a “generic” account on the network, which may violate policy, no matter how well it is locked down.
• One user can trigger an intruder lockout on the “help” account, denying service to other users who require a password reset.
• Does not help mobile users.

Option 4. Personalized SKA: Same as the domain-wide SKA above, but the universal “help” account is replaced with one personal account per user. For example, each user’s “help” account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
Pros:
• Eliminates the “guest” account on the domain, which does not have a password.
Cons:
• Requires creation of thousands of additional domain accounts.
• Requires ongoing creation and deletion of domain accounts.
• These new accounts are special – their passwords do not expire and would likely not meet strength rules.

Option 5. Local SKA: Same as the domain-wide SKA above, but the “help” account is created on each computer, rather than on the domain.
Pros:
• Eliminates the “guest” account on the domain.
• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
Cons:
• Requires a small footprint on each computer (the local “help” account).
Option 6: Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.
  Pros:
  • Simple deployment of centralized infrastructure.
  • No client software impact.
  • May leverage an existing IVR (interactive voice response) system.
  • Helpful for remote users who need assistance connecting to the corporate VPN.
  Cons:
  • New physical infrastructure is usually required.
  • Users generally don’t like to “talk to a machine” so adoption rates are lower than with a web portal.
  • Does not help mobile users who forgot their cached domain password.
  • Does not help unlock PINs on smart cards.

Option 8: Physical kiosks: Deploy physical Intranet kiosks at each office location.
  Pros:
  • Eliminates generic or guest accounts.
  • May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
  Cons:
  • Costly to deploy – hardware at many locations.
  • Does not help mobile users who forgot their cached domain password.
  • Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9: GINA DLL: Windows XP: Install a GINA DLL on user computers, which adds a “reset my password” button to the login screen.
  Pros:
  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.
  Cons:
  • Requires intrusive software to be installed on every computer.
  • Broken installation or out-of-order un-installation will render the computer inoperable (i.e., “brick the PC”).
Option 10: GINA Extension Service: Similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
  Pros:
  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • More robust, fault-tolerant installation process than the GINA DLL.
  Cons:
  • Requires software to be installed on every computer.
  • Does not work on Citrix Presentation Server or Windows Terminal Server – only works on personal computers.
Option 11: Credential Provider: The equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
  Pros:
  • User friendly, intuitive access to self-service.
  • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  • Works on Windows Terminal Server and Citrix Presentation Manager.
  • More robust infrastructure than GINA DLLs on Windows XP.
  Cons:
  • Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

4.3 Solutions for Mobile Users

When users are off-site and not connected to the corporate network, they can use a telephony solution (IVR) to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.

An LSKA (local, secure kiosk account), GINA extension service or credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Hitachi ID Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX).

Password Manager software installed on a user’s Windows laptop enables password reset while away from the office, as follows:

• The user’s PC is not physically attached to any network – the user may be at an airport, coffee shop, etc.
• The user is faced with a login screen to which he does not know the password.
• The user’s (forgotten) AD password is cached on the PC, to allow logins while away from the corporate network.
• If the LSKA is deployed, the user signs into his workstation with the user name “help” and no password.
• If the GINA (Graphical Identification and Authentication library) extension service or Credential Provider is deployed, the user presses a button on the Windows login screen with a label such as “I forgot my password.”
• The Password Manager client software service is started and detects (a) that there is no physical network connection but also (b) the PC has a wireless network adapter.
• Password Manager scans for available WiFi hot-spots and asks the user to select one. They are ordered by signal strength, so the user normally chooses the first one (nearest AP; often public).
• The user’s web browser is launched and the user may have to register, pay or accept the terms of use of the network provider.
• Once the user’s PC is on the Internet, Password Manager will launch a temporary VPN connection to the corporate network.
• Password Manager will launch a kiosk-mode web browser to the password reset web portal. Since the browser is in kiosk mode, the user cannot navigate to any other URL.
• The user will perform a password reset in this web browser session. This will include self-identification, some form of non-password authentication (e.g., CAPTCHA + security questions + mobile phone SMS PIN) and selection of a new password.
• Password Manager will use an ActiveX component to re-authenticate the user’s PC to the domain, over the VPN. This has the desirable side-effect of updating the cached password on the user’s PC.
• The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi session.
• The user is able to sign into his PC with his new password, which has been applied both at work and to the local cache.

Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired connection. All of these alternatives also work essentially as described above.

The net effect is that a solution can be deployed as follows:

• A lightweight software package is deployed to every notebook computer (i.e., a small package that does not necessarily alter the GINA).
• Users who forget their initial password can type “help” at the login prompt. This works when they are already attached to the corporate network, and also when they are off-site, and physically attached to a phone line or broadband connection, but not yet signed onto the corporate network.
• Users may also be able to press a button in the GINA to request password assistance. This requires a somewhat more invasive client software package, but is also somewhat more user friendly.
• Once a user types “help,” he may have to wait for the client component to sign onto the network.
• Once signed-in, the user is presented with a kiosk-mode web interface to identify himself, authenticate, and reset passwords on both the network and his own PC. This part of the process is the same for both off-site and on-site users.
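The kiosk-mode step in the sequence above is only as strong as the check that keeps the browser on the reset portal, since the session is reachable before any authentication. The following is an added illustration, not Hitachi ID's code: a strict origin check that a kiosk wrapper could apply to every navigation. The portal host reset.example.com, the function names and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed portal origin (placeholder); the page does not give the real URL.
ALLOWED_ORIGINS = {("https", "reset.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def kiosk_may_navigate(url: str) -> bool:
    """Allow a navigation only if scheme, host and port match exactly."""
    # Whitespace, control characters and backslashes are parsed differently
    # by different URL parsers, so refuse them outright.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False               # file:, javascript:, data:, about: ...
    if parts.username is not None or parts.password is not None:
        return False               # userinfo can disguise the real host
    host = parts.hostname or ""    # urlsplit lower-cases the host name
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port) in ALLOWED_ORIGINS


# Constructed navigation attempts, for illustration only.
SAMPLE_ATTEMPTS = [
    "https://reset.example.com/reset",
    "https://RESET.example.com:443/reset?step=2",
    "http://reset.example.com/reset",
    "https://reset.example.com@other.test/",
    "https://reset.example.com.other.test/",
    "https://reset.example.com:8443/",
    "file:///C:/Windows/System32/cmd.exe",
    "javascript:void(0)",
]


def blocked(attempts):
    """Return the attempts the kiosk wrapper would refuse, in order."""
    return [u for u in attempts if not kiosk_may_navigate(u)]


if __name__ == "__main__":
    for url in blocked(SAMPLE_ATTEMPTS):
        print("refused:", url)
```

Matching on the parsed (scheme, host, port) tuple rather than on a string prefix is what defeats the look-alike host and userinfo cases in the sample list.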
5 When Users Forget Their Remote-access Password

5.1 The Problem

Mobile users normally have to attach to the corporate network periodically. This is normally done either with a dial-up session (RAS) or using a virtual private network over the Internet (VPN).

When users make RAS or VPN connections, they have several authentication options, including:

• Typing a password.
• Using a “saved” password stored in the dialer on their PC.
• Using a PKI certificate stored on their PC.
• Using a hardware token.

If users must type their password, and if they forget that password or trigger intruder lockout, they should access a self-service password reset system to fix their problem, rather than calling the help desk.

Token users who forget their PIN, or whose token clock drifts too far away from the authentication server’s clock have similar problems with authenticating to the network.

The problem here is that the user is not connected to the network, so it may be difficult to use a web-based solution.

5.2 Solutions

Hitachi ID Password Manager supports several solutions for users who have a problem with their remote-access password:

• Using an IVR system, a user can identify himself, authenticate and reset one or more passwords with just a telephone.

  Password Manager integrates with many IVR systems, including general-purpose ones that a customer may have, and specially-designed secure IVR systems that leverage biometric voice print verification or hardware token authentication.

  For existing IVR systems, Password Manager integrates by providing a secure, remote function call library that the call logic on the IVR server can use to authenticate users and reset their passwords.

  Integrated solutions for biometric caller authentication are available directly from Hitachi ID Systems or from vendors such as Vocent.
  Hitachi ID Telephone Password Manager, a single-purpose IVR system that can only perform password resets, is also available directly from Hitachi ID Systems.

• For Internet-attached users, who must authenticate to a VPN, the Password Manager web interface can be exposed on a company’s Extranet. This can be done by placing the Password Manager server in a DMZ, or using a reverse web proxy to access it on the private network.
  With this setup, users can reset their own forgotten VPN passwords over the Internet, and then establish a VPN connection using the new password.

• Using client software and a dialer, as described in Subsection 4.3, workstations can be configured to dial-in or connect with a VPN using stored, special-purpose credentials. Such a connection can be made available to users with a locally-defined kiosk account, where users who forgot their RAS password can type “help,” authenticate, and reset their RAS password with a web browser.
6 Conclusions

Both routine password management and self-service password resets present special technical challenges when applied to mobile users. These challenges include:

• Managing workstation passwords.
• Accessing a self-service password reset from disconnected workstations.
• Accessing a self-service password reset prior to establishing a working network connection.

Hitachi ID Password Manager includes technologies to address each of these problems:

• An Active-X component to reset local passwords.
• A workstation-installed secure kiosk account that can activate a dialer or VPN client prior to presenting a user interface.
• Integration with IVR systems and Extranets to reset RAS and VPN passwords.

While it is more difficult to set up effective password management for mobile users than for network-attached users, the payoff is higher. This is because problems experienced by mobile users are more difficult and costly to solve with traditional assisted-service methods.
7 References

7.1 Setting Up Roaming Profiles

• Guide to Windows NT policies and profiles, which makes mention throughout of roaming profiles:
  http://support.microsoft.com/default.aspx?scid=kb;[LN];Q161334
• Creating roaming profiles for various Windows operating system versions:
  http://support.microsoft.com/default.aspx?scid=kb;[LN];Q142682
• Novell NetWare’s ZenWorks can be configured to create “volatile users” on a workstation when a user signs onto it with an ID that exists on the NDS tree but not locally. These are normally deleted at the end of a login session.

  The NetWare client can be configured to create “non-volatile users” which persist for a finite number of days beyond the initial network login session, and be available for off-line use.

  Since non-volatile users are local to the workstation, users can change these passwords while off-line. The changed password is not automatically synchronized to the network password on the next connected login session.

  To find out more about local user accounts created by a NetWare client, please refer to:
  – http://support.novell.com/cgi-bin/search/searchtid.cgi?/10062222.htm
  – http://support.novell.com/cgi-bin/search/searchtid.cgi?/2927129.htm
  – http://support.novell.com/cgi-bin/search/searchtid.cgi?/2928061.htm

7.2 IVR Vendors and Systems

• General purpose:
  – Avaya / Lucent: http://www1.avaya.com/enterprise/who/docs/ivr/
  – InterVoice-Brite: http://www.intervoicebrite.com/
  – Apropos: http://www.apropos.com/
• With biometric authentication:
  – Vocent: http://www.vocent.com/
  – Nuance: http://www.nuance.com/
• Special-purpose password reset IVR system:
  – Hitachi ID Telephone Password Manager, using either touch-tone caller authentication or biometric voice print verification:
    http://Hitachi-ID.com/products/addons/idtelephony.html

7.3 Authenticating Remote Users with Hardware Tokens

• RSA / SecurID: http://www.rsasecurity.com/products/securid/
• Secure Computing / SafeWord: http://www.securecomputing.com/index.cfm?sKey=688

7.4 Self-Service from the Login Prompt

• Replacing the GINA:
  http://www.microsoft.com/WINDOWS2000/techinfo/administration/security/msgina.asp
• Using a secure kiosk account:
  http://Hitachi-ID.com/Password-Manager/technology/arch-login.html

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/psynch/documents/mobile_users/mobile_users_4.tex
Date: February 20, 2006