Self-Service Password Reset
Users who have forgotten a password or triggered an intruder lockout can sign into P-Synch® with another form of authentication to perform self-service password reset. Supported authentication factors include answering personal questions in the form of Q-A (Question-and-Answer), using a hardware token (e.g., SecurID, SafeWord), providing a biometric sample, and using a smart card.
Automated password reset allows locked-out users to reset their own passwords, effectively addressing the problem of forgotten passwords. P-Synch creates a secure and efficient process for users to reset their passwords, thus minimizing help desk call volume and the time the help desk spends resetting passwords.
Once authenticated, users can reset their own passwords without calling the help desk. Tickets can be automatically created on a call tracking system.
Self-service password reset is available from:
- A web browser, from either the user's own computer or that of a neighbor.
- The login prompt of the user's own workstation. This is possible with a domain-level SKA (secure kiosk account) that does not require a client software installation, a local SKA, or a GINA (Graphical Identification and Authentication library) DLL inserted ahead of the existing network client GINA on user workstations.
- A telephone, from which the user dials the help desk ACD (automatic call distribution) and is directed to an IVR (interactive voice response) system that provides a password reset service.
A P-Synch API (application programming interface) allows existing IVR systems to be extended to provide password resets. ID-Telephony®, a turn-key IVR system, is also available, using either numeric Q-A or biometric voice print verification for caller authentication.
Process
Self-service password reset works as follows:
If users have forgotten their initial workstation login password or have locked it out, they can access a kiosk-mode web browser either by typing help and pressing Enter (as described below), or by pushing a help button on the login screen, provided by an optional GINA (Graphical Identification and Authentication library) DLL deployed to the desktop. Either route starts the process to recover or reset the password.
- User: forgets password or triggers intruder lockout.
- User: types "help" at the login prompt of his own workstation, enters a blank (no password) or easy-to-remember password and presses Enter.
- Workstation: logs "help" user into the domain.
- Workstation: applies "help" security policy.
- Workstation: launches UNC from P-Synch server as a replacement shell.
- P-Synch shell: finds user's default web browser in registry.
- P-Synch shell: launches web browser in kiosk mode to P-Synch self-service password reset URL.
- P-Synch web server: prompts user to type his network login ID.
- User: types his network login ID.
- P-Synch web server: prompts user to answer some personal questions.
- User: types answers to personal questions.
- P-Synch web server: validates user-entered answers (internally or against an existing directory / database / etc.).
... repeat previous steps as many times as required, with different sets of questions or a security token.
- P-Synch web server: prompts user to enter a new password.
- User: types a new password, selects some or all accounts.
- P-Synch web server: validates password quality, possibly returns user to previous step.
- P-Synch web server: resets password on selected systems to the new value.
- P-Synch web server: displays a status page to the user.
- P-Synch web server: writes a ticket to a call tracking system.
- P-Synch web server: sends the user a confirmation e-mail.
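The answer-validation steps above, sketched as an added example (this is not P-Synch code): a server-side check that stores only salted, slow hashes of the enrolled answers, compares in constant time, and requires every round of questions to pass. The function names, question labels, PBKDF2 parameters and normalization rules are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # assumed PBKDF2 work factor, not a product setting


def normalize(answer: str) -> bytes:
    # Fold case, Unicode width and whitespace so " Maple  ST" matches "maple st".
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode()


def enroll(answer: str) -> tuple[bytes, bytes]:
    # Keep a per-answer salt and a slow hash, never the answer itself.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def check_round(profile: dict, submitted: dict) -> bool:
    # Evaluate every question before deciding, so neither the result nor
    # the timing reveals which individual answer was wrong.
    ok = True
    for question, (salt, stored) in profile.items():
        digest = hashlib.pbkdf2_hmac(
            "sha256", normalize(submitted.get(question, "")), salt, ITERATIONS)
        ok &= hmac.compare_digest(digest, stored)
    return ok


def authenticate(rounds: list, submissions: list) -> bool:
    # The user must pass every configured round of questions
    # ("repeat previous steps as many times as required").
    if len(submissions) != len(rounds):
        return False
    return all([check_round(p, s) for p, s in zip(rounds, submissions)])


# Constructed sample enrollment: two rounds of personal questions.
ROUNDS = [
    {"first pet": enroll("Biscuit"), "childhood street": enroll("Maple St")},
    {"first employer": enroll("Acme Hardware")},
]
```

Only after `authenticate` returns true would the flow move on to the new-password prompt and the password quality check.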
User Interfaces
Self-service password reset is available from a web browser, from the workstation login prompt and from a telephone, as described here.







