Password Self-Service
Adaxes password self-service solves one of the most common problems for any organization – forgotten passwords in Active Directory. Indeed, why should users torment your help desk with daily password reset tickets when every modern system allows them to reset their password? Why AD, the core of your identity management, should be an exception?
If you are lucky enough to have a hybrid environment and Microsoft Entra joined computers, your users can at least rely on the native Microsoft Entra self-service password reset. It works, it is getting better every year, but it still has certain limitations. For example, if a macOS user forgets their password, they are out of luck. Users who are out of office or have no internet connection are also in the same boat.
If you are not in hybrid, you are more or less forced to handle password resets the old school way, compromising the productivity of your help desk and your users. But with Adaxes, it does not have to be this way.
How SSPR works in Adaxes
The starting point for self-service password reset is the Reset password link. You can let users access it from the Adaxes Web interface via an ordinary web browser on any device, integrate it into your own portals or applications, or add it directly to the login screen of the users' Windows / macOS workstations.
Once a user comes to a conclusion they forgot their password and clicks the link, they will need to follow an identity verification procedure before Adaxes will allow them to reset their password. The procedure can require one or a combination of the following options:
- Answering security questions
- Entering a code sent to the user by SMS or email
- Entering a code from an authenticator app on their mobile device (Google Authenticator, Authy, etc.)
You can set up different password self-service policies to strike a balance between ease of use and security. For example, an authenticator app might be sufficient for ordinary accounts, but resetting the password of a privileged account will require all of the above identity verification methods and will allow fewer failed attempts.
After the identity is verified, users can unlock their account, reset their password, log in, and finally start working. As simple as that!
How to configure password self-service
Offline and out-of-office
Adaxes allows users to reset their passwords even when they are not on the corporate network. For example, when users take domain-connected laptops home or on a business trip and forget their password, normally they would be unable to use their devices until they come back, even if somebody from the help desk resets their password in AD.
But with Adaxes, users can simply go through the same password self-service procedure and log in to the laptop with their new password. No VPN or other tools required.
More about out-of-office and offline self-service password reset
Security
Adaxes employs several concepts that maximize the security of your environment while retaining the simplicity of the self-service password reset process.
First of all, Adaxes can automatically block access to password self-service after a certain number of failed attempts. This eliminates the possibility of brute-force attacks and hinders any suspicious activity of malicious actors.
Secondly, you can set up email notifications for successful password resets. This way, users will be able to timely notify the IT department if they had no hand in resetting their password.
Finally, you can add an approval step to self-service password resets as an extra security measure. After a user successfully confirms their identity and specifies the new password, Adaxes will not reset it in your directory right away. Instead, it will send an approval request to a predefined person – a member of the IT staff, the manager of the user, their colleagues, etc.
How to request approval for self-password reset
Enrollment
Okay, we lied to you a bit when we said that password self-service starts with clicking the Reset password button. It actually starts with enrollment – a one-time procedure that requires each user to provide answers for security questions or install and activate the authenticator app on their mobile device.
To make sure that all users are enrolled, Adaxes can regularly send them email reminders, display the enrollment invitation balloons in the system notification area, display a pop-up every time users log in to the Web interface, etc.
If you don't want to rely on the initiative of your users, you can enroll them automatically. Answers for security questions can be generated based on the user properties in your directory or taken from any other data source. You can even automate the enrollment of future users, so that everyone has access to password self-service from their first working day.
How to autoenroll users for self-password reset
Monitoring
Adaxes has a monitoring system with several key metrics that can give you helpful insights into the health of password self-service in your environment. You can keep an eye on the enrollment status, successful and failed self-password reset attempts, and users locked from password self-service.
Any problems that might come up can be easily identified and solved in no time. For example, if a certain policy results in many failed password reset attempts, administrators might need to make that policy less strict. If a certain account constantly gets locked from password self-service, you might need to carry out a security investigation or additional training with that user.
With password self-service in place, you can make password resets reliable and available to everyone, everywhere, and at any time. Coupled with more breathing room for your help desk, the overall productivity of your environment will skyrocket. Password self-service is a simple but powerful tool that is almost essential to have nowadays, especially for large organizations.
Besides, Adaxes offers a lot more than just self-service password resets. With more free time on hand, your help desk, maybe, can start participating more in managing your AD and Entra ID?