Password Self-Service: Out-of-Office and Offline
Users forget their passwords, help desk resets them – it is the natural way of things. Having a password self-service system in place is an improvement over the natural way, a first step to a hassle-free workplace for everyone.
However, everything breaks when users forget their password while they are not connected to the company network. Work from home has woven its way into our everyday lives, and we have to account for it. This is where Adaxes comes to the rescue once again.
Out-of-office password self-service
Remote employees, those who take their laptops home every other day or so – all of them are vulnerable to being completely locked out of their work computer if they forget their password. Even if they call the help desk and ask to reset it, their computer will be unable to get the new password without a connection to a domain controller.
You might expect the self-service password reset feature in Microsoft Entra ID to cover this, but even Microsoft Entra-joined computers in a hybrid deployment scenario are susceptible to the same issue. No connection to a DC equals no password reset for you.
With Adaxes, however, such users are out of trouble. Adaxes Self-Service Client is a little tool that can enable them to reset their password from the computer login screen, even from out-of-office. It is available for Windows and Mac, so no one is left out. All you have to do is deploy it beforehand.
The self-service client adds a "Forgot your password" link to the login screen. Once a user clicks it, they will be asked to verify their identity according to the policy you have configured. Questions and answers, SMS, mobile authenticator app, any of these can be used in any combination, or even everything at once for extra privileged identities.
When the identity verification is complete, Adaxes will reset the password in AD and update the local credentials cache on the computer in one fell swoop. The user will be able to log in immediately, and their new password will be valid when they eventually connect to the company network.
Offline password self-service
Being offline nowadays is rare. Forgetting your password while offline is even rarer. Nevertheless, it can happen. Imagine a traveling sales rep who has just checked into a hotel and decided to forget their password. The Wi-Fi connectivity on the login screen was preemptively disabled via GPO. There is no way in... or is there?
Luckily, Adaxes Self-Service Client supports such scenarios as well. Offline password reset works similarly to out-of-office password reset, except the user needs the help of another device to reset the computer password.
This time, when a user clicks the "Forgot your password" link, Adaxes detects that the computer is not connected to the Internet. It generates a request key and a link that the user needs to open on another device, for instance, their mobile phone.
From then on, it is the same 'verify your identity, reset your password' process, except during the final step Adaxes will provide the user with a response key which they will need to enter on their computer along with the new password.
The Self-Service Client will validate the response key and update the local credentials cache if the key is correct. As simple as that, a forgotten password becomes no more than a minute nuisance.
So how secure is it? After all, we are dealing with resetting passwords and transmitting sensitive data over the Internet. Well, Adaxes does not make any compromises on security. A combination of encryption algorithms is used throughout the entire self-reset procedure to ensure there is no chance to intercept the new password in transit. A more in-depth description of all the security measures can be found here.
Rest assured, Adaxes offers a tried and tested method to take password self-service a step further and spread it beyond your company premises. Wherever your users work from, you can be sure that forgotten passwords won't be an unsolvable problem anymore.