Play movie

Content:

• A user has either forgotten his password or triggered an intruder lockout.
• The user's PC runs Windows 7.
• The user wishes to unlock his account without calling the help desk.

Key concepts:

• Access to SSPR is available as a credential provider (CP).
• The CP can be installed on Windows Vista and Windows 7 workstations.

Play movie

Content:

• A user has either forgotten his password or triggered an intruder lockout.
• The user's PC runs Windows XP.
• The user wishes to unlock his account without calling the help desk.

Key concepts:

• Access to SSPR is available as service installed on Windows XP workstations.
• The service is not a GINA DLL. Instead, it adds UI elements to the native GINA on the fly.
• This architecture is less risky than installing a DLL into the GINA DLL chain.

Play movie

Content:

• A user has either forgotten his password or triggered an intruder lockout.
• The user's PC runs any version of Windows.
• The user wishes to unlock his account without calling the help desk.

Key concepts:

• Access to SSPR is available using a secure kiosk account.
• This approach eliminates the need to install any software on the PC.
• The trade-off is a special domain account, typically called help which every user can sign into but which has minimal security entitlements.

Play movie

Content:

• A user has been invited to fill in a form with security questions and answers.
• This animation starts after:
  • The user has clicked a link in an e-mail, or
  • a browser window was automatically launched at PC login.
  • The user has already authenticated to Hitachi ID Password Manager (formerly P-Synch) with a password, token or smart card.

Key concepts:

• Policy is used to combine user-chosen and standardized questions.
• Some questions may be accessible to the help desk.
• Some questions may be suitable for telephone authentication.
• Usually only a random subset of enrolled questions is used to authenticate a user.

Play movie

Content:

• A user has been invited to fill in a form with login IDs and passwords.
• This animation starts after the user has been invited and has authenticated.
• Multiple authentication steps - security questions, login IDs, biometrics, etc. are normally integrated into a single process.

Key concepts:

• This process eliminates the need to "match" profile data on different systems (can be costly, unreliable).
• Users don't need to know what a system is "officially" called, eliminating a common cause of misunderstanding between users and IT staff.
• Users must "prove possession" by providing a correct password, making this process totally secure.

Play movie

Content:

• A user has forgotten the PIN for his RSA SecurID token.
• Using self-service, he can choose a new PIN.

Key concepts:

• Token PIN reset is more commonly accessed via telephone, since tokens are often used to establish a VPN connection.
• Other self-service options include issuing emergency access codes and disabling the token (e.g., if it was lost).

Play movie

Content:

• A user is reminded, via e-mail, to change passwords.

Key concepts:

• Users never volunteer to change passwords.
• Mobile users are not reminded to change passwords by Windows, so an e-mail helps them avoid lockouts.
• An interactive web UI can educate users about password policy and in-scope systems, so is often preferable to the Windows "Ctrl-Alt-Del" UI.

Play movie

Content:

• The experience of a help desk analyst resetting passwords for a user who has forgotten his password or triggered a lockout.

Key concepts:

• Help desk staff may be forced to authenticate callers, for example by prompting them with security questions and keying in their answers.
• Help desk staff may be empowered or required to cause new passwords to be immediately expired.
• "Behind the scenes," a help desk ticket is normally created to record the service incident.