Which authentication method is available when you require two password reset methods only?
Enabling dual identification before allowing a password reset in your Azure Active Directory account enhances access security by ensuring that the user identity is confirmed by two separate forms of identification such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would need to compromise both the identity forms configured, before he or she could maliciously reset an Azure AD user password.
Audit
01 Sign in to Azure Management Console.
02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.
03 In the navigation panel, select Users.
04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.
05 In the navigation panel, select Authentication methods.
06 On the Authentication methods settings page, check the Number of methods required to reset configuration value. If this value is not set to 2, the number of methods required for user password reset is not compliant; dual identification for password reset is therefore not enabled for your Microsoft Azure Active Directory users.
07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation
01 Sign in to Azure Management Console.
02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.
03 In the navigation panel, select Users.
04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.
05 In the blade navigation panel, select Authentication methods.
06 On the Authentication methods configuration page, select 2 for the Number of methods required to reset setting, so that users must use at least two methods of identification for password reset.
07 For Methods available to users, select at least two identification methods (e.g. Email and Mobile phone (SMS only)) as alternate methods of user identification necessary during password reset.
08 Click Save to apply the configuration changes. If successful, the following confirmation message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".
09 Repeat steps no. 3 – 8 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable dual identification for user password reset.
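The audit step above boils down to two settings on the Authentication methods page. The following Python is an added policy-as-code check for that rule; it is not Conformity's rule engine or a Microsoft API. It assumes the two settings have already been exported into a plain dictionary with the constructed keys "number_of_methods_required_to_reset" and "methods_available_to_users", and the grouping of methods by the asset an attacker would have to compromise is this example's own assumption. It goes slightly beyond the rule by flagging a policy that requires two methods but offers users only methods tied to the same device.

```python
"""Policy-as-code check for "Enable Dual Identification for Password Reset".

Added example, not Conformity's rule engine or a Microsoft API. It assumes the
two Authentication methods settings shown in the portal have been exported into
a plain dictionary with the constructed keys used below.
"""
from dataclasses import dataclass, field

# Portal method names grouped by what an attacker would have to compromise.
# This grouping is an assumption of the example: both mobile phone options use
# the same number, both mobile app options the same Authenticator device.
FACTOR_GROUP = {
    "Email": "mailbox",
    "Mobile phone (SMS only)": "mobile number",
    "Mobile phone": "mobile number",
    "Office phone": "office number",
    "Mobile app notification": "authenticator device",
    "Mobile app code": "authenticator device",
    "Security questions": "personal knowledge",
}


@dataclass
class Finding:
    compliant: bool
    reasons: list = field(default_factory=list)


def evaluate_sspr_policy(policy):
    """Return a Finding for one exported password reset policy."""
    required = int(policy.get("number_of_methods_required_to_reset", 1))
    available = list(policy.get("methods_available_to_users", []))
    reasons = []
    # The rule itself: the portal value must be 2.
    if required < 2:
        reasons.append(f"number of methods required to reset is {required}, expected 2")
    # Remediation step 07: users need at least two methods to choose from.
    if len(available) < 2:
        reasons.append(f"only {len(available)} method(s) available to users, at least 2 needed")
    # Extra check: two methods that share one device are not two identities.
    groups = {FACTOR_GROUP.get(m, m) for m in available}
    if len(available) >= 2 and len(groups) < 2:
        reasons.append("available methods all depend on the same factor: "
                       + ", ".join(sorted(groups)))
    return Finding(compliant=not reasons, reasons=reasons)


# Constructed sample policies: the non-compliant setting next to the remediated one.
WEAK_POLICY = {"number_of_methods_required_to_reset": 1,
               "methods_available_to_users": ["Email"]}
REMEDIATED_POLICY = {"number_of_methods_required_to_reset": 2,
                     "methods_available_to_users": ["Email", "Mobile phone (SMS only)"]}
SAME_DEVICE_POLICY = {"number_of_methods_required_to_reset": 2,
                      "methods_available_to_users": ["Mobile app notification",
                                                     "Mobile app code"]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("remediated", REMEDIATED_POLICY),
                      ("same device", SAME_DEVICE_POLICY)):
        finding = evaluate_sspr_policy(pol)
        print(name, "compliant" if finding.compliant else "NOT compliant", finding.reasons)
```

Feed each exported directory's settings through `evaluate_sspr_policy` and treat any non-empty `reasons` list as the finding to raise at audit step 06.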
Publication date Aug 30, 2019
You are auditing: Enable Dual Identification for Password Reset. Risk level: Medium
With the evolution of technology and the increase in identity theft and data breaches, the cost of the service desk is going up and the demands on CISOs are ever growing. Self-service password reset solutions have evolved over the years to help the service desk, and ultimately the business, with security and productivity. This article takes a comprehensive look at self-service password reset applications: what they are, how they work and how they can benefit a business.

Active Directory Self-Service Password Reset
Self-service password reset is the process, and the technology, that enables a user who has either forgotten their password or been locked out of their account to securely authenticate with an alternative factor and resolve their own issue by resetting their password or unlocking their account without relying on the service desk. Since Microsoft Active Directory has cornered the market when it comes to user directories, self-service password reset solutions interact with Active Directory as standard, giving employees the opportunity to manage passwords on this system. The primary process is that a user launches the self-service password reset portal from a web browser or workstation login prompt. They then need to establish their identity by some factor other than their forgotten or disabled password, such as a series of challenge-response questions. Finally, if all goes well, they can set a new password, unlock their account or do anything else the portal allows, such as updating their Active Directory user-specific details.
Benefits of Password Self-Service
Password self-service offers many benefits to business and end-users; these can be categorised as financial benefits, productivity benefits and security benefits.

Financial Benefits
A Widmeyer survey reported that on average an employee loses $420 per year grappling with passwords, with 37% of the 1000 people surveyed resetting their password more than 50 times per year; the losses in productivity alone can be staggering. A recent survey by the Ponemon Institute, which interviewed over 15000 IT professionals, reports a loss of $450 million on average per company due to manual password management tasks. When you factor in the cost of the support staff and service desk staff required, the savings from eliminating passwords alone may begin to justify a transition more rapidly.

Productivity Benefits
Productivity benefits centre around speed and efficiency. Rather than an employee who is locked out of their system waiting for an agent to unlock or reset their account, users are empowered to use self-service, allowing them to manage their passwords and accounts with immediate results and confirmation of success. In fact, self-service password reset is often a company's first venture into business automation. Unlike traditional methods, password self-service eliminates the need for a helpdesk ticket or a phone call to the service desk and reduces the wait time to a few clicks of a button for the end user, introducing them to an automated and instantaneous password self-service function. Self-service password reset eliminates the need to talk to a service provider and users have access to it regardless of the time of day; password self-service is typically available 24/7 via desktop or mobile devices. Self-service password reset expedites problem resolution for users and thus reduces service desk call volume.
Security Benefits
Additionally, self-service password reset tools offer ways for users to keep their information secure: multi-factor authentication, security questions and confirmation emails all help users feel both in control and secure. Multi-factor authentication also adds a form of identity verification which is not available with a standalone password. By requiring factors such as a mobile or hardware token before a user can access a password self-service portal, multi-factor authentication verifies that the user is the actual owner of the password, something which cannot be done with passwords alone or other authentication methods. Self-service password reset ensures that password problems are only resolved after adequate user authentication, eliminating an important weakness of many service desks and reducing the chances of social engineering attacks and identity theft.

Password Reset Synchronization
Most self-service password reset solutions offer password synchronization, enabling users to manage passwords, subject to a single security policy, across multiple systems. It is an effective method of addressing password management issues as it means users need to remember fewer passwords and can keep other systems like Google, Azure AD, Linux and LDAP secure by having passwords on these systems updated regularly. Password synchronization also reduces the number of password-related requests for help, which is the single biggest demand on service desk resources. Password synchronisation can happen either transparently, where native password changes that already take place on Active Directory are automatically propagated to other connected user directories like Azure AD, Google and OpenLDAP, or manually, where the user selectively chooses which passwords to reset or change.
With the introduction of Azure AD, Microsoft's simplified cloud version of Active Directory, companies rely on an external product called Azure AD Connect which allows any password changes performed on an on-premise local Active Directory to be synchronised to Azure AD after a password self-service reset occurs. With self-service password reset solutions like LogonBox this process is sped up and extended. The password on a core on-premise AD is synchronised to Azure AD as it is reset or changed by the user, without any additional components like Azure AD Connect. It also allows passwords to be synchronised to more than just Azure AD, since it supports many other systems and user directories.

How Does Self-Service Password Reset Work
When a user accesses the self-service password reset portal a workflow is initiated:
Verify User
The first thing that is triggered is verification: the end-user is asked to key in their username on the primary system, typically Active Directory, associated with the password that is being reset.

Authenticate User
If successful, the next stage is that the user needs to authenticate to prove they are the owner of the account and thus of the password in question. This requires an authentication flow to be preconfigured, which can consist of a multi-step authentication flow, a more secure multi-factor authentication process, or a mixture. Some solutions offer selectable authentication flows to choose from; others offer a single authentication flow.

Reset Password
If authentication is successful the user can now enter a new password, which is checked against the security policy. This can either be the root password policy of Active Directory or, if the self-service password reset solution supports it, a fine-grained password policy. In some solutions the Active Directory password policy can be overridden to offer more stringent or configurable password policies. These are applied locally to the password self-service application rather than natively to Active Directory as a whole. If successful, and password synchronisation is enabled, the new password is propagated to all linked systems.

Change Notification
Once the entire password self-service process has completed, the final step is that the end-user is notified of the change; this can be seen as a crucial final security measure in the process. If the changes were made by an unscrupulous hacker, the user can inform an administrator.

SSPR Portal Registration
Before a user can self-service password reset they must have data present in the authentication methods that have been enabled. This is vital for any self-service product to operate; it is the only way it can verify that the user requesting a password reset or account unlock is the right user. Any answer provided is compared against the set of data stored against the user's profile; in the case of something like multi-factor authentication, the self-service product will have the end-user's hardware device data stored and so will send a one-time token to this registered device.

Password Change Notification
Notifications can also be extended to provide an alert informing each user when their password is near expiration, allowing an end-user to self-service change their password rather than reset it. This adds a level of security by encouraging users to change their password frequently across their main and/or linked accounts.

SSPR Interfaces
There are a number of ways the password self-service process can be launched: from a web browser, a mobile app or a workstation login prompt.

SSPR Web Browser
Domain users can self-service password reset their Active Directory account securely from a web browser, whether on their own desktop computer or a shared kiosk computer. The convenience is that a web browser can be accessed from anywhere; the downside is that this might not suit all scenarios.

SSPR Workstation Login Prompt
To increase flexibility, self-service password reset software can offer password self-service from a workstation's login prompt (Windows and Mac are the ones most commonly supported) before a user has logged in. This does require a component that integrates with the workstation operating system: for Windows it interfaces with the credential provider chain, allowing self-service password reset and self-service account unlock options to be shown at the login prompt. For OSX the plugin needs to integrate with the OSX login chain to add the self-service options.

SSPR Mobile App
It is not uncommon to have employees working away from the office, and in cases where they become locked out of their workstation they need a way of resetting their password or unlocking their account without being at their workstation; a mobile app provides this convenience. Through an Android or iPhone app the user is able to manage their password and account without needing to call the service desk or be physically at the office.
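The four workflow steps described above (verify user, authenticate, reset password, change notification) plus the registration data they rely on can be modelled in a few dozen lines. The Python below is an added example, not LogonBox's or Azure AD's implementation: the directory, the registered email and SMS contact data, and the delivery log that stands in for real email/SMS gateways are all constructed in-memory stand-ins. It enforces the dual identification setting from the Conformity rule (two verified methods before a reset), compares each answer against the stored registration data with a constant-time comparison, limits guesses per code, checks the new password against a local fine-grained policy, and notifies the user on every registered channel once the change completes.

```python
"""Model of the self-service password reset workflow: verify user, authenticate
with the required number of registered methods, reset against a policy, then
notify the user. Added example with an in-memory directory and a constructed
delivery log; not LogonBox's or Azure AD's implementation."""
import hmac
import secrets

METHODS_REQUIRED = 2        # the "number of methods required to reset" setting
MAX_ATTEMPTS_PER_CODE = 3   # a one-time code is dead after this many wrong guesses
OTP_DIGITS = 6
CHANNELS = ("email", "sms")

# Constructed directory. The registration data (email, sms) is what answers are
# compared against; a real directory would store a password hash, not plaintext.
DIRECTORY = {
    "alice": {"email": "alice@example.test", "sms": "+15550100",
              "password": "OldPassw0rd!"},
}

# Constructed delivery log: (channel, address, message) for every send.
OUTBOX = []


def deliver(channel, address, message):
    OUTBOX.append((channel, address, message))


def check_policy(candidate, current):
    """Fine-grained policy applied locally by the SSPR application."""
    if len(candidate) < 12:
        return False, "minimum length is 12"
    classes = sum([any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)])
    if classes < 3:
        return False, "at least three character classes required"
    if hmac.compare_digest(candidate, current):
        return False, "new password must differ from the current one"
    return True, ""


class ResetSession:
    def __init__(self, username):
        # Step 1 (verify user): unknown names still get a session object so the
        # caller sees identical responses and cannot enumerate accounts.
        self.user = DIRECTORY.get(username)
        self.pending = {}      # channel -> one-time code awaiting an answer
        self.attempts = {}     # channel -> wrong guesses so far
        self.verified = set()  # channels that answered correctly

    def start(self):
        """Issue a one-time code to every registered channel."""
        if not self.user:
            return
        for channel in CHANNELS:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
            self.pending[channel] = code
            self.attempts[channel] = 0
            deliver(channel, self.user[channel], code)

    def verify(self, channel, code):
        """Step 2 (authenticate): compare the answer with the stored code."""
        expected = self.pending.get(channel)
        if expected is None or self.attempts[channel] >= MAX_ATTEMPTS_PER_CODE:
            return False
        self.attempts[channel] += 1
        if hmac.compare_digest(expected, str(code)):
            self.verified.add(channel)
            del self.pending[channel]
            return True
        return False

    def reset(self, new_password):
        """Step 3 (reset) followed by step 4 (change notification)."""
        if not self.user or len(self.verified) < METHODS_REQUIRED:
            return "denied: not enough verified methods"
        ok, why = check_policy(new_password, self.user["password"])
        if not ok:
            return "rejected: " + why
        self.user["password"] = new_password
        for channel in CHANNELS:
            deliver(channel, self.user[channel], "Your password was reset")
        return "ok"
```

The notification at the end of `reset` goes to every registered channel, not only the ones used during the session, so an owner whose account was reset by someone else still learns about it.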
Self-Service Password Reset Features
The operational costs of maintaining passwords, including service desk expenses for those who forget passwords and productivity losses because of too-many-attempts lockouts and other issues, are rising. Self-service password reset helps enforce strong credential policies so you can reduce potential breaches resulting from poor password practices while at the same time increasing productivity and minimising service desk load. Typically self-service password reset achieves these benefits through a collection of features.

If you are looking for greater security and greater productivity, self-service password reset tools can offer more. Here are some LogonBox-specific features; a more comprehensive list can be found here.

Deployment
There are a number of ways software can be deployed, from on-premise to cloud, and self-service password reset can benefit from each of these.

On-premise Deployment
This refers to an onsite server where the customer is expected to install the product. The benefit is that the customer has full control and ownership of infrastructure, resources and software. Since self-service password reset is a web application it needs to run in a web server. Some installations use Microsoft IIS whereas others install their own web server during installation. LogonBox is unique in this aspect as its on-premise deployment runs as a virtual machine. What this means is that all components are stored in a virtual image and extracted into the virtual server (such as ESXi or Hyper-V) at time of execution, so there are no prerequisites. On-premise installations gain from whatever the underlying system offers; in the case of LogonBox the product benefits from the rollback and resource management offered by the underlying hypervisor.

Cloud Deployment
Cloud computing allows people access to the same kinds of applications through the internet, and the adoption rate of cloud-based or Software as a Service (SaaS) applications has increased dramatically. A survey by Goldman Sachs highlighted that 70% of SMBs always consider a SaaS option and 58% prefer a SaaS option, if available. Cloud deployments like LogonBox Cloud use a secure SSH agent to communicate with the on-premise Active Directory; beyond that everything is done in the cloud. Self-service password reset in the cloud saves the need for installation, reduces the time to go-live and relieves any maintenance and management of hardware and software; for MSPs focused on the sale, this can be a real benefit.

Summary
Self-service password reset offers a wealth of benefits to the end-user, to the service desk and to the company's bottom line. When used appropriately it can offer better security protection than dated manual processes. Password self-service applications have moved on leaps and bounds, offering more features than ever before and crossing into identity management, single sign-on, password management and documentation management to offer even greater benefits and efficiencies.

Not Already a LogonBox Customer?
Interested in LogonBox after this introduction to self-service password reset? Try LogonBox and get started for free: LogonBox on-premise foundation is free for an unlimited number of users forever, with an affordable pricing model that scales as you do. You can learn more about LogonBox by checking out our website, blog, or simply by contacting us.

What are the authentication methods supported for self-service password reset?
The following authentication methods are available for SSPR:
- Mobile app notification
- Mobile app code
- Email
- Mobile phone
- Office phone (available only for tenants with paid subscriptions)
- Security questions

What is Azure self-service password reset?
Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If Azure AD locks a user's account or they forget their password, they can follow prompts to unblock themselves and get back to work.
Which three authentication methods can be used by Azure Multi-Factor Authentication?
Available verification methods
The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:
- Microsoft Authenticator app
- Windows Hello for Business
- FIDO2 security key

What authentication and verification methods are available in Azure Active Directory?
How each authentication method works.