Password Management Features
P-Synch offers a total solution for enterprise password management, including the following features:
- Transparent password synchronization
When users change their Windows NT, Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), OS/390 and OS/400 password, the new password is subjected to a global password policy in addition to the native policy. If the password is acceptable, the new password is changed both on the initial system and, automatically, on every other system where the user has a login ID.
Use of an existing, familiar user interface to change passwords eliminates the need for training and guarantees high (100%) adoption rates.
- Web-based password synchronization
Users can synchronize some or all of their passwords by using a P-Synch web interface to make routine password changes. The password policy is clearly stated on the screen and enforced immediately. Each system where the user has a login ID is represented by a name and a check box.
- Self-service password reset
Users who have forgotten a password or triggered an intruder lockout can sign into P-Synch with another form of authentication to perform self-service password reset. Supported authentication factors include answering personal questions in the form of Q-A (Question-and-Answer), using a hardware token (e.g., SecurID, SafeWord), using a biometric sample, and using smart cards.
Automated password reset allows locked-out users to reset their own passwords, addressing the problem of forgotten passwords. P-Synch gives users a secure and efficient process to reset their passwords, minimizing help desk call volume and the time the help desk spends resetting passwords.
Once authenticated, users can reset their own passwords without calling the help desk. Tickets can be automatically created on a call tracking system.
Self-service password reset is available from:
- A web browser, from either the user's own computer or that of a neighbor.
- The login prompt of the user's own workstation.
This is possible with a domain-level SKA (secure kiosk account) that does not require a client software installation, a local SKA, or a GINA (Graphical Identification and Authentication library) DLL inserted ahead of the existing network client GINA on user workstations.
- A telephone, from which the user dials the help desk ACD (automatic call distribution) and is directed to an IVR (interactive voice response) system that provides a password reset service.
A P-Synch API (application programming interface) allows existing IVR systems to be extended to provide password resets. ID-Telephony®, a turn-key IVR system, is also available, using either numeric Q-A (Question-and-Answer) or biometric voice print verification for caller authentication.
- Assisted password reset
Authorized support analysts can sign into a P-Synch web user interface, look up a caller's profile, authenticate the caller by keying in answers to personal questions and reset one or more passwords. A closed ticket can be automatically written to the call tracking system.
Support staff do not require any privileges to systems on which P-Synch allows them to reset passwords.
- Clear intruder lockout
Users who have triggered an intruder lockout can sign into P-Synch with another authentication factor, such as a hardware token or by answering personal questions, and can then clear the intruder lockout on their own account.
It should be noted that P-Synch differentiates between different types of "locks," and only allows users to clear intruder lockouts:
- Intruder lockouts: triggered by repeated attempts to sign into a given login account with an incorrect password. They often have a timeout (i.e., they are automatically cleared after a set interval).
- Administratively disabled: the login ID was explicitly disabled by a security administrator. P-Synch does not remove such locks.
- Password expired: the user may sign in, but can only access the password change function of the system or application. P-Synch may set this flag after an assisted password reset (i.e., to force the user to change a temporary password). P-Synch normally clears this flag after self-service password changes.
- Account expired: the account is in a state equivalent to setting the "administratively disabled" flag, but as a result of the active time period for the account expiring, rather than due to recent administrator intervention.
It should also be noted that not all target system types support all of the above mechanisms, and some target types actually entangle them. For example, "administratively disabled" and "intruder lockout" are represented by the same flag on most mainframe systems.
In cases where the states are entangled on a target system, P-Synch will either not allow users to clear the flag or, where possible, expose a plug-in point where customers can insert business logic to differentiate between different meanings of the same flag.
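The lock-state distinction above, as an added example that is not P-Synch code: a small model of the four states, a self-service function that clears only intruder lockouts (timed lockouts expire on their own, administrative disables and account expiry are never touched), and a plug-in hook for target types whose single native flag entangles "intruder lockout" with "administratively disabled". The system names, the entangled-system table and the disambiguator hook are assumptions for illustration.

```python
"""Added example, not P-Synch code: a model of the four lock states the text
distinguishes, with self-service allowed to clear intruder lockouts only.
System names, the entangled-flag table and the plug-in hook are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum, auto
from typing import Callable, Optional


class LockState(Enum):
    INTRUDER_LOCKOUT = auto()   # repeated bad passwords; often times out
    ADMIN_DISABLED = auto()     # explicitly disabled by an administrator
    PASSWORD_EXPIRED = auto()   # may sign in only to change the password
    ACCOUNT_EXPIRED = auto()    # the account's validity period has ended


@dataclass
class Account:
    system: str
    login_id: str
    locks: set = field(default_factory=set)
    lockout_until: Optional[datetime] = None   # timeout of an intruder lockout


# Assumed: target types whose native flag merges "intruder lockout" with
# "administratively disabled" (the text says most mainframes do this).
ENTANGLED_SYSTEMS = {"mainframe"}

# Plug-in point (assumed): customer business logic that says whether the
# shared flag on an entangled system currently means an intruder lockout.
Disambiguator = Callable[[Account], bool]


def expire_timed_lockouts(acct: Account, now: datetime) -> None:
    """Intruder lockouts with a timeout clear themselves once it has passed."""
    if acct.lockout_until is not None and now >= acct.lockout_until:
        acct.locks.discard(LockState.INTRUDER_LOCKOUT)
        acct.lockout_until = None


def self_service_clear_lockout(acct: Account,
                               disambiguate: Optional[Disambiguator] = None) -> bool:
    """Clear an intruder lockout for the user. Returns True if a lock was cleared.

    Administrative disables and account expiry are never removed here; on an
    entangled system the shared flag is cleared only if the plug-in says it
    currently means a lockout, otherwise the request is refused."""
    if LockState.INTRUDER_LOCKOUT not in acct.locks:
        return False
    if acct.system in ENTANGLED_SYSTEMS:
        if disambiguate is None or not disambiguate(acct):
            return False                       # refuse: could be an admin disable
        # One native flag backs both states, so clearing it clears both views.
        acct.locks.discard(LockState.ADMIN_DISABLED)
    acct.locks.discard(LockState.INTRUDER_LOCKOUT)
    acct.lockout_until = None
    return True


def after_password_reset(acct: Account, assisted: bool) -> None:
    """An assisted reset hands out a temporary password, so force a change at
    next login; a self-service change leaves the account fully usable."""
    if assisted:
        acct.locks.add(LockState.PASSWORD_EXPIRED)
    else:
        acct.locks.discard(LockState.PASSWORD_EXPIRED)


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    now = datetime(2024, 1, 1, 12, 0)

    nt = Account("nt-domain", "jdoe", {LockState.INTRUDER_LOCKOUT},
                 lockout_until=now + timedelta(minutes=30))
    expire_timed_lockouts(nt, now)                      # timeout not yet reached
    cleared_nt = self_service_clear_lockout(nt)

    timed = Account("nt-domain", "asmith", {LockState.INTRUDER_LOCKOUT},
                    lockout_until=now - timedelta(minutes=1))
    expire_timed_lockouts(timed, now)                   # already timed out

    disabled = Account("nt-domain", "jsmith", {LockState.ADMIN_DISABLED})
    cleared_disabled = self_service_clear_lockout(disabled)

    mf = Account("mainframe", "jdoe",
                 {LockState.INTRUDER_LOCKOUT, LockState.ADMIN_DISABLED})
    refused_mf = self_service_clear_lockout(mf)         # no plug-in: refuse
    cleared_mf = self_service_clear_lockout(mf, lambda a: True)

    helped = Account("nt-domain", "jdoe")
    after_password_reset(helped, assisted=True)

    return {"nt": cleared_nt, "timed_locks": timed.locks,
            "disabled": cleared_disabled, "mf_no_plugin": refused_mf,
            "mf_plugin": cleared_mf, "mf_locks": mf.locks,
            "helped_locks": helped.locks}
```

The refusal path is the important design choice: on a target where one flag carries two meanings, the safe default is to do nothing until customer-supplied logic has confirmed which meaning applies, rather than letting self-service silently re-enable an account an administrator disabled.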
- RSA SecurID Token management
Users with RSA SecurID tokens can use P-Synch for PIN reset or to clear forgotten PINs, to resynchronize their token clock with the RSA Authentication Manager, to enable or disable their token, and to get emergency access pass-codes.
- Password policy enforcement
P-Synch normally enforces a uniform, global policy in addition to the various password policies enforced natively on each managed system. This policy applies to all password changes, including those triggered on other systems.
The built-in password policy engine includes over 50 standard rules, plus a regular expression engine and plug-in system, allowing organizations to define new rules. Open-ended password history and dictionary checks are included.
- Password change notification / early warning
P-Synch automatically reminds users to change their passwords regularly. This facility pre-empts native password expiration on managed systems and encourages users to synchronize their passwords with a friendly, web-based user interface.
Users are prompted to change passwords either by receiving e-mail, with an embedded URL to the P-Synch server or by responding to a web browser window that is opened during their network login script.