Many times companies use an initial password that is partially or completely static (Summer2017?), or sometimes they use a formula built from partial data of the user, such as the month of birth plus the last three digits of their Social Security number. We’ve all seen it… Additionally, the medium by which this initial password is delivered to the user may be their personal email or, worse, a piece of paper that passes through several hands before making its way to the end user.
This POC aims to eliminate static passwords and improve the initial validation process by replacing the password with an OTP/TOTP. On this occasion we will use Active Roles to streamline the creation of a user account through a web interface, delegated to the help desk or to human resources. The tool helps us validate and standardize the entered values, among which we will make the phone number required. Once the user account is created, taking advantage of the Password Manager integration with the Windows login screen (GINA, SPE), the user will validate by SMS or voice call. Keep in mind that we also have the option to validate with Defender (our token/TOTP). This way the user will have access to the workstation, email, SharePoint site, O365, databases and any other automatically provisioned resource, without needing to call the help desk and without that initial password being delivered in any way. Are you visualizing the time and money savings already?
Figure 1: Provisioning policy in Active Roles.
In order to avoid sending the user that initial password we will use Password Manager, particularly its GINA/SPE integration and phone validation.
Figure 6: We drag ‘n’ drop “Authentication via phone” into the workflow. As you can see on the left, authentication with Defender (RADIUS TOTP) is also available.
Figure 7: Configure all available options.
Figure 8: The user is in front of his workstation for the first time. No need to call the help desk, thanks to One Identity Secure Password Extension.
This use case involved using two One Identity tools that allowed us to solve the initial password dilemma with a unique, random and automatically generated initial password. Furthermore, that password is never actually used: the user validates with an OTP the first time and enrolls in Password Manager in the same step. Not a complex solution at all, and one that offers a quick ROI while adding better security to the operation.
Some skeptics say that better business through better security is a fallacy… but it can be done!
Hope it helps!