Traveling users typically log in to their PCs with cached Active Directory credentials. If they forget the cached password, technical support is expensive, unsafe or simply impossible:
- Impossible: the user cannot bring the PC to the office, and the help desk cannot or will not offer an alternative, local user ID.
- Costly: the user must physically bring (or mail) the laptop to a corporate location so that the PC can re-authenticate to the AD domain and cache the user's freshly reset password.
- Unsafe: the help desk reads the user the login ID and password of a local account defined on the PC (not a domain account). Once shared over the phone or by e-mail, that account's password can no longer be treated as secret, and the account remains on the PC afterwards.
While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.
The Xpress Password Solution
The ILANTUS Login Assistant Credential Provider (CP/GINA agent) assists mobile, off-site users who have forgotten the password they use to sign into their own PC. The client establishes a temporary network connection, launches a locked-down web browser and lets the user authenticate to Xpress Password with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their PC. With the Xpress Password CP/GINA agent installed on a user's Windows laptop, a password reset away from the office proceeds as follows:
- The user’s PC is not physically attached to any network — the user may be at an airport, coffee shop, etc.
- The user is faced with a login screen to which they do not know the password.
- The user’s (forgotten) AD password is cached on the PC, to allow logins while away from the corporate network.
- If the CP/GINA agent is deployed, the user clicks on the link on the Windows login screen with a label such as “Forgot my password/Unlock account.”
- The CP/GINA agent service is started and detects (a) that there is no wired network connection and (b) that the PC has a wireless network adapter.
- The CP/GINA agent scans for available WiFi hot-spots and prompts the user to select one. They are ordered by signal strength, so the user normally chooses the first one (nearest AP; often public). Such a hotspot is untrusted, so everything that follows relies on the TLS session to the reset portal and on the VPN, not on the WiFi network itself.
- The user's web browser is launched so that the user can satisfy the hotspot's captive portal, which may mean accepting terms of service or paying the local Internet provider.
- Xpress Password will launch a kiosk-mode web browser to the password reset web portal. Since the browser is in kiosk mode, the user cannot navigate to any other URL.
- The user performs the password reset in this browser session. This includes self-identification, some form of non-password authentication (e.g., CAPTCHA, security questions, a mobile phone SMS PIN or a soft token, in whatever combination the deployment requires) and selection of a new password.
- Xpress Password uses an ActiveX control to re-authenticate the user's PC to the domain over the VPN; the kiosk browser must therefore be ActiveX-capable (Internet Explorer). A successful domain logon with the new password has the desirable side-effect of replacing the stale cached credential on the user's PC.
- The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi session.
- The user is able to sign into their PC with the new password, which has been applied both at work and to the local cache.
Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using a mobile phone hotspot, or in a hotel with a wired connection. All of these alternatives also work essentially as described above.
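The sequence above depends on three preconditions that are easy to verify before a laptop leaves the office: the PC is domain-joined, cached domain logons are enabled (Windows stores up to CachedLogonsCount previous logons; the default is 10 and 0 disables caching, in which case the user could not have logged in offline in the first place), and a wireless adapter is present for the hotspot step. The following PowerShell is an added pre-flight check written for this page; it is not part of the ILANTUS product. The registry path and the Get-NetAdapter media-type strings are standard Windows values; the names of the fields in the output object are the example's own.

```powershell
# Added example (not ILANTUS code): verify the preconditions for an
# off-site cached-credential password reset. Run as administrator.

# Winlogon setting that controls how many domain logons Windows caches.
# REG_SZ; default "10" when absent; "0" disables offline logon entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # Windows default when the value is not set

# Domain membership: a cached *domain* credential only exists on a joined PC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Physical adapters: "Native 802.11" is WiFi, "802.3" is wired Ethernet.
$adapters = Get-NetAdapter -Physical
$wifi  = $adapters | Where-Object { $_.PhysicalMediaType -like '*802.11*' }
$wired = $adapters | Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' }

# Field names below are this example's own, not a product or Windows API.
[pscustomobject]@{
    DomainJoined       = $cs.PartOfDomain
    Domain             = $cs.Domain
    CachedLogonsCount  = [int]$cached
    OfflineLogonWorks  = $cs.PartOfDomain -and ([int]$cached -gt 0)
    WiFiAdapters       = @($wifi | Select-Object -ExpandProperty Name)
    WiredLinkUp        = [bool]$wired
}
```

If OfflineLogonWorks is false the agent's WiFi and portal steps are moot: either the user never had a cached domain credential to forget, or the PC is not domain-joined and a reset on the network would not change the local logon. WiredLinkUp true corresponds to the wired alternatives noted above, where the hotspot selection is skipped.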