The ProfileValidator assures the rapid enrollment of myPassword by checking the user's PC at logon to determine if their password reset profile has been completed. If updates are needed, the ProfileValidator can be configured to either require or suggest that the user update their profile. If users are not required to provide updates immediately, they will be reminded on each logon until complete.

The ProfileValidator is an optional feature that addresses the number one obstacle to the successful deployment of any self-service password reset solution: getting your users to enroll. When used with myPassword, the ProfileValidator will run on each user's PC at logon, and can be configured to either require the user to complete their profile before they are allowed to continue, or simply suggest that the profile be updated. In this case, the user will be reminded on each logon until the updates have been completed.

The ProfileValidator is an invaluable tool that facilitates the rapid enrollment of myPassword. And once your users can securely reset their own passwords, the relief to your help desk staff is immediate – resulting in a measurable ROI!

Using the ProfileValidator with rDirectory

When used with rDirectory, the ProfileValidator can also enforce data integrity policies for virtually any information in the user’s Active Directory profile. rDirectory’s form generators and data validators allow you to apply different data integrity policies to different users or groups using rDirectory's powerful Roles feature. Learn more!

myPassword incorporates several methods for detecting, deterring and blocking potential malicious activity. myPassword’s User Authentication system includes:

• Inactivity timeouts
• Progressive challenge/response protocols
• Customizable authentication failure policies that can be configured to trigger intrusion events.

When a potential intrusion is detected, myPassword will automatically take the necessary steps to prevent the intrusion attempt from succeeding, and immediately generate email alerts to notify appropriate security personnel of the attempted attack.

Progressive Challenge/Response

If the user has completed a password reset profile, they are required to answer each question correctly before viewing the next question. An excessive number of wrong responses will trigger an event that can block the user, account or IP address and send an email notice that a potential intrusion may be occurring.

Inactivity Timer

An inactivity timer provides additional security to myPassword. When used in a kiosk mode, the inactivity timer will assure that myPassword is returned to the opening screen when left unattended, ready for the next user. When used with the Restricted Access Account, the inactivity timer will logout the Restricted Access Account and return to the normal windows logon when the PC is left unattended.

Vouching is an optional feature in myPassword that allows a manager or other authorized individual to authenticate an account on behalf of another user who has forgotten the answers to their security questions or has yet to complete a password reset profile.

Leveraging customizable, relationship-based roles, you can set up rules where different users may be allowed different vouchers, and receive different messages to indicate who can vouch for them. Since rules can leverage customizable relationship-based roles, a voucher can also be based on relationships defined in the directory, such as Manager or another custom relationship that you create.

How Vouching Works

1. Vouching feature must be enabled and at least one voucher rule set
2. User logon attempt fails due to forgotten password or inaccurate responses to password reset profile questions
3. Authorized voucher enters their credentials
4. User can logon
5. Optionally, email notification of the vouching event can be sent to a specified address

myPassword natively supports Vista, Windows 7, Windows 8 and also includes an optional GINA extension for 32- and 64-bit Windows XP based workstations, allowing administrators to seamlessly integrate myPassword functionality into the Windows logon screen.

myPassword also features an extensive list of alternative methods to access its powerful self-service password reset capabilities, including:

Each time a password modification occurs, myPassword automatically records the change in the Windows event log. You can optionally configure myPassword to generate email notifications of the change and send the notification to the user or to their manager for additional security. A special email notification occurs when a potential intruder is detected.

The following password modifications will trigger an event:

• Password reset
• Password change
• Password reset profile change
• Password reset using vouching (optional)

The following change information is recorded:

• Who made the change
• What was changed
• When the change occured

Audit Event Log - Change



Email Notification - Change



Audit Event Log – Intrusion Detection



Email Notification – Intrusion Detection

Password Reset Profile Rules

With rule-based password reset profile generation, an administrator can ensure that highly secure or sensitive accounts are forced to adhere to a stringent password reset policy, while still allowing simpler Password Reset Profiles for those with limited access.

Password Generator

The optional myPassword generator ensures that password complexity and history requirements are met every time an account password is modified. The password generation feature uses a customizable dictionary of words that will be appended with numbers, and additional words and numbers as necessary, until the minimum password length is obtained. When used with the Force Password Change on next Logon feature, the generated password becomes a one-time-use password that can be as complex as you desire.

 

Client-Side Encryption and SSL Support

Client-side encryption, enabled by default in both myPassword and rDirectory, prevents sensitive information such as passwords and password profile responses from being sent over the wire in clear text. If even greater security is required, SSL can be enabled to encrypt the entire session.

Cross-browser support myPassword now supports any of the browsers listed below so end-users have more options for accessing myPassword’s features from any computer in the enterprise.

• Microsoft Internet Explorer 7.0 or later
• Safari 5.0.3 or later
• Mozilla Firefox 3.6.3 or later
• Chrome 8.0 or later
• Opera 10.62 or later

Integration with Namescape rDirectory

myPassword can be licensed as a stand-alone product, or in combination with Namescape’s rDirectory, to form a complete enterprise-class password and account provisioning solution that allows administrators to not only enforce password reset profile policies, but also guarantee that new passwords are issued only to authenticated users.

Language Support

myPassword now ships with German, Spanish and French already translated for you. All you need to do is change your browser setting to one of these languages. myPassword can also be customized for additional languages.

myPassword and rDirectory include a Report Console that allows you to search for specific user activity, view activity summaries, and generate and export activity reports in various formats. The report console may be accessed by granting the report access role in the Namescape Designer, and then selecting the Report Console button in the upper right corner of the rDirectory client.

SMS Verification allows you to set up a secondary authentication method for resetting passwords. When SMS is configured, a verification code will be generated and sent to the user’s configured mobile number. The user will then be prompted to enter that code into the myPassword client in order to proceed.

myPassword now supports custom landing pages in addition to the existing themes.