Welcome to Adaxes. In this video we'll be looking at one of the most common reasons for help desk calls, forgotten passwords and locked accounts. What happens when a user forgets their password? Typically they would pick up the phone and call the help desk to get it reset. The help desk would have to trust that the person calling is who they say they are.
They would also know the user's password even if only for a short period of time, and they would then have to communicate the new password to the user over the phone. In addition to the obvious security risks associated with this process, it also significantly increases the burden on the help desk staff, and potentially causes a range of audit problems and overheads. With Adaxes, we solve that by allowing users to securely reset their passwords and unlock their accounts autonomously.
Let's have a look how it works. So, now I'm in a situation where I forgot my password. And obviously, after a couple of unsuccessful attempts, my account got locked.
To reset my password, I simply need to click the Reset Password link right here on the logon screen. Then I need to enter my username, and once I've done that, I need to go through a verification process to prove that I am who I say I am. Because multi-factor authentication is enabled for my account, here I need to provide a verification code that I can get from an app on my mobile phone.
In this case it's Google Authenticator. Now I need to enter another verification code, and this time it's sent to me via SMS. In a real-life scenario you probably wouldn't enable both SMS verification and one-time passwords. Here it's done more for demonstration purposes. I've received an SMS from Adaxes, so I can go ahead and enter the code.
Now I need to provide answers to a series of security questions that I went through when I initially enrolled for password self-service reset. And once I've answered them all correctly, I can specify whether I want to just unlock my account, or do both, reset password and unlock account. Then I can simply generate a new password, and that's it. Now that I've changed my password, I can go and log in just as I normally would.
As you've probably noticed, password reset is done through a web-based interface, which means that you can make it available via the internet if you want users to be able to reset their passwords without being on your corporate network. And of course this means it can be done on any device with web access, including PCs, laptops, tablets, mobile phones and others. All the password self-service procedures in Adaxes are controlled by password self-service policies. You can assign different policies to different users. So you might have one policy for regular users, another one for managers and a strict policy for say executives or administrators.
So let's take a look at different settings you can configure with a policy. Here I've got a policy for managers. And of course the most important thing I can configure with its help is how the user's identity is verified during the password reset process.
I have different authentication mechanisms I can use, like security questions and answers. These are actually the questions that I was asked during password reset. And as you can see here, there are some mandatory questions, optional questions, and you can also add your own.
Here you can configure how many questions users need to answer, whether user-defined questions are allowed and how many, what the minimum answer length is, whether an answer can be part of a question and so on. Another authentication mechanism you can use is verification via SMS or the user's personal email. In this case, users will need to provide the verification code which Adaxes will send to them.
And the third authentication option is verification via time-based one-time passwords. When enabled, users need to provide a code which is dynamically generated on their mobile phone or tablet. Like in this case, it will be shown in the Google Authenticator app. In order for a user to be able to reset their password on their own, they need to enroll for password self-service first. This is a one-time process where they need to provide their answers to the security questions, enter their mobile phone number, and set up an application on their mobile device.
Users who haven't yet enrolled will see a balloon notification that periodically pops up in the bottom right corner of the screen, reminding them to enroll. And in addition to that, Adaxes will also send them email reminders at a specific time interval, which is defined individually for each policy. Adaxes will also send an email notification to a user every time their password is changed using the self-service procedure, so that they could take corresponding measures if they didn't do that.
Here you can define how many invalid attempts a user can make before their access to password self-service is blocked, and for how long it will remain blocked. You can also control whether account unlock is allowed, enable CAPTCHA, enforce random passwords, and so on. And the way I assign policies to users is very flexible.
For example, I can apply a policy to all users who are members of the managers group, and exclude those whose job title contains the word supervisor. Adaxes also provides great monitoring capabilities for password self-service, allowing you to keep an eye on things like how the enrolment process is going, successful and failed self-password reset attempts and others. Let's take a quick look at some of them. Here I can see how many users have enrolled for password self-service and how many have not, whether an enrolment invitation has been sent to a user, which policies are assigned to which users and other information of that kind.
Here I can see how many times users have reset their password using the self-service option, which is great if I'm trying to make sure I get ROI out of this product. If a certain policy results in many failed password reset attempts, you'll see it here, and maybe you'll need to think about making that policy less strict. And here I can see the users that are currently blocked because of too many failed attempts, and the host from which those attempts were made. By default, Adaxes will automatically unblock these users after a certain time, so you don't need to intervene at all.
But if you choose to disable that option, this is the place where you can do it manually. To give users the ability to reset their passwords straight from the Windows logon screen, you need to install a tiny piece of software called the Adaxes Self-Service Client on their machines. In the application's installation guide, you'll find step-by-step instructions on how to do that in bulk using group policies.
Also, here you can enable or disable the feature in a centralized manner for all computers at once, change the texts, configure options for the enrolment notification that pops up in the system notification area. And also, this is the place where you can enable two amazing features, off-site password reset and offline password reset.
Let's take a look at these two options in more detail. What happens if somebody takes their laptop home and forgets their password? Even if they call the help desk to have their password reset in Active Directory, they won't be able to use the new password, as their laptop will still be asking for the old one. Without a connection to a domain controller, there's no way the laptop can get the new password from AD.
We have a solution for that in Adaxes. It's called Offsite Password Reset. With this feature in place, users can go through the same self-password reset procedure as if they were inside the corporate network.
After that, Adaxes will reset the user's password, both in Active Directory and locally on the laptop. The latter will allow users to log into their laptop with the new password. And it doesn't require VPN or anything like that. But what if a user is in a location where they don't have internet access from their laptop? Let's say they're in a hotel and they can't connect their laptop to the hotel's Wi-Fi.
Here Adaxes comes to the rescue as well. It allows users to reset their password on their offline computers using a cell phone or a tablet or any device with internet access. Let's see how it works. So, now my computer is offline and I've forgotten my password.
When I click on the reset password link, it understands that I don't have internet access and offers me the option to reset my password on a device that is connected to the internet. I can either follow these steps or I can just scan the QR code using my phone and it will take me to the password reset screen. Here I need to undergo the same verification procedures that include one-time passwords, SMS verification and security questions and answers.
And now I can create a new password. Now my password has been reset in Active Directory and it's given me the response key that I need to enter on my laptop to reset the password there. And here we go. Now I can use the new password to log into the system, even though this computer is not online at this time.
With Adaxes, instead of calling the help desk and going through a long, frustrating password reset procedure on the phone, which can be unreliable and prone to mistakes and exploits, users can reset their own passwords by themselves, without any intervention from the IT staff whatsoever. The off-site and off-line options let you take password self-service a step further and extend it beyond your company's premises and network. So, wherever users take their laptops, with Adaxes you can be sure that forgotten passwords won't be an insurmountable problem anymore.
Thanks for watching.