Thread: Self Service Password Solutions

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Self Service Password Solutions

    Background
    ================
    I'm currently tasked with evaluating several self service password solutions. For those who don't know what this is, the software is in place so that users can reset/retrieve/change passwords without creating a helpdesk ticket or phone call. As an example, see the courion website: http://www.courion.com

    Feedback Wanted
    ================
    Now, I'm well aware of the security implications so please don't tell me why they are good or bad. I'm simply after input from anyone who is currently using a self service password solution. More specifically, has it reduced helpdesk calls, has the response by end users been positive, has it gotten banged up by auditors, does it integrate well with LDAP, AD, etc.. And finally, which solution are you using?

    Thanks in advance.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Not really an answer to your question...

    But from my experience....users reset their password...and then forget what they set it to... far too many times

    and I get the call..they have been locked out...etc...and they can't remember what they set it to...

    which in a way would then generate a help desk ticket...

    But...may reduce it...eventually

    cause....there can't be that many lusers out there...

    can there

    Really?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Well Tried Citrix password manager a while back. Helpdesk calls did not decrease, just changed.

    "Hello helpdesk? How do I reset my password?" And the added points of failure increased help desk activity for the first few months.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    We ended up writing our own because it has to mesh with openLDAP and AD at the same time. It's written in PHP and the user must authenticate to the centralized Kerberos system before being allowed in to our system. With a user base of 6,000+ users annually we have 0 helpdesk calls unless the backend has a problem.

    Other solutions people are using are the Microsoft Identity Integration Server
    http://www.microsoft.com/windowsserv...3/default.mspx

    Sun Identity Management -can't remember the name..but it works really well from what I'm told.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  5. #5
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    We used one, forgive me for forgetting the name, but it was a mess. It didn't integrate very well: when you went to input your information there were no problems, but when it came time to actually reset the password it would hose up and not respond, or not reset the password correctly.

    In relation to your auditor question, I just asked a couple of different auditors about methodology for resetting passwords and they gave me 2 answers... First was their opinion, but they couldn't use that. Passwords, as we all know, need to be kept secure, but because of all the privacy acts and nonsense BS you are limited in what you can actually ask someone: you can't ask for SSN or Employee ID because they are either private or employee IDs are too easily taken, and that's the same for addresses etc. In the end he said they couldn't look too closely at it or ding us because of those issues.

    The truly only secure way to do it is to physically meet the person, but that is a whole different thread.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  6. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    1
    While it may be more convenient for you [help desk, right?] I have found that some users will use your new system to retrieve passwords of other users in the network. If your network has more than 150 users it may be hard to catch the malicious users. Then again, if you are able to find a way to catch the malicious users using some kind of backfire program/software that allows only certain passwords to be forwarded to certain computers/networks, then you can root out some of your valuable information of both your employees and your company's. You should consider these factors. {note: Be careful though, the REAL malicious users in your network will probably be aware of this and find a way around this and will mess with your system. Very costly in both time and money.}

    ----------------C2X----------------------
    (2><

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well, I'm not the helpdesk but the requirements state that there cannot be an increase in helpdesk tickets if we decide to go with a solution.

    Here is how I see it working:

    1) End user hits an SSL page and fills out his/her choice of 5 questions, omitting SS and things on the same level of sensitivity.

    2) When they need their password, they revisit the site and answer three of the questions presented at random. If they fail 3 times, an auto-generated message gets dispatched to the top of the help desk queue. If they enter the responses correctly, the system generates a PGP signed e-mail to them. Now, all of our end users have a single-click sign/encrypt verify/decrypt button in their mail client. This is set up the first day they are on the job.

    I've heard mixed reports that people have more trouble setting up their self serve page than they do remembering their passwords. Again, if anyone has specific details on this in particular, it would be most useful to me.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
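    The two-step flow TH13 describes in #7 (enroll 5 questions, answer 3 chosen at random, escalate to the help desk queue on the third failure), as an added Python sketch that is not the poster's system and not any vendor's product. Everything beyond the post is an assumption made for the example: answers are normalized, salted and stretched with PBKDF2 so the store never holds them in clear, every presented answer is compared in constant time, the server (not the client) decides which three questions are asked, an escalated account refuses further attempts until the ticket is handled, and the PGP-signed e-mail step is replaced by returning a one-time reset token. The SSL page and the mail client are outside what the toy shows.

```python
"""Toy self-service password-reset challenge flow (added example, not the poster's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ENROLLED_QUESTIONS = 5      # the user picks 5 questions at enrollment (from the post)
CHALLENGE_SIZE = 3          # 3 are presented at random on each attempt (from the post)
MAX_FAILURES = 3            # the third failure escalates to the help desk (from the post)
PBKDF2_ROUNDS = 50_000      # assumption: demo value, tune higher in production


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive answers avoid 'forgot my own answer' tickets."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored salted and stretched like passwords, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Enrollment:
    questions: list                                 # [(question_text, salt, answer_hash), ...]
    failures: int = 0
    escalated: bool = False
    pending: list = field(default_factory=list)     # indices presented in the open challenge


class SelfServiceReset:
    def __init__(self, helpdesk_queue: list):
        self.users: dict = {}
        self.helpdesk_queue = helpdesk_queue        # index 0 is the top of the queue

    def enroll(self, user: str, qa_pairs: list) -> None:
        """Step 1 of the post: store 5 question/answer pairs for the user."""
        if len(qa_pairs) != ENROLLED_QUESTIONS:
            raise ValueError(f"exactly {ENROLLED_QUESTIONS} question/answer pairs required")
        stored = []
        for question, answer in qa_pairs:
            salt = secrets.token_bytes(16)
            stored.append((question, salt, hash_answer(answer, salt)))
        self.users[user] = Enrollment(questions=stored)

    def challenge(self, user: str, rng=None) -> list:
        """Pick 3 of the 5 enrolled questions server-side and remember which were asked."""
        enr = self.users[user]
        if enr.escalated:
            raise PermissionError("reset locked: a help-desk ticket is already open")
        rng = rng or secrets.SystemRandom()
        enr.pending = sorted(rng.sample(range(ENROLLED_QUESTIONS), CHALLENGE_SIZE))
        return [enr.questions[i][0] for i in enr.pending]

    def verify(self, user: str, answers: list):
        """Return a one-time reset token on success, None on failure or escalation."""
        enr = self.users[user]
        if enr.escalated or len(enr.pending) != CHALLENGE_SIZE or len(answers) != CHALLENGE_SIZE:
            return None
        ok = True
        for idx, given in zip(enr.pending, answers):
            _, salt, expected = enr.questions[idx]
            # compare every answer even after a mismatch so timing does not reveal which one failed
            ok &= hmac.compare_digest(hash_answer(given, salt), expected)
        enr.pending = []                            # a fresh challenge is needed for the next try
        if ok:
            enr.failures = 0
            return secrets.token_urlsafe(32)        # stands in for the post's signed e-mail step
        enr.failures += 1
        if enr.failures >= MAX_FAILURES:
            enr.escalated = True                    # lock self-service until the desk clears it
            self.helpdesk_queue.insert(0, {"user": user,
                                           "reason": "self-service reset failed 3 times"})
        return None


if __name__ == "__main__":
    # constructed sample enrollment for a demo run
    queue = []
    svc = SelfServiceReset(queue)
    svc.enroll("alice", [("First pet", "Rex"), ("Birth city", "Austin"),
                         ("Favourite teacher", "Mrs Lee"), ("First car", "Civic"),
                         ("Street you grew up on", "Elm")])
    print("asked:", svc.challenge("alice"))
```

The point worth taking from the toy is that the failure counter and the "which questions were asked" state live on the server, so a caller cannot pick the easiest three questions or retry without limit; the ticket the post describes is generated from that same counter.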

  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Out of curiosity... if they forgot their password, how are they going to login to get their password from their email?? Am I missing something or did you accidentally overlook that?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Login passwords are different than e-mail account passwords. The biggest issue we run into now is when people forget their PGP password but that's another issue.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
