Password Management Overview
EmpowerID provides an easy-to-use password management solution that allows end-users to securely reset forgotten passwords and unlock their user accounts.
Key areas of the functionality provided by the Password Management solution include:
Password Encryption
While EmpowerID's portal can be configured to authenticate users via federation, by default EmpowerID acts as its own Identity Provider and authenticates users accessing the application via standard username and password submission. User-provided passwords are stored as non-reversible SHA-512 hashes, each computed with a salt that is unique per user and not accessible outside the system. These safeguards make it virtually impossible to recover a user's password from the stored hash, even if the hash is inadvertently exposed. During authentication, the hash is recomputed from the user-supplied value and the system-supplied salt and compared with the stored hash; the password is considered valid only if the two match. Additional safeguards prevent brute-force attacks that attempt to guess a user's password.
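The salted-hash scheme described above, written out as an added illustration (this is example code, not EmpowerID's implementation): a per-user random salt, a SHA-512 digest over salt and password, constant-time comparison at login, and a failed-attempt lockout as the brute-force safeguard. The names and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example modelled on the scheme described above.
# MAX_FAILED_ATTEMPTS is an assumed value, not a product setting.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class StoredCredential:
    salt: bytes            # unique per user, generated from os.urandom
    digest: bytes          # SHA-512(salt || password)
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(salt: bytes, password: str) -> bytes:
    # One SHA-512 round over the per-user salt and the UTF-8 password.
    # Note: a single SHA-512 round is fast to compute, so the lockout below
    # (not the hash alone) is what limits online guessing.
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def enroll(password: str) -> StoredCredential:
    salt = os.urandom(32)  # 256-bit random salt, never shared between users
    return StoredCredential(salt=salt, digest=_hash_password(salt, password))


def verify(cred: StoredCredential, attempt: str) -> bool:
    if cred.locked:
        return False  # once locked, even a correct guess is refused
    candidate = _hash_password(cred.salt, attempt)
    # compare_digest takes the same time regardless of where digests differ,
    # so timing does not leak how many leading bytes matched.
    if hmac.compare_digest(candidate, cred.digest):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked = True
    return False
```

Because the salt is random per user, two users with the same password end up with different stored digests, which is what defeats precomputed lookup tables.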
EmpowerID strongly recommends you add extra security to your portal by supplementing the default out-of-the-box username and password authentication with MFA and/or Passwordless login.
Web and Mobile Self-Service Reset
The cost of a single password reset in a medium-sized organization is estimated to be $20. By automating portions of the reset process, this figure can be reduced to as little as $3 accompanied by a 30% reduction in help desk calls. EmpowerID allows end-users to perform a self-service reset using an anonymous web-based workflow process. The reset can be performed from their desktop or mobile device at any time of the day or night, without requiring helpdesk assistance. EmpowerID’s wide range of flexible options for verifying end-user identity makes the process easy to use and very secure.
Adaptive Multi-Factor Identity Verification
Verification of the user’s identity during the password reset process is an important step for preventing security breaches and intrusions. Passwords continue to be the weakest link and they are most vulnerable during the password reset process. Outdated methods which ask users to answer simple questions have proven inadequate and insecure. Multi-Factor Authentication is the only proven means to plug this gap. EmpowerID’s adaptive MFA offers a wide range of secure but easy-to-use options for validating a user’s identity including one-time passwords, FIDO/YubiKey tokens, 3rd parties such as DUO, as well as the EmpowerID Mobile phone app for push to approve identity verification.
Multiple Password Policies
An organization’s security requirements often differ for internal versus external users as well as for privileged IT administrators. EmpowerID allows an unlimited number of flexible policies to control security and determine password strength and change frequency, as well as the stringency of the process to reset a forgotten password. Flexible password policies assigned by role or attribute define not only password complexity requirements but also settings controlling the user’s authentication experience as well as the coarse-grained controls for multi-factor authentication. Admins can report and track user adoption as well as implement policies to force users to enroll for password reset during the login process.
Assisted Helpdesk Password Reset
The goal of a password management tool is to eliminate costly helpdesk calls. Unfortunately, this is not always possible, so a secure method to allow helpdesk staff to assist with the process is needed. EmpowerID includes friendly workflows to allow helpdesk staff to accurately verify the caller’s identity before performing an assisted password reset. All actions are logged and end-users are notified via email that their password has been changed, so that they may verify the validity of the change.
Windows Desktop Login Client
Performing a password reset can pose a problem for corporate users if they become locked out of their PCs. To solve this challenge, EmpowerID offers a friendly password reset client which appears as an additional login option. The password reset client allows users to walk through a simple process and reset a forgotten password. They can also unlock a locked-out account, even though they cannot log in to their PC. This process allows them to quickly regain access to their workstations without having to wait for assistance from helpdesk staff, saving time, money, and frustration.
Password Expiration Notifications
Often users are unaware that their password is nearing expiration until it has expired. This is especially true for partners and other types of external identities. To keep users informed in advance of a password or account expiration, EmpowerID includes workflow processes that continually monitor for impending password expirations. These workflows alert users in advance so they can update their passwords before they expire.
Active Directory Password Change Detection
One challenge faced by password management solutions is losing track of password changes that are made through the native Microsoft interfaces. These include password resets by admins or even when users change their password at the CTRL-ALT-DEL screen in Windows. EmpowerID captures even these password changes using a change detection agent that runs on your Active Directory Domain Controllers. The agent captures password changes and sends them to EmpowerID to sync the password change to all other systems in the user’s password sync list.