Login Assistance Workflow

The Login Assistance Workflow in EmpowerID is designed to help users resolve login issues. It provides step-by-step instructions for problems related to password recovery, account lockouts, and difficulties with Multi-Factor Authentication (MFA) on Azure and EmpowerID platforms.

Capabilities of the Login Assistance Workflow

The Login Assistance Workflow helps users achieve the following:

  • Reset Passwords: Reset passwords and unlock locked accounts for both EmpowerID and Azure logins.

  • Send Azure Temporary Access Pass (TAP): Provide temporary access to Azure accounts.

  • Reset Azure MFA: Unblock or unenroll users from Azure Multi-Factor Authentication.

  • Reset EmpowerID MFA: Unblock or unenroll users from EmpowerID Multi-Factor Authentication and delete all MFA assets and preferences.

Authentication Methods

The process employs both automated and manual methods to authenticate user identity:

  • Automated Methods: For users enrolled in MFA, the wizard uses one of their registered MFA methods to verify them before resolving the login issue. If a user is not enrolled in MFA but has a registered email address or mobile phone, the wizard attempts to deliver a One-Time Password (OTP) to that contact point instead.

  • Manual Methods: If the OTP is not received or the user does not have a suitable contact method, a business request or task is initiated as a fallback option. This requires an approval process where a designated individual vouches for the user's identity to resolve the login issue.

Configuring the Login Assistance Workflow

Step 1: Configure Workflow Parameters

The Login Assistance Self Service Wizard workflow provides extensive customization options, enabling administrators to modify the displayed fields for users utilizing the workflow. These customizable parameters allow you to adapt the workflow according to your organization's specific requirements and preferences.

List of Parameters

Name

Description


AzureADSCIMConnectorAssembly

Specifies the assembly information for the Azure AD SCIM connector.
Default: SCIMAzureConnector,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef

AzureADSCIMConnectorType

Defines the type of Azure AD SCIM connector.

CallBackURLDomain

Specifies the domain for the callback URL (e.g., https://api.empoweriam.com).

DateTimeFormatForEmail

Specifies the date and time format used for TAP expiration dates in emails (e.g., dddd, dd MMMM yyyy HH:mm:ss).

DefaultAccountStoreFQNForPersonLookup

Specifies the default account store fully qualified name (FQN) used for person lookup (e.g., https://linux-scim-aad.azurewebsites.net).

EmailMessageNameForTAP

Specifies the email message template name used for TAP emails. The default template is LoginAssistanceAzureTAPEmail.

IsAzureFirstTimeLoginIssueEnabled

Determines whether to show or hide Azure first-time login as a problem. If set to true, users will see the option "Need help logging into Azure for the first time (TAP)" to help them resolve issues logging in for the first time with an Azure account.

IsCreateCollaborationTask

Determines whether to generate an old-style workflow task instead of a business request.

IsMFAIssueEnabled

Determines whether the MFA issue option is displayed. If enabled, the wizard shows the option "I recall my password, but I am unable to perform multi-factor authentication."

IsPasswordIssueEnabled

Determines whether to display the password issue option. If enabled, the user will be able to access the "I'm unable to remember my password or I've gotten locked out" option, which can assist them in resolving login issues caused by a forgotten password.

IsTestMode

When enabled, the wizard relaxes certain restrictions, such as the "hasAccess" check. Leave this disabled outside of test environments: it removes an authorization check from an account-recovery path.

IsUnknownIssueEnabled

Determines whether to show or hide the unknown issue problem option in the wizard. If enabled, the wizard will show "I'm not sure what the problem is but I can't log in" option.

OAuthConsumerID

Specifies the OAuth consumer ID used for Twilio/Sendgrid.

OTPValidityDurationInMinutes

Specifies the validity duration of the OTP in minutes.

SendPasswordToEmail

Determines whether the OTP is sent to the email address linked to the account in the Login Assistance with Email/Phone flow.

SendPasswordToMobile

Determines whether the OTP is sent to the mobile phone linked to the account in the Login Assistance with Email/Phone flow.

SendPasswordToPersonalEmail

Determines whether the OTP is sent to the personal email address the user provides in the Login Assistance with Email/Phone flow.

SendPasswordToTwilioSMS

Determines whether the OTP is sent via Twilio SMS.

SendPasswordToTwilioVoiceCall

Determines whether the OTP is sent via Twilio voice call.

SendTAPForAzureMFAIssue

If set to true, a TAP will be sent instead of an MFA reset for Azure MFA issues.

SkipEmpowerIDMFA

Specifies whether to skip EmpowerID MFA.

SMSOTPKeyEntryName

Specifies the SMS message template for OTP delivery. The default template is PasswordResetCenterOTPSMSMessage.

TwilioOTPVoiceMessageTemplateName

Specifies the Twilio voice call OTP delivery template.

WhichLoginIdP

Pins the wizard to a specific Identity Provider (IdP) and hides the IdP selector. With the default value "all," the selector is shown and users can choose from all available IdPs during assistance. To hide the selector and enforce a single IdP, replace "all" with that IdP's identifier or name.


To Configure Workflow Parameters

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Login Assistance Self Service Wizard.

  3. Click the Display Name for the workflow to navigate to its View One page.

  4. Expand the Request Workflow Parameters accordion on the View One page for the workflow and search for the parameter you need to configure. In this example, we set the IsUnknownIssueEnabled parameter to false, which means the wizard will not show the "I'm not sure what the problem is, but I can't log in" option.

  5. Click the Edit button for the parameter, enter false in the Value field for IsUnknownIssueEnabled, and click Save.

  6. Repeat the above steps to adjust any parameter values as needed.

Step 2: Review the Business Request Approval Policy

If automated validation of the user's identity fails, the wizard falls back to a business request that requires manual approval. This human verification step can be customized to fit your organization's needs. The following steps show how to view and modify the policy that governs the manual identity verification process.

  1. On the navbar, expand Low Code/No Code Workflow and click No Code Flows.

  2. Click the Business Request Type tab and search for Login Assistance Voucher. Click the edit icon to put the business request type into edit mode.

  3. While in the edit mode, you'll observe that the approval policy is configured to the Login Assistance Voucher Approval Policy. This is the standard policy used for handling business requests that require manual identity verification.

  4. Click on the Login Assistance Voucher Approval Policy link to navigate to the details page for the approval policy. Scroll to find the Approval Steps in Policy accordion to view the specific steps configured for the policy.

Using the Login Assistance Workflow

  1. To receive help logging in to EmpowerID, click on the Login Assistance Workflow on the login screen.

  2. Enter either your EmpowerID login name or the email associated with your account.

  3. Select your Identity Provider (IdP): choose Microsoft Azure or EmpowerID, depending on which system you are trying to log in to.

Login Assistance Options for EmpowerID

Option 1: I’m Unable to Remember My Password or I’ve Gotten Locked Out

This option allows users who cannot remember their password or have been locked out of their account to regain access.

  1. The system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • Attempts to send a One-Time Password (OTP) to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery.

  4. If you cannot receive an email or a voice call for the OTP:

    • You can create a manual request to have someone vouch for you.

    • The wizard guides you through the recovery process using the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option is useful for users who remember their password but face obstacles with MFA, such as losing their phone or acquiring a new one.

  1. The system locates the email and phone numbers registered for the user.

  2. Attempts to send a One-Time Password (OTP) to either of them.

  3. You can reset the multi-factor authentication registered for your account.

  4. Follow the instructions in Login Assistance by Resetting MFA to troubleshoot your login issue.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

If you cannot tell what is preventing you from logging in, this option skips the automated checks and goes straight to manual identity validation.

  • The wizard enters the Login Assistance by Requesting Identity Validation flow for login recovery.

Login Assistance Options for Microsoft Azure

Option 1: I'm Unable to Remember My Password or I've Gotten Locked Out

This option allows Azure users who cannot remember their password or have been locked out of their account to regain access.

  1. As with EmpowerID, the system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • Attempts to send an OTP to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow.

  4. If you cannot receive the OTP:

    • You can create a manual request for identity validation.

    • The wizard guides you through the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option assists Azure users who remember their password but cannot complete MFA.

  1. The system sends an OTP to your registered email or phone.

  2. You can reset your MFA settings after verifying the OTP.

  3. Follow the instructions in Login Assistance by Resetting MFA.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

Select this option if you're unsure about the login issue.

  • The wizard initiates the Login Assistance by Requesting Identity Validation flow.

Login Assistance Flows

Login Assistance with MFA

If the administrator's password policy requires more than 2 Level of Assurance (LOA) points, you may have to complete more than one round of MFA.

  1. The system identifies all registered MFA methods and prompts you to choose your preferred method.

    Note: Your available MFA options may vary, as the wizard will load the MFA methods configured for your account.

  2. After choosing your preferred MFA method, the wizard walks you through the necessary steps.

    • For example, if you select the EmpowerID Mobile Authenticator, you will be prompted to approve a push notification or enter the authentication code.

  3. Upon successful MFA, you are directed to the Change Password page to reset your password.

  4. After you reset your password, the wizard provides a list of all the accounts for which it has been changed.

Login Assistance with Email / Phone

To receive assistance via email or phone:

  1. The system locates your account's email and phone numbers and attempts to send a One-Time Password (OTP).

  2. If you received the OTP, select Yes and enter the passcode.

  3. Upon successful OTP verification, you are directed to the Change Password page to reset your password.

  4. The wizard lists all the accounts for which the password has been changed.

  5. If you have not received the OTP:

    1. Select No.

    2. The system will retry sending the OTP.

    3. After several attempts, you will be prompted to create a manual request for identity validation.

    4. Follow the instructions in Login Assistance by Requesting Identity Validation.
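The following Python model is an added illustration of the decision logic described in the Authentication Methods section and of the OTP lifecycle in the Login Assistance with Email/Phone flow. It is not EmpowerID code: the OTP length, the number of resends before escalation, the sample identities and the parameter subset are assumptions, and only the comments tie fields back to the workflow parameters on this page.

```python
"""Model of the Login Assistance decision logic and OTP lifecycle.

Added illustration, not EmpowerID code. Comments map fields to the workflow
parameters on this page; the OTP length, resend limit and sample identities
are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

OTP_DIGITS = 6      # assumed: the page does not state the OTP length
MAX_RESENDS = 3     # assumed: the page says "several attempts" before escalating


@dataclass
class Person:
    login: str
    mfa_methods: list = field(default_factory=list)   # registered MFA methods
    email: Optional[str] = None                        # email linked to the account
    mobile: Optional[str] = None                       # mobile linked to the account


@dataclass
class Params:
    """Subset of the workflow parameters that drive the automated path."""
    send_password_to_email: bool = True    # SendPasswordToEmail
    send_password_to_mobile: bool = True   # SendPasswordToMobile
    otp_validity_minutes: int = 10         # OTPValidityDurationInMinutes (assumed value)


def otp_channels(person: Person, params: Params) -> list:
    """Contact points the wizard may deliver an OTP to, per the Send* flags."""
    channels = []
    if params.send_password_to_email and person.email:
        channels.append(("email", person.email))
    if params.send_password_to_mobile and person.mobile:
        channels.append(("mobile", person.mobile))
    return channels


def choose_flow(person: Person, params: Params) -> str:
    """Authentication Methods section: MFA first, OTP second, manual vouching last."""
    if person.mfa_methods:
        return "login_assistance_with_mfa"
    if otp_channels(person, params):
        return "login_assistance_with_email_phone"
    return "login_assistance_by_requesting_identity_validation"


@dataclass
class OtpSession:
    params: Params
    code: str = ""
    expires_at: float = 0.0
    resends: int = 0
    escalated: bool = False

    def send(self, now: float) -> str:
        """Issue a fresh OTP; called on the first send and on each 'No, not received'."""
        if self.resends >= MAX_RESENDS:
            self.escalated = True    # hand off to the manual identity-validation request
            return "escalate"
        self.code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.expires_at = now + self.params.otp_validity_minutes * 60
        self.resends += 1
        return "sent"

    def verify(self, submitted: str, now: float) -> str:
        """Constant-time comparison with expiry; a used or expired code is never accepted."""
        if self.escalated:
            return "escalate"
        if not self.code:
            return "no_code"
        if now > self.expires_at:
            self.code = ""           # an expired code cannot be replayed later
            return "expired"
        if hmac.compare_digest(self.code, submitted):
            self.code = ""           # single use
            return "ok"
        return "wrong"
```

The two properties worth keeping when you implement something like this for real are the ones the page's flow implies but does not spell out: the OTP is bound to a validity window (OTPValidityDurationInMinutes) and is single use, and the "No, I did not receive it" path is bounded so that an attacker cannot trigger unlimited deliveries before the wizard escalates to a human approver.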

Login Assistance by Requesting Identity Validation

If all other options fail, you can request assistance for manual identity verification.

  1. When prompted, select Yes to create a request for manual identity verification.

  2. Provide the following details:

    • Message: Write a detailed message to the person who will vouch for your identity, with enough context for them to confirm who you are.

    • Share Email and Phone: Provide an email address or phone number that you currently have access to. This does not need to match the contact details in your profile; because it is not verified against your profile, the approver's decision is the control that protects the account.

    • Select a Person to Vouch for You: Choose someone who can confirm your identity.

  3. Once you have submitted the request:

    • The approver will receive the business request.

    • Upon approval, an OTP will be sent to the email or phone number you provided.

    • Follow the instructions to complete the login assistance process.

Login Assistance by Resetting MFA

If your MFA isn't functioning properly:

  1. The system locates the email and phone numbers registered for your account and sends a One-Time Password (OTP).

  2. If you have received the OTP, select Yes and then enter your passcode.

    Note: If you don’t receive the OTP, click No to trigger the Login Assistance by Requesting Identity Validation flow to help you log in.

  3. After OTP verification, you will receive a warning indicating that your existing MFA registrations will be deleted. Click Yes to continue.

  4. On the next screen, you will receive instructions to:

    • Open a browser in incognito mode.

    • Navigate to My Apps.

    • Register a new MFA for your account.

  5. Register your new MFA and attempt to log in again.