Managing Passwords for Mobile Users © 2014 Hitachi ID Systems, Inc. All rights reserved.


Knowledge workers are increasingly mobile, and frequently have to connect to internal I.T. resources from outside the enterprise network. Mobile users must manage passwords both on their own notebook computers and on networked systems. Managing passwords for mobile users is more challenging than managing passwords for network-attached users. Unique technical problems include managing local passwords on thousands of devices, coping with cached credentials and supporting mobile users who forgot their initial sign-on password. This document describes how Hitachi ID Password Manager addresses the technical challenges of managing passwords for mobile users.

Contents

1 Confidentiality
2 Introduction
3 Making Routine Changes to Local Passwords
  3.1 The Problem
  3.2 Solutions
4 When Users Forget Their Initial Password
  4.1 The Problem
  4.2 The Solution for Network-attached Users
  4.3 Solutions for Mobile Users
5 When Users Forget Their Remote-access Password
  5.1 The Problem
  5.2 Solutions
6 Conclusions
7 References
  7.1 Setting Up Roaming Profiles
  7.2 IVR Vendors and Systems
  7.3 Authenticating Remote Users with Hardware Tokens
  7.4 Self-Service from the Login Prompt

1 Confidentiality

This document describes key technology developed by Hitachi ID Systems to support customer requirements for an enterprise-class, high-availability, high-throughput password synchronization system. This technology is proprietary, and the design considerations described herein are not widely understood in the password management, and in particular in the password reset, market segment. Moreover, patent applications have been filed regarding some of the technology described herein.

This document is made available to current and prospective Hitachi ID Systems customers to help them understand how best to select and deploy an effective password synchronization system. In an effort to maintain Hitachi ID Systems' technological lead in the password management market segment, the reader is asked to refrain from discussing the detailed design objectives and solutions herein with other vendors of provisioning, identity management or password management technologies. Please keep this document confidential.

2 Introduction
The remainder of this document is organized into sections that describe challenges specific to managing passwords for mobile users, and how Password Manager addresses each problem.

- Managing local passwords: managing local passwords using a network-attached password management system.
- When users forget their initial password: providing self-service assistance to users who forget their initial password, including both network-attached and off-line users.
- When users forget their remote-access password: providing self-service assistance to off-site users who forgot or disabled the password they use to connect to the network.
- Conclusions: a summary of the challenges of password management for mobile users, and of Password Manager solutions.
- References: relevant reference material on the Internet.

3 Making Routine Changes to Local Passwords

3.1 The Problem

Users with fixed PCs in a networked environment typically log into their workstations with a login ID and password that are actually validated by a network operating system, such as Windows Active Directory or Novell NetWare NDS / eDirectory. This is convenient, because a networked password management system does not have to directly interact with user IDs or passwords stored on individual PCs. Instead, it simply manipulates passwords on the network operating system or directory.

In contrast, mobile users must be able to sign into their workstations even when they are not connected to the network. That means that they must either be able to log into their workstation without a password, or else their login ID and password must be physically stored on their own computer.

User IDs and passwords that are managed locally on a workstation may either be local to that computer, or else they may be cached copies of credentials that are normally maintained on a network operating system or directory (Active Directory, eDirectory, etc.).

In either case, a central, networked password management system must be able to update passwords stored on individual computers. This implies either sophisticated technology to reach back to workstations, or software that is installed on each and every mobile computer.

3.2 Solutions

In most corporate environments, users sign into disconnected workstations with cached network credentials. In this case, the problem of managing local passwords is somewhat reduced, as users are normally prohibited from changing their passwords while off-line. Note that the reverse direction still needs care: a password changed centrally while the laptop is off-line is not reflected in the cache until the workstation next authenticates to the domain, so until then the user keeps signing in with the old password.

If mobile users log into their workstations with a local ID, rather than a cached copy of a network ID, then Hitachi ID Password Manager can use an ActiveX component to reset local passwords. This component is only available for web-based, self-service password updates (both routine changes and resets due to a forgotten password). Since an interactive web browser session is required, this method is not suitable for use with transparent password synchronization, for assisted password resets, or for telephony-based password resets, none of which involve a web browser session on the user's workstation.

The component is inserted into the password reset results page. It is downloaded by the user's web browser (note: only Internet Explorer supports ActiveX components), and executes locally on the user's workstation. To run, it may either use a network administrator account with local privileges on each workstation, or else a local administrative account must be configured on each workstation and be available for this component. Of the two, the per-workstation local account is the safer choice: a single network account with administrative rights on every workstation is a high-value target if the component or the page that carries it is ever compromised.

An installation program is available with Password Manager to create a local administrator account on each workstation, and to set its password to a random value. This program can be used in conjunction with a software distribution system like SMS to create a suitable account on every workstation where it may be required. The random password must be generated per workstation rather than shared across the fleet; otherwise recovering it from one lost laptop yields local administrator access to every other.
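The cached-credential behaviour described in 3.1 and 3.2, and the "re-authenticate to the domain over a temporary VPN" step that Section 4.3 uses to refresh the cache, can be seen in a small model. The following is an added example written for this edition of the page, not Hitachi ID's code: it assumes a salted PBKDF2-HMAC-SHA256 verifier in place of the real Windows cache format, and the single user "alice" with her two passwords is constructed for illustration.

```python
# Added example (not Hitachi ID's code): a model of the cached-credential
# problem from Sections 3.1 and 4.3. The directory holds the authoritative
# verifier; each laptop caches a verifier of the last password that logged
# on while connected. A reset made centrally while the laptop is off-line
# leaves that cache stale until the laptop next authenticates to the domain
# with the new password (the "re-authenticate over a temporary VPN" step).
# The verifier format (salted PBKDF2-HMAC-SHA256) is an assumption for this
# example; Windows stores its own format (DCC2 / "MSCache2").
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

ITERATIONS = 50_000   # assumed work factor


def make_verifier(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return 16-byte salt || 32-byte PBKDF2 key for the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_verifier(password: str, verifier: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = verifier[:16], verifier[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, key)


class Domain:
    """The network directory (Active Directory in the paper's terms)."""

    def __init__(self) -> None:
        self._verifiers: Dict[str, bytes] = {}

    def set_password(self, user: str, password: str) -> None:
        # What a central password manager does on a reset: the directory
        # changes immediately, but no laptop learns about it.
        self._verifiers[user] = make_verifier(password)

    def authenticate(self, user: str, password: str) -> bool:
        v = self._verifiers.get(user)
        return v is not None and check_verifier(password, v)


@dataclass
class Laptop:
    """A mobile workstation that keeps a cached domain logon."""
    domain: Domain
    connected: bool = False
    cache: Dict[str, bytes] = field(default_factory=dict)

    def logon(self, user: str, password: str) -> str:
        """Return 'domain', 'cached' or 'denied'."""
        if self.connected:
            if self.domain.authenticate(user, password):
                # A successful online logon refreshes the cached verifier.
                self.cache[user] = make_verifier(password)
                return "domain"
            return "denied"
        v = self.cache.get(user)
        return "cached" if v is not None and check_verifier(password, v) else "denied"


def walkthrough() -> Dict[str, str]:
    """The off-line reset scenario of Section 4.3, as a dict of outcomes."""
    dom = Domain()
    dom.set_password("alice", "Winter-2014!")
    pc = Laptop(dom, connected=True)
    r: Dict[str, str] = {}
    r["office_logon"] = pc.logon("alice", "Winter-2014!")        # populates cache
    pc.connected = False                                         # at the airport
    dom.set_password("alice", "Spring-2014!")                    # reset via IVR/portal
    r["offline_new_pw"] = pc.logon("alice", "Spring-2014!")      # cache is stale
    r["offline_old_pw"] = pc.logon("alice", "Winter-2014!")      # old one still works
    pc.connected = True                                          # temporary VPN
    r["vpn_new_pw"] = pc.logon("alice", "Spring-2014!")          # refreshes cache
    pc.connected = False
    r["offline_new_pw_synced"] = pc.logon("alice", "Spring-2014!")
    r["offline_old_pw_synced"] = pc.logon("alice", "Winter-2014!")
    return r


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:24s} {outcome}")
```

Running it shows the two consequences that matter in practice: the new password does not work off-line until the laptop has authenticated to the domain once, and the old password keeps working off-line until then. The second point is the caveat a practitioner should keep in mind: a reset made because a password was exposed does not revoke it on a disconnected laptop until the cache is refreshed.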
4 When Users Forget Their Initial Password

4.1 The Problem

When users forget a password or accidentally trigger an intruder lockout, their problem is frequently with their initial login. This presents some special problems:

- Self-service solutions are generally web based, and this is true of password reset systems as well. Users who need to access a self-service system for password reset therefore need access to a web browser.
- If their problem is with their initial login, then they don't yet have access to their own desktop, and so can't launch a web browser.
- As a result, users who forget their own password cannot, without special measures, easily take advantage of a self-service solution.

The above problems are true of connected office workers as well as mobile users. For mobile users, a self-service password reset system has extra challenges:

- The self-service system must be accessible from the login prompt of workstations that are not yet network attached. This requires a client software footprint.
- The self-service client software must establish a network connection to the server component without much user input.
- The self-service system must be able to reset local passwords, as described in Section 3.

4.2 The Solution for Network-attached Users

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer and open a web browser, but cannot open a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below.

Option 1. Do nothing: users continue to call the help desk.
  Pros: Inexpensive, nothing to deploy.
  Cons: The help desk continues to field a high password reset call volume. No solution for local passwords or mobile users.

Option 2. Ask a neighbor: use someone else's web browser to access self-service password reset.
  Pros: Inexpensive, no client software to deploy.
  Cons: Users may be working alone or at odd hours. No solution for local passwords or mobile users. Wastes time for two users, rather than one. May violate a security policy in some organizations.

Option 3. Secure kiosk account (SKA): sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.
  Pros: Simple, inexpensive deployment, with no client software component. Users can reset both local and network passwords.
  Cons: Introduces a generic account on the network, which may violate policy, no matter how well it is locked down. One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset. Does not help mobile users.

Option 4. Personalized SKA: same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's help account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
  Pros: Eliminates the guest account on the domain, which does not have a password.
  Cons: Requires creation of thousands of additional domain accounts. Requires ongoing creation and deletion of domain accounts. These new accounts are special: their passwords do not expire and would likely not meet strength rules. An SSN and date of birth are also not secrets (they are held by employers, banks and often family members), so such a password is guessable by anyone who knows the user.

Option 5. Local SKA: same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.
  Pros: Eliminates the guest account on the domain. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  Cons: Requires a small footprint on each computer (the local "help" account).

Option 6. Telephone password reset: users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics, and select a new password.
  Pros: Simple deployment of centralized infrastructure. No client software impact. May leverage an existing IVR (interactive voice response) system. Helpful for remote users who need assistance connecting to the corporate VPN.
  Cons: New physical infrastructure is usually required. Users generally don't like to talk to a machine, so adoption rates are lower than with a web portal. Does not help mobile users who forgot their cached domain password. Does not help unlock PINs on smart cards.

Option 8. Physical kiosks: deploy physical Intranet kiosks at each office location.
  Pros: Eliminates generic or guest accounts. May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
  Cons: Costly to deploy hardware at many locations. Does not help mobile users who forgot their cached domain password. Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9. GINA DLL (Windows XP): install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Server.
  Cons: Requires intrusive software to be installed on every computer. A broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick" the PC).

Option 10. GINA Extension Service: similar to the GINA DLL, but uses a service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). More robust, fault-tolerant installation process than the GINA DLL.
  Cons: Requires software to be installed on every computer. Does not work on Citrix Presentation Server or Windows Terminal Server; only works on personal computers.

Option 11. Credential Provider: the equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Server. More robust infrastructure than GINA DLLs on Windows XP.
  Cons: Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

4.3 Solutions for Mobile Users

When users are off-site and not connected to the corporate network, they can use a telephony solution (IVR) to reset a VPN password. This does not resolve problems users may encounter with their local workstation passwords or with cached domain passwords.

An LSKA (local secure kiosk account), GINA extension service or credential provider is available to assist mobile, off-site users who have forgotten the password they use to sign into their own workstation. These solutions establish a temporary network connection, launch a locked-down web browser and enable the user to authenticate to Hitachi ID Password Manager with something other than their domain or VPN password. Once authenticated, the user can reset their password(s) both on network services and locally on their workstation (via ActiveX).

Password Manager software installed on a user's Windows laptop enables password reset while away from the office, as follows:

- The user's PC is not physically attached to any network; the user may be at an airport, coffee shop, etc.
- The user is faced with a login screen to which he does not know the password. The user's (forgotten) AD password is cached on the PC, to allow logins while away from the corporate network.
- If the LSKA is deployed, the user signs into his workstation with the user name "help" and no password. If the GINA (Graphical Identification and Authentication library) extension service or Credential Provider is deployed, the user presses a button on the Windows login screen with a label such as "I forgot my password".
- The Password Manager client software service is started and detects (a) that there is no physical network connection but also (b) that the PC has a wireless network adapter.
- Password Manager scans for available WiFi hot-spots and asks the user to select one. They are ordered by signal strength, so the user normally chooses the first one (nearest AP; often public).
- The user's web browser is launched and the user may have to register, pay or accept the terms of use of the network provider.
- Once the user's PC is on the Internet, Password Manager will launch a temporary VPN connection to the corporate network. The hot-spot is untrusted, so nothing other than the provider's sign-on page should be reached outside the tunnel; the reset portal itself must only be reached through the VPN.
- Password Manager will launch a kiosk-mode web browser to the password reset web portal. Since the browser is in kiosk mode, the user cannot navigate to any other URL.
- The user will perform a password reset in this web browser session. This will include self-identification, some form of non-password authentication (e.g., CAPTCHA + security questions + mobile phone SMS PIN) and selection of a new password.
- Password Manager will use an ActiveX control to re-authenticate the user's PC to the domain, over the VPN. This has the desirable side-effect of updating the cached password on the user's PC.
- The user closes the kiosk-mode web browser. This also disconnects the VPN and terminates the WiFi session.
- The user is able to sign into his PC with his new password, which has been applied both at work and to the local cache.

Please note that the WiFi elements in the above sequence are optional. The user may be at work, or at home with a wired Internet connection, or using an AirCard (cell modem), or in a hotel with a wired connection. All of these alternatives also work essentially as described above.

The net effect is that a solution can be deployed as follows:

- A lightweight software package is deployed to every notebook computer (i.e., a small package that does not necessarily alter the GINA).
- Users who forget their initial password can type "help" at the login prompt. This works when they are already attached to the corporate network, and also when they are off-site and physically attached to a phone line or broadband connection, but not yet signed onto the corporate network.
- Users may also be able to press a button in the GINA to request password assistance. This requires a somewhat more invasive client software package, but is also somewhat more user friendly.
- Once a user types "help", he may have to wait for the client component to sign onto the network.
- Once signed in, the user is presented with a kiosk-mode web interface to identify himself, authenticate, and reset passwords on both the network and his own PC. This part of the process is the same for both off-site and on-site users.

5 When Users Forget Their Remote-access Password

5.1 The Problem

Mobile users normally have to attach to the corporate network periodically.
This is normally done either with a dial-up session (RAS) or using a virtual private network over the Internet (VPN). When users make RAS or VPN connections, they have several authentication options, including:

- Typing a password.
- Using a saved password stored in the dialer on their PC.
- Using a PKI certificate stored on their PC.
- Using a hardware token.

If users must type their password, and if they forget that password or trigger intruder lockout, they should access a self-service password reset system to fix their problem, rather than calling the help desk. Token users who forget their PIN, or whose token clock drifts too far away from the authentication server's clock, have similar problems with authenticating to the network.

The problem here is that the user is not connected to the network, so it may be difficult to use a web-based solution.

5.2 Solutions

Hitachi ID Password Manager supports several solutions for users who have a problem with their remote-access password:

- Using an IVR system, a user can identify himself, authenticate and reset one or more passwords with just a telephone. Password Manager integrates with many IVR systems, including general-purpose ones that a customer may have, and specially-designed secure IVR systems that leverage biometric voice print verification or hardware token authentication. For existing IVR systems, Password Manager integrates by providing a secure, remote function call library that the call logic on the IVR server can use to authenticate users and reset their passwords. Integrated solutions for biometric caller authentication are available directly from Hitachi ID Systems or from vendors such as Vocent. Hitachi ID Telephone Password Manager, a single-purpose IVR system that can only perform password resets, is also available directly from Hitachi ID Systems.
- For Internet-attached users who must authenticate to a VPN, the Password Manager web interface can be exposed on a company's Extranet. This can be done by placing the Password Manager server in a DMZ, or by using a reverse web proxy to access it on the private network. With this setup, users can reset their own forgotten VPN passwords over the Internet, and then establish a VPN connection using the new password. Because such a portal is reachable by anyone on the Internet, it must throttle and lock out attempts per user identity and must not reveal whether a given ID is enrolled.
- Using client software and a dialer, as described in Subsection 4.3, workstations can be configured to dial in or connect with a VPN using stored, special-purpose credentials. Such a connection can be made available to users with a locally-defined kiosk account, where users who forgot their RAS password can type "help", authenticate, and reset their RAS password with a web browser. Since this stored credential is present on every laptop, the VPN profile it uses should be restricted to reaching the password reset portal and nothing else.

6 Conclusions

Both routine password management and self-service password resets present special technical challenges when applied to mobile users. These challenges include:

- Managing workstation passwords.
- Accessing a self-service password reset from disconnected workstations.
- Accessing a self-service password reset prior to establishing a working network connection.

Hitachi ID Password Manager includes technologies to address each of these problems:

- An ActiveX component to reset local passwords.
- A workstation-installed secure kiosk account, that can activate a dialer or VPN client prior to presenting a user interface.
- Integration with IVR systems and Extranets to reset RAS and VPN passwords.

While it is more difficult to set up effective password management for mobile users than for network-attached users, the payoff is higher. This is because problems experienced by mobile users are more difficult and costly to solve with traditional assisted-service methods.
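The identification and non-password authentication step that both the kiosk-mode portal of Section 4.3 and the IVR path of Section 5.2 rely on before they will change a password, shown as an added example. This is not Hitachi ID's code and not its remote function call library; the question set, the lockout threshold of 3, the 6-digit SMS PIN, the password rule and the enrolled user are all assumptions constructed for illustration. It goes slightly beyond the text in one respect: failures are counted against the enrolled user rather than against a shared kiosk account, which is the fix for the denial-of-service concern listed against Option 3.

```python
# Added example (not Hitachi ID's code): the non-password authentication
# step that both the kiosk-mode portal (Section 4.3) and the IVR path
# (Section 5.2) need before they will change a password. Numeric ID,
# security-question answers, then a one-time PIN sent out of band.
# Question set, lockout threshold, PIN length and password rule are all
# assumptions for this example.
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ITERATIONS = 50_000
MAX_FAILURES = 3      # assumed: lock the enrolment, not a shared kiosk account
PIN_DIGITS = 6        # assumed SMS PIN length


def _normalise(answer: str) -> str:
    # "Calgary", " calgary " and "CALGARY" must all match; touch-tone and
    # typed input are squashed the same way before hashing.
    return re.sub(r"\s+", "", answer).lower()


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


@dataclass
class Enrolment:
    phone: str
    answers: Dict[str, bytes] = field(default_factory=dict)  # question -> salt||hash
    failures: int = 0
    pending_pin: Optional[str] = None


class ResetService:
    def __init__(self, send_sms: Callable[[str, str], None]) -> None:
        self._users: Dict[str, Enrolment] = {}
        self._send_sms = send_sms   # out-of-band channel, injected so it can be faked

    def enrol(self, user_id: str, phone: str, qa: Dict[str, str]) -> None:
        """Done while the user is logged in normally; answers are never stored in clear."""
        e = Enrolment(phone)
        for q, a in qa.items():
            salt = os.urandom(16)
            e.answers[q] = salt + _hash(_normalise(a), salt)
        self._users[user_id] = e

    def verify_answers(self, user_id: str, given: Dict[str, str]) -> bool:
        """Step 1: identify and prove knowledge of every enrolled answer."""
        e = self._users.get(user_id)
        if e is None or e.failures >= MAX_FAILURES:
            return False        # unknown ID and locked ID look the same to the caller
        ok = True
        for q, stored in e.answers.items():   # check all answers, no early exit
            salt, digest = stored[:16], stored[16:]
            ok &= hmac.compare_digest(_hash(_normalise(given.get(q, "")), salt), digest)
        if not ok:
            e.failures += 1     # counted against this user only
            return False
        e.failures = 0
        e.pending_pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._send_sms(e.phone, e.pending_pin)
        return True

    def verify_pin(self, user_id: str, pin: str) -> bool:
        """Step 2: the PIN is single use, whether or not it matched."""
        e = self._users.get(user_id)
        if e is None or e.pending_pin is None:
            return False
        ok = hmac.compare_digest(e.pending_pin.encode(), pin.encode())
        e.pending_pin = None
        if not ok:
            e.failures += 1
        return ok

    def is_locked(self, user_id: str) -> bool:
        e = self._users.get(user_id)
        return e is not None and e.failures >= MAX_FAILURES


def password_meets_policy(pw: str) -> bool:
    """Assumed rule for the new password: 12+ chars, upper, lower, digit, no 3-char runs."""
    classes = (r"[A-Z]", r"[a-z]", r"\d")
    if len(pw) < 12 or not all(re.search(c, pw) for c in classes):
        return False
    return not any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))
```

Two design points are worth noting. Every enrolled answer is checked before a result is reported, so a wrong attempt does not reveal which answer was wrong, and the stored form is a salted slow hash, so a copy of the enrolment table does not yield the answers. The same ResetService would sit behind the IVR's remote function calls and behind the web portal, so the lockout state is shared across both channels.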
7 References

7.1 Setting Up Roaming Profiles

Guide to Windows NT policies and profiles, which makes mention throughout of roaming profiles:
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q161334

Creating roaming profiles for various Windows operating system versions:
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q142682

Novell NetWare's ZenWorks can be configured to create volatile users on a workstation when a user signs onto it with an ID that exists on the NDS tree but not locally. These are normally deleted at the end of a login session. The NetWare client can be configured to create non-volatile users, which persist for a finite number of days beyond the initial network login session and are available for off-line use. Since non-volatile users are local to the workstation, users can change these passwords while off-line. The changed password is not automatically synchronized to the network password on the next connected login session.

To find out more about local user accounts created by a NetWare client, please refer to:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10062222.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2927129.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2928061.htm

7.2 IVR Vendors and Systems

General purpose:
- Avaya / Lucent: http://www1.avaya.com/enterprise/who/docs/ivr/
- InterVoice-Brite: http://www.intervoicebrite.com/
- Apropos: http://www.apropos.com/

With biometric authentication:
- Vocent: http://www.vocent.com/
- Nuance: http://www.nuance.com/

Special-purpose password reset IVR system:
- Hitachi ID Telephone Password Manager, using either touch-tone caller authentication or biometric voice print verification: http://Hitachi-ID.com/products/addons/idtelephony.html

7.3 Authenticating Remote Users with Hardware Tokens

- RSA / SecurID: http://www.rsasecurity.com/products/securid/
- Secure Computing / SafeWord: http://www.securecomputing.com/index.cfm?sKey=688

7.4 Self-Service from the Login Prompt

- Replacing the GINA: http://www.microsoft.com/WINDOWS2000/techinfo/administration/security/msgina.asp
- Using a secure kiosk account: http://Hitachi-ID.com/Password-Manager/technology/arch-login.html

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
File: /pub/wp/psynch/documents/mobile_users/mobile_users_4.tex
Date: February 20, 2006