User Identity Verification in ADSelfService Plus
ADSelfService Plus is a secure, web-based, end-user password reset management program. With ADSelfService Plus, end users can perform simple but important tasks such as password reset, account unlock and self-update without any assistance from help desk personnel.
Need for Identity Verification
Allowing end users to reset their own passwords or unlock their own accounts carries risk: a self-service endpoint is also a target for a malicious user. To ensure that only the intended users can use the self-service password reset/account unlock application, users must prove their identity. Without strong identity verification, an attacker can gain access to user accounts.
Identity Verification via SMS/E-mail based Two-factor Authentication
ADSelfService Plus protects Windows Active Directory password reset/account unlock with two-factor authentication, which makes it much harder for hackers to use captured credentials of a user account. The two factors are a one-time verification code delivered by SMS or e-mail and a set of predefined Security Questions.
To prove his identity, a user has to enter the correct verification code received through SMS/e-mail and/or answer the set of predefined Security Questions. Only after establishing his identity can the user reset his password or unlock his account.
Identity Verification via Two-factor Authentication: How It Works
Basic Security Checks:
The Identity Verification process starts when the user accesses the ADSelfService Plus application and clicks the Reset Password or Unlock Account link. The user is asked to enter his username and select the domain he belongs to. The ADSelfService Plus server then performs a series of security checks in the background to establish the user's identity.
SMS/E-mail based Verification Code Check
Once the initial security checks have completed successfully, the user proceeds to the next step, in which he chooses either his Mobile Number or E-mail id to receive the verification code. The ADSelfService Plus server sends a one-time verification code via SMS or e-mail according to the user's choice. Once the user enters the correct verification code, he is allowed to proceed further.
If the user fails to produce the correct verification code 'x' times, the user is blocked from using the ADSelfService Plus Reset Password/Unlock Account feature for a specific period of time. ADSelfService Plus administrators define both the threshold for unsuccessful attempts and the lockout period.
Security Q & A Check
To further strengthen the Identity Verification process, ADSelfService Plus also uses Security Questions and Answers to establish a user's identity. A user enrolls with ADSelfService Plus by answering a series of Security Questions; the answers are stored in encrypted form in the ADSelfService Plus database. During Identity Verification the user is asked the same set of Security Questions answered at enrollment, and the answers provided are compared with those stored in the ADSelfService Plus database. Only when all the Security Questions are answered correctly is the user allowed to reset his password/unlock his account.
If the user gives incorrect answers to the Security Questions 'x' times, the user is blocked for a specific period of time, just as in the previous step.
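As an added example (not ADSelfService Plus code), the two verification steps described above, the one-time code and the Security Q&A, modelled with the shared failure counter and temporary block that the text calls the 'x' attempts and lockout period. The six-digit code format, the salted PBKDF2 hashing of stored answers and the default threshold and lockout values are assumptions, since the text gives no specifics.

```python
import hashlib, hmac, secrets, time
class SelfServiceVerifier:
    """One-time code step, then security-answer step; x failures in either step block the user."""

    def __init__(self, max_failures=3, lockout_seconds=900, clock=time.time):
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self.failures, self.blocked_until = {}, {}  # user -> consecutive failures; user -> block expiry
        self.pending_otp, self.enrolled = {}, {}    # user -> (code, expiry); user -> {q: (salt, hash)}

    def is_blocked(self, user):
        return self.clock() < self.blocked_until.get(user, 0)

    def _outcome(self, user, ok):
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:  # the x-th consecutive failure starts the lockout
            self.blocked_until[user] = self.clock() + self.lockout_seconds
            self.failures[user] = 0
        return ok

    def issue_otp(self, user, ttl=300):
        code = f"{secrets.randbelow(10 ** 6):06d}"  # six digits from a CSPRNG (assumed format)
        self.pending_otp[user] = (code, self.clock() + ttl)
        return code  # the product would deliver this by SMS/e-mail instead of returning it

    def verify_otp(self, user, submitted):
        if self.is_blocked(user):
            return False
        code, expiry = self.pending_otp.get(user, ("", 0))
        ok = bool(code) and self.clock() <= expiry and hmac.compare_digest(code.encode(), submitted.encode())
        if ok:
            del self.pending_otp[user]  # one-time: a used code cannot be replayed
        return self._outcome(user, ok)

    @staticmethod
    def _digest(answer, salt):
        norm = " ".join(answer.casefold().split())  # tolerate case and spacing differences
        return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

    def enroll(self, user, answers):  # salted slow hash is an assumption; the text only says "encrypted"
        salts = {q: secrets.token_bytes(16) for q in answers}
        self.enrolled[user] = {q: (salts[q], self._digest(a, salts[q])) for q, a in answers.items()}

    def verify_answers(self, user, answers):
        if self.is_blocked(user):
            return False
        stored = self.enrolled.get(user, {})  # every enrolled question must be answered correctly
        ok = bool(stored) and all(q in answers and hmac.compare_digest(self._digest(answers[q], s), h)
                                  for q, (s, h) in stored.items())
        return self._outcome(user, ok)
```

A blocked user is refused even with correct input until the lockout expires, and a successful step resets the counter, so the block only triggers on consecutive failures.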
E-mail Notification upon Password Self-Service:
If the ADSelfService Plus administrator has enabled it, the user receives an e-mail notification from the ADSelfService Plus server about the Reset Password/Account Unlock event. This notification acts as an alert in case of an unauthorized Reset Password/Unlock Account event and allows the user to react and prevent further damage.