Identity Verification in ADSelfService Plus

ADSelfService Plus is a secure, web-based, end user password reset management program. With ADSelfService Plus, end users can perform various simple yet important tasks like: Password reset, Account Unlock, Self-update and much more, without any assistance from helpdesk personnel.

Need for Identity Verification

Allowing end users to reset their password or unlock their account carries a certain amount of risk, as it increases the possibility of an attack from a malicious user. To ensure that only the intended users are allowed access to the self-service password reset/account unlock application, users need to prove their identity. An attacker can gain access to user accounts if strong identity verification procedures are not deployed.

Identity Verification via SMS/E-mail based Two-factor Authentication

ADSelfService Plus provides enhanced security when end users perform Password Reset/Account Unlock through two-factor authentication, a system that makes it much harder for hackers to capture valid credentials of a user account. The two factors are:

  • Security Q&A - Knowledge factor (Something only the user knows)
  • SMS/E-mail Verification Codes - Possession factor (Something only the user has)

To prove his identity, a user has to enter the correct verification code that he received through SMS/e-mail and/or answer the set of predefined Security Questions. Only after establishing his identity will the user be able to reset his password or unlock his account.

Identity Verification via Two-factor Authentication: How It Works

Identity verification process in ADSelfService Plus

Basic Security Checks:

The Identity Verification process starts when the user accesses the ADSelfService Plus application and clicks on the Reset Password or Unlock Account link. The user is asked to enter his username and select the domain he belongs to. The ADSelfService Plus server then performs a series of security checks in the background that establish the user's identity.

  • Domain Affiliation Check - Checks whether the user is affiliated to a domain.
  • Policy Settings Check - Checks whether the user has permission to Reset Password/Unlock Account through ADSelfService Plus. ADSelfService Plus policies can be configured in such a way that only certain necessary features are made available to the end-user. This ensures that only those users who are deemed eligible for Password Reset/Account Unlock by the ADSelfService Plus administrator are allowed to do so.
  • Enrollment Status Check - Checks whether the user has enrolled with ADSelfService Plus by answering the Security Questions and/or by updating his Mobile Number/E-mail id. Only enrolled users are allowed to Reset Password/Unlock Account.
  • Blocked Users Check - Checks whether the user account has been blocked by the ADSelfService Plus server. Users who fail to enter the correct Verification Code and/or Answer(s) to the Security Question(s) will be blocked by the application after a certain number of attempts, as set by the ADSelfService Plus administrator. This ensures security from various attacks like 'Bot-based attacks', 'Denial-of-service attacks', etc.

Two-factor Authentication:

SMS/E-mail based Verification Code Check

Once the initial security checks have completed successfully, the user is allowed to proceed to the next step, in which he chooses either his Mobile Number or E-mail id to receive the verification code. The ADSelfService Plus server sends a one-time verification code via SMS/E-mail based on the user's choice. Once the user enters the correct verification code, he is allowed to proceed further.

If the user fails to produce the correct verification code 'x' number of times, the user will be blocked from using the ADSelfService Plus Reset Password/Unlock Account feature for a specific period of time. ADSelfService Plus administrators can define the threshold for unsuccessful attempts and also the lockout period.

Security Q & A Check

To add more muscle to the Identity Verification process, ADSelfService Plus also incorporates Security Questions and Answers to successfully establish a user's identity. A user enrolls with ADSelfService Plus by answering a series of Security Questions. The answers are stored securely using encrypted formats in the ADSelfService Plus database. During the Identity Verification process, the user is asked the same set of Security Questions that he answered in the enrollment phase. The answers provided by the user are compared with the answers stored in the ADSelfService Plus database. When all the Security Questions are answered correctly, the user is allowed to reset his password/unlock his account.

If the user provides incorrect answer(s) to the Security Question(s) 'x' number of times, the user will be blocked for a specific period of time just like in the previous step.
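The block-after-'x'-failures behaviour described for both the verification code and the Security Q&A steps can be modelled as follows. This is an added example, not ADSelfService Plus code: the class and parameter names are hypothetical, and the code expiry (`code_ttl`) is an assumption the page does not state.

```python
import hashlib
import hmac
import secrets


class ResetVerifier:
    """Illustrative model of the verification-code step (hypothetical names)."""

    def __init__(self, max_attempts=3, lockout_seconds=900, code_ttl=300):
        # max_attempts / lockout_seconds model the administrator-defined
        # threshold and lockout period; code_ttl is an added assumption.
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.code_ttl = code_ttl
        self._pending = {}        # user -> (sha256 of code, expiry time)
        self._failures = {}       # user -> consecutive failed attempts
        self._blocked_until = {}  # user -> time at which the block ends

    def is_blocked(self, user, now):
        return now < self._blocked_until.get(user, 0.0)

    def issue_code(self, user, now):
        """Create a 6-digit one-time code; the caller delivers it by SMS/e-mail."""
        if self.is_blocked(user, now):
            raise PermissionError("user is blocked")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, now + self.code_ttl)
        return code

    def verify(self, user, submitted, now):
        """Return 'ok', 'invalid' or 'blocked' for one submission."""
        if self.is_blocked(user, now):
            return "blocked"
        digest, expires = self._pending.get(user, (b"", 0.0))
        candidate = hashlib.sha256(submitted.encode()).digest()
        # Constant-time comparison; a missing or expired code never matches.
        if now <= expires and hmac.compare_digest(digest, candidate):
            self._pending.pop(user)        # one-time: the code cannot be replayed
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._blocked_until[user] = now + self.lockout_seconds
            self._pending.pop(user, None)  # outstanding code dies with the block
            self._failures.pop(user, None)
            return "blocked"
        return "invalid"
```

Discarding the outstanding code when the block starts means that a correct code submitted after the lockout period is still rejected until a new one is issued.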

E-mail Notification upon Password Self-Service:

The user receives an e-mail notification from the ADSelfService Plus server about the Reset Password/Account Unlock event, if it has been enabled by the ADSelfService Plus administrator. The e-mail notification acts as an alert in case of an unauthorized Reset Password/Unlock Account event and allows the user to react and prevent further damage.

Benefits

  • Added layer of security - Due to the growth of technology, especially Social Media, it is easy to gain access to a user's personal information. Since Security Questions are usually based on the user's personal information, guessing answers to such questions becomes that much easier. By adding a verification code to the identity verification process, the security of the Reset Password/Unlock Account process is enhanced.
  • User Friendly - Users have complete and easy access to their e-mail and mobile phone almost all the time. So, receiving a verification code through these two mediums is easy.
  • Power to the Administrator - Administrators have complete control over whether to use either one of the authentication modes or both for added security.

Other features

Self Reset Password

Free Active Directory users from attending lengthy help desk calls by letting them self-service the password reset task. Password reset is just a click away with ADSelfService Plus!

Self Unlock Account

Free Active Directory users from lengthy help desk calls with ADSelfService Plus's self-account unlock option. Unlocking an account with ADSelfService Plus is child's play!

Password/Account Expiry Notification

Notify Active Directory users of their impending password/account expiry by mailing them password/account expiry notifications.

Corporate Directory Search

A quick search facility that enables Active Directory users to look up information about peers by using search keys like phone no., e-mail id, or first/last name of the person being searched.

Automatic Password Reset/ Account Unlock

Free Active Directory users from having to remember account/password expiry with the 'automatic password reset/account unlock' feature, which automates the password reset/account unlock task for users.
