Authenticate with Defender
You can use this activity to configure Password Manager to use Defender to authenticate users.
Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTP) generated by special hardware or software tokens. Even if an attacker captures the password, there will be no security violation, since the password is valid only for one-time-use and can never be re-used.
You can use the Defender authentication to authenticate users before resetting their passwords or unlocking their Q&A profiles.
Before configuring the settings in this activity, install and configure Defender as described in the Defender documentation.
|IMPORTANT: To make Password Manager use the Defender authentication, you must install the Defender Client SDK on the server on which Password Manager Service is installed.
This activity has the following settings:
- Defender Server (IP address or DNS name). Specify Defender Server IP address or DNS name.
- Port number. Type the port number that the Defender Access Node uses to establish a connection with the Defender Server.
- Server timeout. Specify Defender Server time-out (in minutes).
- Defender shared secret. Provide the secret that the Defender Access Node will share when it attempts to establish a connection with the Defender Server.
Authenticate with RADIUS Two-Factor Authentication
Use this activity to configure Password Manager to use a RADIUS server for two-factor authentication.
It uses one-time passwords (OTP) generated by hardware or software tokens for authentication.
You can use RADIUS Two-Factor Authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.
Before using RADIUS Two-Factor Authentication for authentication, users have to configure it in General Settings tab on the home page of the Administration site. For more information, see RADIUS Two-Factor Authentication .
This section describes activities that provide core actions of the helpdesk workflows, such as Reset password in AD LDS, Unlock account, etc.
Reset Password in AD LDS
Reset Password in AD LDS
This is a core activity of the Reset Password workflow. The activity allows helpdesk operators to reset user passwords in AD LDS instances only. If you want to enable helpdesk operators to reset passwords in several systems, configure the Reset password in AD LDS and connected systems activity. For more information on configuring this activity and using One Identity Quick Connect Sync Engine, see Reset Password in AD LDS and Connected Systems.
In this activity you can configure the Enforce password history option. Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.
Before selecting this option, you should consider the following by-design behavior of Password Manager when that the Enforce password history option is enabled:
- Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, then Password Manager checks only the last five passwords. Therefore, it is advised that you double the password history value.
- Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.