I have enabled the passphrase security system. What happens if a user forgets their passphrase answer?

  • 7940113
  • 19-Aug-2009
  • 22-Feb-2016

Environment

SecureLogin
SecureLogin SSO
All Versions
MS AD, LDAP, NT4, Citrix, Terminal Services

Situation

An organization using SecureLogin deployed it with user-defined passphrases enabled. A user went on vacation and forgot their network password. When they returned to work, they rang the Helpdesk to get their ADS/network password reset.

When they logged onto the network with the new password (reset by the ADS administrator) they were prompted to enter their SecureLogin passphrase as expected (to protect the user from administrators changing their ADS password and accessing their SecureLogin secrets).

However, the user had also forgotten their passphrase answer, so SecureLogin would not load. Helpdesk staff advised the user to try different variations of the passphrase, as it is case sensitive, but they could not remember the answer.

Resolution

To clear SecureLogin data select "delete single sign on configuration for this data store object" on the "advanced" tab of your SecureLogin directory administration tool.

When the user restarts SecureLogin, they will be prompted to enter a new passphrase just like they are a new SecureLogin user.

Note: The passphrase is case sensitive and many users don’t remember this fact. You can apply a password policy to a passphrase (using the MMC snap-ins) that forces the passphrase to contain exactly one uppercase character, which must be the first letter. This means you can be sure of the case of the passphrase when talking the user through passphrase-related issues.

Be aware that setting such a policy limits the types of answers a user can enter; for example, a car registration may start with a number. When all is said and done, user education and IT guidelines/documentation are crucial.
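The following is an added illustration, not part of this article or of SecureLogin itself: a small model of the passphrase policy described in the note (exactly one uppercase character, which must be the first letter). It shows which kinds of answers the policy rejects, including the car-registration case, and how the policy lets Helpdesk derive the one casing an answer can have from the words a user remembers. The function names are hypothetical.

```python
from typing import List, Optional

# Constructed model of the policy rules from the note above; this is not
# SecureLogin's own policy engine.

def policy_violations(answer: str) -> List[str]:
    """Return the reasons `answer` fails the policy; an empty list means it passes."""
    if not answer:
        return ["answer is empty"]
    problems = []
    if not answer[0].isupper():
        problems.append("first character must be uppercase")
    uppercase_count = sum(1 for c in answer if c.isupper())
    if uppercase_count != 1:
        problems.append(
            f"exactly one uppercase character required, found {uppercase_count}"
        )
    return problems


def helpdesk_casing(remembered: str) -> Optional[str]:
    """Given the words a user remembers, in any casing, return the only casing
    the policy allows (first letter uppercase, everything else lowercase).

    Returns None when no compliant casing exists, e.g. the answer starts with
    a digit, which is exactly the car-registration case the note warns about.
    """
    if not remembered or not remembered[0].isalpha():
        return None
    return remembered[0].upper() + remembered[1:].lower()


if __name__ == "__main__":
    # Constructed sample answers: a movie title, an all-lowercase variant,
    # and a registration plate that starts with a number.
    for sample in ("Blade runner", "blade runner", "1ABC234"):
        print(repr(sample), "->", policy_violations(sample) or "OK")
    print(helpdesk_casing("BLADE RUNNER"))  # the single casing Helpdesk can tell the user
```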

Additional Information

Root Cause

Passphrase questions were not predefined, so the user had entered their own question: "What movie did I watch last night?". They had not had their ADS password reset previously, so they had never been prompted to enter their passphrase answer before. Obviously the answer to this question could be almost anything. Such passphrase questions are difficult to answer unless the user remembers the movie they watched the day before they created their passphrase (to avoid this issue, ActivIdentity Professional Services recommend predefining the list of questions if enabling the passphrase answer).

In the event a user forgets their passphrase answer their SecureLogin data, including their passphrase, will need to be cleared by an administrator. When the passphrase is cleared, all of their SecureLogin secrets, including application usernames and passwords, are lost. The next time SecureLogin starts, it will detect a passphrase has not been set, and will re-prompt the user to enter a new passphrase question and answer combination before continuing.

Once the user has set a new passphrase, due to the secure nature of SecureLogin, they will have to re-enter their application usernames and passwords. If this were not the case, an unauthorized user could breach security by simply clearing your passphrase, entering a new one and accessing your secrets. Application administrators may have to reset the user’s application passwords, as the user will probably have forgotten them.