What happens when users log in
When a user is at the Windows logon screen of a workstation and launches the Login Assistant, the runurl program is executed. If you are using the domain-level secure kiosk account, this program is typically run from a network share that every workstation can read (on the Bravura Pass server, or in each logon server's netlogon or sysvol share). If you are using a local secure kiosk account, the program is loaded from the local workstation. Because runurl runs at the logon screen, before any user has authenticated, only administrators should be able to modify the binary or the share it is served from: anyone who can replace it can run code on every workstation that launches it.
The runurl program locks down the workstation by intercepting certain input event types (keyboard and mouse) and starts a web browser in kiosk mode with the appropriate URL. Bravura Pass determines from the URL that the incoming request is for a secure kiosk account (SKA) and displays a special, locked-down skin. Users then authenticate to Bravura Pass using security questions or another configured authentication method and reset their forgotten password.
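As an added check (this script is not part of the Bravura Pass documentation or product), the following PowerShell inspects a deployed copy of runurl: it verifies the Authenticode signature, records the SHA-256 so replicas on each logon server can be compared against a known-good value, and lists every principal outside an allow-list that can modify, delete or re-ACL the binary or its directory. The share path, the placeholder domain and the allow-list of writers are assumptions for this example; adjust them to your deployment.

```powershell
# Added example, not part of the Bravura Pass documentation or product.
# Checks a runurl binary that Login Assistant executes from a share at the
# logon screen: is it signed, what is its hash, and who can replace it?

function Test-RunUrlDeployment {
    param(
        [Parameter(Mandatory)]
        [string]$RunUrlPath,

        # Principals allowed to hold write/delete/permission-change rights on the
        # binary and its directory. Assumed values; adjust to your domain.
        [string[]]$AllowedWriters = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'CREATOR OWNER'
        )
    )

    if (-not (Test-Path -LiteralPath $RunUrlPath -PathType Leaf)) {
        throw "runurl not found at $RunUrlPath"
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode signature: an unsigned or tampered binary must not be
    #    launched pre-authentication on every workstation.
    $sig = Get-AuthenticodeSignature -FilePath $RunUrlPath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)', expected 'Valid'")
    }

    # 2. SHA-256 of the file, to compare each netlogon/sysvol replica against the
    #    hash of the release you actually deployed.
    $hash = (Get-FileHash -LiteralPath $RunUrlPath -Algorithm SHA256).Hash

    # 3. ACLs on the file and its directory. Rights that let a principal change
    #    or swap the binary are a finding unless the principal is allow-listed.
    #    Read/execute rights (needed by every workstation) are not flagged.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    foreach ($target in @($RunUrlPath, (Split-Path -Parent $RunUrlPath))) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who    = $ace.IdentityReference.Value
            $rights = $ace.FileSystemRights

            # Generic rights (GENERIC_ALL etc.) render as a bare number and do not
            # map onto the mask above; surface them for manual review.
            if ($rights.ToString() -match '^-?\d+$') {
                $findings.Add("$target grants generic rights ($rights) to $who; review manually")
                continue
            }
            if ((($rights -band $writeMask) -ne 0) -and ($AllowedWriters -notcontains $who)) {
                $findings.Add("$target grants '$rights' to $who")
            }
        }
    }

    [pscustomobject]@{
        Path            = $RunUrlPath
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Findings        = $findings.ToArray()
        Passed          = ($findings.Count -eq 0)
    }
}

# Example invocation against an assumed share path (placeholder domain).
$result = Test-RunUrlDeployment -RunUrlPath '\\corp.example.com\NETLOGON\LoginAssistant\runurl.exe'
$result | Format-List
if (-not $result.Passed) { exit 1 }
```

Run it from an administrative workstation against each logon server's replica of the share. A hash that differs between replicas, a signature status other than Valid, or any entry in Findings is worth resolving before the next workstation boots and pulls that copy.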
When the Login Assistant is launched, the login ID of the domain user who is logged in to, or attempting to log in to, Windows is automatically passed to the URL so that the user does not need to retype it in the Login Assistant. The login ID is passed to the URL when any of the following occurs:
The user changes their password by pressing Ctrl+Alt+Del and then clicking Change a Password.
The workstation is locked and the user enters an invalid password to log back in to Windows, then clicks OK to change the password using Bravura Pass.
The user attempts to log in to an account that is locked out, then clicks OK to unlock the account using Bravura Pass.
The domain user's password is about to expire or has already expired, the user enters the correct password to log in to Windows, and then clicks OK to change the password.
Note
The soon-to-expire, expired, account-locked and password-change cases are not supported by the Credential Provider.
Best practice
Access to self-service password reset should be available at the workstation logon screen, which means deploying Login Assistant to all workstations. If significant numbers of users work off-site and sign in to their workstations with cached AD domain credentials, integrate Login Assistant with the corporate VPN so that passwords can be reset and cached credentials updated while off-site. This process is further described in Self-Service Anywhere (SSA) for remote users.
SSA also includes installation of the Local Reset Extension, which allows Login Assistant to trigger updates to locally cached passwords after a successful password reset.
Since Login Assistant is most often used for forgotten passwords, configure a secure and easy-to-use multi-factor authentication method for Login Assistant users that does not depend on the password. For example, require users to answer their security questions, followed by QR code verification using the Bravura One mobile app.
User experience
When using the Login Assistant on the corporate network for a forgotten password, the user experiences the following:
User: opens the workstation to the Windows logon screen.
User: triggers the Login Assistant by clicking the "forgotten password" tile or link on the logon screen.
Login Assistant: opens a kiosk-mode web browser with the appropriate Bravura Pass application URL.
User: authenticates to Bravura Pass using the configured multi-factor authentication, such as security questions followed by QR code verification through the Bravura One mobile app.
User: clicks Change Passwords on their self-service Bravura Pass home page.
User: successfully changes their password.
Bravura Pass: synchronizes the new password to the corporate domain and to any other accounts attached to the user's Bravura Pass profile.
User: closes the web browser and is returned to the logon screen.
User: logs in to the workstation with the new password. Because the workstation is connected to the corporate network, it verifies the new password against the domain and grants access; the locally cached Windows credential is updated automatically on that successful logon.