Skip to main content

Enabling password changes from a login prompt

The following two sections provide an overview of steps required to enable password changes from a login prompt using Bravura Pass and either a domain-level secure kiosk account, or workstation secure kiosk account.

Domain-level secure kiosk account

To implement password changes from a login prompt using a domain-level SKA:

  1. Create the domain help user .

  2. Remove the help account from the Bravura Security Fabric account list, to prevent users from changing the help account password or attaching the ID.

  3. Optional: Install Login Assistant software on users’ workstations to allow them to access the domain help account.

Alternatively, if you do not want to install software on users’ workstations, carry out steps outlined in Setting up on a Domain (No Workstation Software) and educate users to use the help account manually.

Workstation secure kiosk account

To implement password changes from a login prompt using a workstation-level SKA, use the installer for Windows to create the help account and install the required Login Assistant software on users’ workstations.

See:

Best practice

Configure a special VPN account with a static password, which Login Assistant will use to connect to the network and update locally-cached passwords when users are off-site.

Presuming that the VPN service you use is capable of this, apply the following limits to this account on the VPN server side:

  1. Create a new, dedicated read-only AD domain controller (DC).

  2. Configure Bravura Pass to always push new AD password resets to this DC along with any others.

  3. Configure the VPN user to only be able to access:

    1. The IP of this DC (all TCP ports).

    2. The HTTPS URL of Bravura Pass – typically via a load balancer.

  4. Set a connection timeout on the VPN user to 10 minutes.

  5. Disable intruder lockouts on the VPN user, to minimize the potential for a denial-of-service attack on user access to self-service.

In this section: