Self Service Anywhere for remote users
About Self Service Anywhere
Self Service Anywhere (SSA) extends Bravura Pass capabilities to users who are remote or disconnected from the corporate network. SSA enables self-service password, PIN, and encryption key recovery from any endpoint device, reducing support calls and service interruptions.
Bravura Pass includes key features to assist remote users:
Email notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
Resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.
Resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
Smart card PINs for remote users.
Password reset via mobile phone.
Password expiry warning for remote users
Problem | Remote users may not receive Windows password expiry warnings if they seldom connect to the office network. This often results in unexpected account lockouts. |
Solution | Bravura Pass sends automated email notifications for imminent password expiry. Users change passwords using a web browser. |
The solution involves the following components:
Software | Purpose |
|---|---|
Notification Service (psntfsvc) | Updates the database with information about notification events and compliance rules, and runs plugins that:
|
User notifications (PSN) module | Displays password expiry messages in the Bravura Pass web interface. |
Change passwords (PSS) module | Enables users to change passwords for one or more of their accounts. |
Password Manager service | Queues password changes if target systems are temporarily unavailable. |
Bravura Pass Local Reset Extension | Updates cached credentials on local workstations. |
cgilocalr.exe / cgilocalr.cfg | Supplies HTML to the Change passwords (PSS) module and the S STATUS EXT plugin point. |
To set up self-service password reset for remote users:
Set up web-based password management features, including expiry notification.
Configure the Local Reset Extension.
Remote password reset
Problem | Users may forget a password set before leaving the office and cannot log in while off-network. IT support cannot intervene until the user reconnects. |
Solution | A Bravura Pass client software program allows users to connect over WiFi, AirCard, or other temporary Internet connections. A temporary VPN session and a kiosk-mode browser enable self-service password reset. The Local Reset Extension updates cached credentials to match the network password. |
The solution involves the following software:
Software | Purpose |
|---|---|
Change passwords (PSS) module | Enables users to change passwords for one or more of their accounts. |
Password Manager service | Queues updates if target systems fail. |
Login Assistant | Provides a secure kiosk account for off-network password reset. |
Local Reset Extension | Updates cached credentials on local workstations. |
cgilocalr.exe / cgilocalr.cfg | Supplies HTML to the Change passwords (PSS) module and the S STATUS EXT plugin point. |
To set up local self-service password reset for remote users:
Set up web-based password management features, including expiry notification.
Configure the Local Reset Extension.
Configure Login Assistant for remote users.
Full disk encryption (FDE) recovery
Problem | Organizations deploy full disk encryption (FDE) software to protect against data leakage if a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk before they can boot an operating system. This password is normally synchronized with the user’s primary Windows password, so that the user only has to remember and type a single password at login. Users who forget their disk unlock password cannot start their OS. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk. |
IVR solution | Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Bravura Pass can front-end this process using an integrated telephony option, so that users can perform key recovery without help desk intervention. |
Web solution | Users with access to the Bravura Pass web interface request challenge codes through the Unlock Encrypted Systems (HDD) module. The relevant connector uses the challenge code to generate a response code that can be used to unlock the encrypted device. |
The components used in the solution depend on the type of FDE software and on your organization's other requirements. Connector Pack ships with connectors for systems including Check Point, McAfee EndPoint Encryption, and PGP Whole Disk Encryption (WDE).
The Check Point connector works with Phone Password Manager or a custom application to communicate between Check Point and Bravura Security Fabric servers.
The PGP WDE connector works with Phone Password Manager and an ActiveX control, nplocalr, to update locally protected resources.
See also
Hard Drive Encryption Systems for information about configuring target systems for hard drive recovery.
Self Service Anywhere: Interactive Voice Response systems for general information about IVR solutions.
Phone Password Manager for details on installing and configuring the Bravura Pass IVR solution.
Configure the Local Reset Extension plugin for information about configuring nplocalr.
Self Service Anywhere: Encrypted systems accounts for information about configuring the web solution.
Smart card PIN reset
Problem | Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. Users who forget their smart card PIN cannot log in. Resetting PINs usually requires physical help desk intervention. |
Solution | Bravura Pass allows remote smart card PIN reset via a web portal or the locked-out workstation. An ActiveX component communicates with the smart card to reset the PIN. Temporary login passwords can be issued if the smart card is unavailable. |
The solution involves the following components:
Software | Purpose |
|---|---|
Change passwords (PSS) module | Enables users to change passwords for one or more of their accounts. |
Password Manager service | Queues changes if target systems fail. |
scpinplugin / HISCPINToolAX.ocx | Performs smart card PIN reset with policy enforcement. PIN strength checking can be done by checking the combinations of rules specified in a configuration file and the Bravura Pass password policy. |
To set up local self-service smart card PIN reset:
Set up web-based password management features.
Configure the smart card PIN reset plugin.
Low-cost multi-factor authentication (MFA) using mobile devices
Bravura Security Fabric supports secure secondary authentication for remote access using smartphones or personal email.
This solution is implemented using two technologies included with Bravura Security Fabric:
Managed enrollment: Users provide a mobile phone number, personal email, and/or install the Bravura One app.
Login workflow
Start with a CAPTCHA for off-network access.
Prompt for a login ID.
Fingerprint the user’s browser – if the indicated user has signed on successfully from the same browser before, this fact can act as an unobtrusive authentication factor.
If the user connects from a browser or location not seen before, prompt for another factor, which may be any of the following:
Third-party MFA token (e.g., RSA SecurID, Duo, Okta Verify)
Bravura One mobile app (push or QR challenge)
SMS PIN to registered phone
Email PIN to registered email
Users may select among multiple MFA options.
Prompt for the password or answer security questions.
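The login workflow above, sketched as an added example (not Bravura Security Fabric code) that decides which steps a login attempt must pass, with the browser fingerprint bound to the login ID so a browser recognised for one user earns nothing for another. The function names, step labels, `SERVER_KEY`, the sample data and the deny-when-no-factor-is-enrolled rule are assumptions of this example.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
# Second factors named on the page, in the order the page lists them.
FACTORS = ("third_party_token", "bravura_one_app", "sms_pin", "email_pin")


def fingerprint_digest(login_id, attributes):
    """Keyed digest of browser attributes, bound to one login ID."""
    material = "\n".join(f"{key}={attributes[key]}" for key in sorted(attributes))
    message = f"{login_id.lower()}\n{material}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def record_success(known, login_id, attributes):
    """Remember a browser only after the whole login has succeeded."""
    known.setdefault(login_id.lower(), set()).add(fingerprint_digest(login_id, attributes))


def plan_login(login_id, attributes, off_network, known, enrolled):
    """Return (steps, factor_options) for one login attempt."""
    steps = ["captcha"] if off_network else []
    steps.append("login_id")
    digest = fingerprint_digest(login_id, attributes)
    recognised = any(hmac.compare_digest(digest, d) for d in known.get(login_id.lower(), ()))
    options = []
    if not recognised:
        user_factors = enrolled.get(login_id.lower(), ())
        options = [f for f in FACTORS if f in user_factors]
        if not options:
            # Assumption of this example: with no enrolled factor, stop here
            # instead of silently skipping the second-factor step.
            return steps + ["deny"], []
        steps.append("second_factor")
    steps.append("password_or_security_questions")
    return steps, options


# Constructed sample data.
BROWSER = {"user_agent": "ExampleBrowser/1.0", "timezone": "UTC-5", "screen": "1920x1080"}
KNOWN = {}
ENROLLED = {"alice": {"sms_pin", "bravura_one_app"}, "bob": {"email_pin"}, "carol": set()}
record_success(KNOWN, "alice", BROWSER)
```

Because the digest covers the login ID, `bob` presenting the same browser attributes as `alice` is still treated as an unrecognised browser and must pass a second factor.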
See Mobile Access for detailed information about installing and configuring Bravura One.