
About Login Assistant

Login Assistant enables password reset and account unlock from the Windows login screen by launching a restricted browser session associated with a secure kiosk account. It supports both on-network and remote users, and integrates with multi-factor authentication as configured in Bravura Pass.

Login Assistant software

Login Assistant is composed of:

  • The secure kiosk account (SKA), used to launch the restricted session

  • The runurl client, which starts the locked-down browser

  • Windows Credential Provider extensions (Windows 8 and later), which present a “Change my password” tile on the login screen

Secure kiosk account deployment options

There are two main methods that you can use to implement a secure kiosk account (SKA):

  • Domain-level SKA

    A domain-level account is created in Active Directory, typically with a help login ID. A restrictive security policy is applied to prevent access to operating system features and network resources. Users authenticate to this account only indirectly through the Login Assistant tile.

  • Workstation-level SKA

    A local help account is created on each workstation. The account is granted the Log on locally right and configured so that logging in launches the secure kiosk environment. This avoids dependency on domain connectivity at login time.

Both SKA types work with the Credential Provider extension.
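The restrictive policy described for both SKA types is what keeps a help account, whose login ID is typically well known, from being useful anywhere except the console tile. The script below is an added example of how an administrator could create a workstation-level SKA and pin its logon rights; it is not part of the Login Assistant product or its documentation. The account name, temporary paths and the exact set of denied logon rights are assumptions, and the step that makes the account launch the kiosk environment (runurl) is performed by the Login Assistant installer and is not shown. It also serves the lockdown best practice at the end of this page.

```powershell
# Added example: hardening a workstation-level secure kiosk account (SKA).
# Illustrative administrator code, not part of Login Assistant or Bravura Pass.
# Assumptions: account name 'help', secedit template written under %TEMP%,
# and the SKA needs only interactive (console) logon.
#Requires -RunAsAdministrator
param(
    [string]$AccountName = 'help',                       # assumed SKA login ID
    [Parameter(Mandatory)][securestring]$Password        # as configured for Login Assistant
)
$ErrorActionPreference = 'Stop'

# 1. Create the local help account. Membership of the built-in Users group is
#    what normally confers the "Log on locally" right the SKA needs.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password `
        -Description 'Login Assistant secure kiosk account' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $AccountName
}
$sidRef = '*' + (Get-LocalUser -Name $AccountName).SID.Value   # secedit's SID syntax

# 2. Adjust user rights with secedit. A template replaces each listed right's
#    holder list wholesale, so export the current assignments and append to
#    them instead of silently dropping Administrators or Users.
$work = Join-Path $env:TEMP 'ska-rights'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$current = Join-Path $work 'current.inf'
secedit /export /cfg $current /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Path, [string]$Right) {
    $m = Select-String -Path $Path -Pattern "^$Right\s*=(.*)$" | Select-Object -First 1
    if ($null -eq $m) { return @() }
    return @($m.Matches[0].Groups[1].Value.Trim() -split ',' | Where-Object { $_ -ne '' })
}

# Allow console logon; deny every other logon type (network/SMB, RDP, batch, service)
# so the help account's credentials are worthless off the login screen.
$rights = @('SeInteractiveLogonRight',
            'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight',
            'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight')
$lines = foreach ($r in $rights) {
    $holders = @(Get-RightHolders $current $r)
    if ($holders -notcontains $sidRef) { $holders += $sidRef }
    "$r = $($holders -join ',')"
}
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$($lines -join "`r`n")
"@
$inf = Join-Path $work 'ska.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode    # secedit expects UTF-16
secedit /configure /db (Join-Path $work 'ska.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. Verify by re-exporting: the SKA must hold the interactive right and every
#    deny right, otherwise the lockdown is incomplete and the script fails loudly.
$after = Join-Path $work 'after.inf'
secedit /export /cfg $after /areas USER_RIGHTS | Out-Null
foreach ($r in $rights) {
    if (@(Get-RightHolders $after $r) -notcontains $sidRef) {
        throw "$AccountName is missing $r; SKA lockdown is incomplete"
    }
}
Write-Host "SKA '$AccountName' ($sidRef) is limited to interactive logon on this workstation."
```

Run it once per workstation from an elevated prompt, supplying the SKA password the Login Assistant installation expects. The export-then-append step matters: writing `SeInteractiveLogonRight = *S-1-5-21-...` on its own would remove the right from Administrators and Users and lock every other account out of the console.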

Credential Provider integration for Windows

The Bravura Pass Credential Provider extension provides a Change my password tile on the Windows login screen. Users can click Switch User or Other Credentials to access the tile.

Selecting the tile or logging in directly with the help account launches:

  1. A restricted SKA session

  2. The runurl program

  3. A locked-down browser pointed at the Bravura Pass password change URL

Bravura Pass detects the request as originating from an SKA and loads a special constrained interface. Users then authenticate using configured methods (e.g., security questions, mobile QR verification).

The Credential Provider extension works with both the local and domain-level help accounts.

Note

Password-expiry prompts, account-locked prompts, and similar scenarios are not supported by the Credential Provider tile, but are supported when users attempt to log in directly and are redirected to Login Assistant.


When the user clicks on the tile or logs in with the help account, Login Assistant starts a web browser with the help account’s limited permissions and security profile.

Remote access support

Login Assistant supports off-network scenarios where users cannot authenticate to the corporate domain. When launched, the client checks for Internet connectivity using the external URL configured during installation.

If no connection is detected, users are prompted to choose a connection method:

  • Wired - attempt another direct connection

  • WiFi - allow the user to select a WiFi network

  • AirCard - open the third-party connection utility for a wireless broadband device


If WiFi is selected, the Login Assistant displays a list of detected networks, allowing the user to select one and potentially enter a network key.


A Hidden Network... button allows the user to specify an SSID and password for a hidden wifi connection.

If AirCard is selected, Login Assistant displays the third-party connection utility. Once the user has connected, the utility closes.

Once connected, Login Assistant operates normally and opens the Bravura Pass web interface.

What happens when users log in

When Login Assistant is triggered:

  1. The runurl program starts from either a shared network location (domain-level SKA) or the local workstation (workstation-level SKA).

  2. The runurl program restricts input events (keyboard, mouse) to lock down the workstation.

  3. A browser opens in kiosk mode at the designated Bravura Pass URL.

  4. The user is authenticated using the configured MFA sequence (e.g., security questions + mobile app).

  5. The user resets their password or unlocks their account.

  6. Bravura Pass synchronizes the password with the corporate domain and any connected systems.

  7. The browser closes, returning the user to the Windows login screen.

  8. The user logs in with their new password.
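The sequence above runs before anyone is logged on, so two details carry most of the security weight: the connectivity check only ever probes the configured external URL, and the kiosk browser only ever opens that URL. The following is an added PowerShell illustration of that shape, covering the connectivity check from the remote-access section and steps 1, 3 and 7 of this list. It is not the runurl program or any Bravura Pass code; the URL, allowed host and browser path are assumptions, and the input-event restriction of step 2 is something runurl does that is not reproduced here.

```powershell
# Added example: the shape of the Login Assistant launch sequence in PowerShell.
# Illustrative only; not runurl, not Bravura Pass code. Assumed values:
# the Bravura Pass URL, the allow-listed host and the Edge install path.
param(
    [string]$KioskUrl       = 'https://pass.example.com/psf/',      # assumed Bravura Pass URL
    [string[]]$AllowedHosts = @('pass.example.com'),                # assumed allow-list
    [string]$Browser        = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
)
$ErrorActionPreference = 'Stop'

# A kiosk browser on the login screen must never be pointed anywhere but the
# configured page: require HTTPS and an allow-listed host, so a tampered
# configuration file or an http:// downgrade is refused rather than displayed.
function Test-KioskUrl([string]$Url, [string[]]$Hosts) {
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    return ($uri.Scheme -eq 'https') -and ($Hosts -contains $uri.Host)
}

# Connectivity probe against the configured URL, as the client does before
# offering the Wired / WiFi / AirCard choice. Any HTTP answer, even 401 or a
# 405 to HEAD, proves the path to the server is up; no Response object means
# DNS, TCP or TLS failed.
function Test-PassReachable([string]$Url) {
    try {
        Invoke-WebRequest -Uri $Url -Method Head -TimeoutSec 5 -UseBasicParsing | Out-Null
        return $true
    } catch {
        return ($null -ne $_.Exception.Response)
    }
}

# Fallback corresponding to the WiFi option: the SSIDs Windows can currently see.
function Get-VisibleSsids {
    (netsh wlan show networks) | ForEach-Object {
        if ($_ -match '^\s*SSID\s+\d+\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

if (-not (Test-KioskUrl $KioskUrl $AllowedHosts)) {
    throw "Refusing to open '$KioskUrl': not an HTTPS URL on an allowed host"
}
if (-not (Test-PassReachable $KioskUrl)) {
    Write-Warning "No connection to $KioskUrl. Visible WiFi networks:"
    Get-VisibleSsids | ForEach-Object { Write-Host "  $_" }
    exit 1
}

# Step 3: browser in kiosk mode pinned to the configured URL. -Wait blocks until
# the browser exits (step 7), after which control returns to the login screen.
Start-Process -FilePath $Browser -Wait -ArgumentList @(
    '--kiosk', $KioskUrl, '--edge-kiosk-type=fullscreen', '--no-first-run'
)
```

The URL check runs before the network probe on purpose: a probe is itself an outbound request, and a kiosk component should not contact an unvetted host even to test connectivity.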

Login ID passthrough

When possible, Windows passes the user’s domain login ID to Login Assistant so users do not have to re-enter it. This occurs when:

  • Users press Ctrl+Alt+Del and then click Change a Password

  • The workstation is locked and users enter an incorrect password

  • Users attempt to unlock an account that is locked

  • Users enter their (soon-to-expire or expired) password to log in

    Note

    The soon-to-expire, expired, account-locked and password-change cases are not supported by the Credential Provider.

Since Login Assistant is most often used for forgotten passwords, a secure and easy-to-use second authentication method should be configured for Login Assistant users that does not include password authentication. One example is requiring users to answer their security questions, followed by QR code verification using the mobile Bravura One app.

The figure below illustrates the workflow when the Login Assistant with Credential provider is deployed.

Figure 1. Login Assistant workflow


User experience

When using the Login Assistant on a corporate network:

  1. The user opens their workstation to the user login screen.

  2. The user triggers the Login Assistant by clicking a "forgotten password" tile or link on the user login screen.

  3. Login Assistant opens a restricted browser session with the appropriate Bravura Pass application URL.

  4. The user authenticates to Bravura Pass using the configured multi-factor authentication.

  5. The user clicks Change Passwords on the Bravura Pass home page and successfully changes their password.

  6. Bravura Pass synchronizes the new password with the corporate domain and any other accounts attached to the user’s Bravura Pass profile.

  7. The user closes the web browser and is returned to the user login screen.

  8. The user logs in to their workstation using the new password.

  9. The workstation validates the new password against the domain and updates the locally cached credential (if the Local Reset Extension is installed).

Local password cache behavior

When the Local Reset Extension is not installed and a user changes their password through the SKA while already logged in to Windows (Ctrl+Alt+Delete, then Change a password), the locally cached credential is not updated. The user must log out of Windows and log back in to refresh it.

When the Local Reset Extension is installed, the cached credential is updated as part of the SKA password change and the user does not have to log out and back in.

Login Assistant best practices

  • Deploy Login Assistant to all workstations to provide consistent access to self-service resets.

  • For remote workforces that rely on cached credentials, integrate Login Assistant with the corporate VPN and deploy the Local Reset Extension.

    This process is further described in Self Service Anywhere: Login Assistant for remote users.

  • Configure a secure second factor that does not rely on password authentication (e.g., security questions + QR code via the mobile Bravura One app).

  • Maintain strict lockdown policies for SKA accounts to minimize the attack surface.