About web-based credential management

Password synchronization

Bravura Pass helps users to maintain a single password, subject to a single security policy and changed on a single schedule, across multiple systems.

End users can synchronize some or all of their passwords by using the Bravura Pass web interface to make routine password changes. Administrative users, known as help desk users, can use the web interface to synchronize passwords for callers.

The configured password policy for the relevant systems is clearly displayed to users and enforced immediately. This ensures that the password is accepted by the native password security mechanism on all target systems. Bravura Pass validates the password against the global password policy. If the password is accepted, Bravura Pass synchronizes the passwords on the selected systems.

Password change and synchronization with a web browser is more informative and educational than transparent password synchronization but requires users to change their behavior. A user awareness program is often required to encourage use of this feature.

Password synchronization benefits

Bravura Pass password synchronization is an effective way to minimize password management problems:

  • Users with synchronized passwords tend to remember their passwords.

  • Simpler password management means that users make significantly fewer password-related calls to the help desk.

  • Users with just one or two passwords are much less likely to write them down.

Self-service password changes

Users can change or reset passwords through the web interface using one of the supported authentication methods:

  • Existing password

  • Security questions

  • Hardware token

  • Smart card

  • Mobile app or OTP

  • SMS or email PIN

Self-service password changes support:

  • Routine password updates

  • Password expiry responses

  • Forgotten passwords

  • Intruder lockout recovery

The system can optionally create help desk tickets to document the event.

The demonstration for this feature shows a user who has completed their first login using personally identifiable information (PII). They then set their password using the Change passwords (PSS) module so that they can log in with it next time.

Assisted password changes

Help desk analysts can use the Help Users (IDA) module to reset user passwords using the following process:

  1. Analyst signs in with their Bravura Pass help desk account.

  2. Analyst locates the user profile.

  3. Caller authentication is completed using security questions or other configured verification.

  4. Analyst performs password reset or unlock operations.

Analysts do not require administrative rights on the target systems; all actions are performed through Bravura Pass connectors.

Self-service and assisted account unlock

Users or help desk staff can unlock accounts locked due to failed login attempts via the Self-service unlock (PSK) module:

  1. Users authenticate with a password or an alternate factor.

  2. Once authenticated, they can unlock their account.

  3. Events can optionally trigger the creation of a help desk ticket.

Users who have locked their accounts due to too many failed login attempts can use the Bravura Pass web interface to unlock them. Help desk users can also use the web interface to unlock user accounts.

To implement the self-service and assisted unlock feature, you must turn on the PSK ENABLED setting under Manage the system > Modules > Self-service unlock (PSK).

Note

Bravura Pass does not allow users to reactivate accounts that were disabled by an administrator.

Although the term "unlock" is sometimes used interchangeably with "enable", in some systems (such as Active Directory) a locked account is not necessarily a disabled account. By default, resetting the password of a disabled account changes the password but does not re-enable the account. Typically, an account is disabled for a reason (e.g., a termination request).

To re-enable the account, someone with authorization can submit a workflow request that includes an enable operation. This can be achieved with a Bravura Identity license.

You can automatically enable accounts on Active Directory after password changes by enabling WINNT RESET ENABLE ACCT under Manage the system > Maintenance > Connector behavior. This is a global, "all or none" setting that affects all password resets on Active Directory/WinNT targets.
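
The locked-versus-disabled distinction described above can be read directly from the Active Directory attributes userAccountControl and lockoutTime. The following Python is an added example, not Bravura Pass code: it separates accounts that an unlock can fix from disabled accounts, and lists the disabled accounts a password reset would re-enable when WINNT RESET ENABLE ACCT is on. The function names, the reset_enables_account parameter and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set when an account is disabled
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used to build the sample records."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def account_state(uac, lockout_time, now, lockout_duration):
    """Return (disabled, locked). lockout_duration is a timedelta taken from
    domain policy; None models a lockout that lasts until someone unlocks it."""
    disabled = bool(uac & ACCOUNTDISABLE)
    locked = False
    if lockout_time:  # 0 or absent: not locked out
        locked_at = filetime_to_dt(lockout_time)
        locked = lockout_duration is None or locked_at + lockout_duration > now
    return disabled, locked

def triage(accounts, now, lockout_duration, reset_enables_account=False):
    """Group accounts by what fixes them. reset_enables_account is a
    hypothetical flag modelling WINNT RESET ENABLE ACCT as the page describes."""
    report = {"unlock": [], "needs_enable_request": [], "reenabled_by_reset": []}
    for a in accounts:
        disabled, locked = account_state(a["uac"], a["lockoutTime"], now, lockout_duration)
        if disabled:
            # Unlocking never helps here; only an enable operation does.
            key = "reenabled_by_reset" if reset_enables_account else "needs_enable_request"
            report[key].append(a["name"])
        elif locked:
            report["unlock"].append(a["name"])
    return report

# Constructed sample records (not real directory data).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "alice", "uac": 0x200, "lockoutTime": dt_to_filetime(NOW - timedelta(minutes=5))},
    {"name": "bob", "uac": 0x202, "lockoutTime": 0},  # disabled, e.g. terminated
    {"name": "carol", "uac": 0x200, "lockoutTime": dt_to_filetime(NOW - timedelta(hours=2))},
    {"name": "dave", "uac": 0x200, "lockoutTime": 0},
]

if __name__ == "__main__":
    print(triage(SAMPLE, NOW, timedelta(minutes=30)))
    print(triage(SAMPLE, NOW, timedelta(minutes=30), reset_enables_account=True))
```

Running the second call against an export of real directory attributes before turning the setting on shows which disabled accounts a routine password reset would bring back into service.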
