Self-service Password Reset & Recovery

by Tom Hoey

Self-service password reset is the process a user initiates to prove their identity with the end goal of resetting their password. Self-service password recovery is similar, but the end goal is to recover the user’s password without resetting it. The user uses the exact same challenge questions for both password reset and recovery. Users are not able to use the same answer for multiple questions; there is a required minimum length for each answer, and only a subset of a larger question pool (e.g. 3 out of 6) has to be answered.


To authenticate the user during an online self-service action, PortalGuard leverages challenge questions and answers and/or two-factor authentication. Challenge answers are cryptographically hashed and stored on a central server to support roaming users and prevent the need to re-enroll on multiple machines. Encrypted hard drive support (e.g. Symantec Endpoint Encryption) lets the user perform a password recovery through PortalGuard on an alternate or mobile device.


PortalGuard also supports users who are offline or disconnected from the network, allowing them to perform a password recovery, but not a reset. In this case, the password is divided into mathematically-represented “shares”, with each share being AES-256 encrypted by a separate challenge answer. All shares are then bulk encrypted with AES-256 using a separate key and stored locally on the user’s machine. When the user attempts to recover their password, they will be asked to prove their identity by correctly answering a certain number of challenge questions. Once decrypted, the user is shown the password in clear text, allowing them to continue working. For security purposes, if a disconnected user strikes out while attempting to authenticate, the encrypted recovery information is deleted from the local machine, so the user will be forced to reconnect to the network to perform the recovery.
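The offline recovery flow above, as an added illustration that is not PortalGuard's code: a Shamir k-of-n threshold split is assumed for the “mathematically-represented shares”, each share is sealed under a key derived from its own challenge answer (a PBKDF2 keystream plus HMAC tag stands in for the product's per-answer AES-256 wrap, since the Python standard library has no AES), and striking out wipes the local vault. The outer bulk-encryption layer and the answer normalization rule are assumptions, and the iteration count is kept low for the demo.

```python
import hashlib, hmac, secrets
P = 2**521 - 1  # Mersenne prime: the field the polynomial shares live in
SLEN = 66       # bytes needed to hold any value below P

def split_secret(secret: bytes, k: int, n: int):  # Shamir k-of-n: share i = (i, f(i)), f(0) = secret
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    assert 1 <= k <= n and 0 < coeffs[0] < P
    return [(x, sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def recover_secret(shares):  # Lagrange interpolation at x = 0 over GF(P) from k distinct shares
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total.to_bytes((total.bit_length() + 7) // 8, "big")

def _keys(answer: str, salt: bytes):
    # Constructed stand-in for the per-answer AES-256 wrap: PBKDF2 -> keystream + MAC key (answers trimmed/case-folded)
    km = hashlib.pbkdf2_hmac("sha256", answer.strip().casefold().encode(), salt, 20_000, dklen=SLEN + 32)
    return km[:SLEN], km[SLEN:]

def wrap_share(y: int, answer: str):
    salt = secrets.token_bytes(16)
    ks, mk = _keys(answer, salt)
    blob = bytes(a ^ b for a, b in zip(y.to_bytes(SLEN, "big"), ks))
    return salt, blob, hmac.new(mk, blob, "sha256").digest()

def unwrap_share(salt, blob, tag, answer: str):
    ks, mk = _keys(answer, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, blob, "sha256").digest()):
        return None  # wrong answer: this share stays sealed
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, ks)), "big")

class OfflineRecovery:  # local vault: any k correct answers out of n questions reveal the password
    def __init__(self, password: str, qa: list, k: int, max_strikes: int = 3):
        self.k, self.strikes, self.max_strikes = k, 0, max_strikes
        shares = split_secret(password.encode(), k, len(qa))
        self.vault = {q: (x, *wrap_share(y, a)) for (q, a), (x, y) in zip(qa, shares)}
    def recover(self, answers: dict):
        if self.vault is None:
            return None  # wiped: the user must reconnect to the network to recover
        good = [(x, y) for q, (x, salt, blob, tag) in self.vault.items()
                if (y := unwrap_share(salt, blob, tag, answers.get(q, ""))) is not None]
        if len(good) < self.k:
            self.strikes += 1
            if self.strikes >= self.max_strikes: self.vault = None  # strike out: delete local recovery data
            return None
        return recover_secret(good[:self.k]).decode()
```

Enrol with `OfflineRecovery(password, [(question, answer), ...], k=3)` and call `recover({question: answer})`; a wrong answer leaves its share sealed, fewer than k unsealed shares count as a strike, and the third strike wipes the vault.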


By providing the exact same interface for both Windows Desktop and Web-based self-service, the user’s learning curve is minimized and overall user adoption is increased. These actions can also be performed from mobile devices such as iPads and smartphones. PortalGuard integrates seamlessly with Microsoft Active Directory, Novell eDirectory, any LDAP-compliant directories and custom SQL user repositories.

Tags: PortalGuard, Self-Service Password Recovery, Self-Service Password Reset, Two-Factor Authentication
