Display CAPTCHA
Use this activity to display a CAPTCHA image on the Self-Service site and require users to enter the displayed characters before beginning a workflow. This feature provides enhanced protection against automated attacks.
This activity has the following settings:
• Number of characters Specify the number of characters that will be displayed on a CAPTCHA image.
• Noise level Select the noise level for a CAPTCHA image. The higher the level the more difficult it will be to read the characters.
Display reCAPTCHA
Use this activity to display a reCAPTCHA image on the Self-Service site and require users to enter the displayed characters before beginning a workflow. This feature provides enhanced protection against automated attacks.
reCAPTCHA is a free CAPTCHA service provided by Google.
To start using reCAPTCHA you need to sign up and get reCAPTCHA keys on the following Web site:
http://www.google.com/recaptcha.
When getting the keys, provide the DNS name of the domain where Password Manager Self-Service sites are installed. If the Self-Service sites are installed in different domains, select the Enable this key on all domains check box to create a global key.
To learn more about using and configuring reCAPTCHA, go to http://www.google.com/recaptcha/learnmore.
This activity has the following settings:
• Public key Specify the public key you received when configuring reCAPTCHA.
• Private key Specify the private key you received when configuring reCAPTCHA.
• Theme Select a color theme for the reCAPTCHA widget.
Authenticate with Password
Use this activity to authenticate users by their passwords when running a workflow.
This activity has the following settings:
• Authenticate users with expired passwords Select this check box to grant access to the Self-Service site to users who are required to change their passwords at next logon. If you clear this check box, users will be denied any access to Password Manager functionality when their passwords are expired or should be changed at next logon.
• Authenticate users with disabled accounts If you select this check box, Password Manager will allow users whose accounts are disabled to unlock and re-enable their accounts, reset and manage passwords by using their Q&A profiles.
Authenticate with Q&A Profile (Random Questions)
Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity you can specify how many questions from the Questions and Answers profile the user must answer to be authenticated. But you cannot select specific questions from user’s Q&A profile. To require users to answer specific questions from their Q&A profiles, use the Authenticate with Q&A profile (specific questions) activity.
You can configure this activity to display all questions on a single page or only one or the specified number of questions at a time, so that users will not be able to see next questions before they answer the current ones. To display all questions on a single page, use this activity one time in a workflow. To display questions consecutively on several pages, use this activity several times in a workflow (place several Authenticate with Q&A profile (random questions) activities in a row).
This activity has the following settings:
• All questions from user’s Q&A profile Select this option to have users answer all questions from their Q&A profiles during authentication.
• This number of randomly selected questions Select this option to set the number of questions required to authenticate users. You can specify what types of secret questions (mandatory, optional or user-defined) should be used to authenticate the user by selecting corresponding check boxes.
• Do the following if the number of questions in user’s Q&A profile is less than specified Using this option you can either allow or prohibit authentication for users if their Q&A profiles do not have enough secret questions. If you allow authentication, then all questions from the Q&A profile will be used to authenticate a user. If you decide to prohibit authentication, the workflow in which this activity is used will not be performed. The user will have to update his Q&A profile first, after that he will be able to perform the task that contains this authentication activity.
• Allow users to see what questions were answered incorrectly Select this check box to allow users to see to what questions they have provided incorrect answers during
authentication.
Authenticate with Q&A Profile (Specific Questions)
Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity you can select specific questions from user’s Q&A profile that the user must answer to be authenticated.
You can configure this activity to display all questions on a single page or only one or specified number of questions at a time, so that users will not be able to see next questions before they answer the current ones. To display all questions on a single page, use this activity one time in a workflow and select the required questions. To display questions consecutively on several pages, use this activity several times in a workflow (place several Authenticate with Q&A profile (specific questions) activities in a row).
This activity has the following settings:
• Mandatory questions Specify mandatory questions from users’ Q&A profiles that users will answer during authentication.
• Optional questions Specify optional questions from users’ Q&A profiles that users will answer during authentication.
• User-defined questions Specify user-defined questions from users’ Q&A profiles that users will answer during authentication.
• Allow users to see what questions were answered incorrectly Select this check box to allow users to see to what questions they have provided incorrect answers during
authentication.
Authenticate with Defender
You can use this activity to configure Password Manager to use Quest Defender to authenticate users.
Quest Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTP) generated by special hardware or software tokens. Even if an attacker captures the password, there will be no security violation, since the password is valid only for one-time-use and can never be re-used.
You can use the Defender authentication to authenticate users before allowing them to reset or change their passwords, to unlock accounts, or manage Questions and Answers profiles.
Before configuring the settings in this activity, install and configure Defender as described in the Defender documentation.
This activity has the following settings:
• Defender Server (IP address or DNS name) Specify Defender Server IP address or DNS name.
• Port number Type the port number that the Defender Access Node uses to establish a connection with the Defender Server.
• Server timeout Specify Defender Server time-out (in minutes).
• Defender shared secret Provide the secret that the Defender Access Node will share when it attempts to establish a connection with the Defender Server.
Authenticate via Phone
Use this activity to include phone-based authentication in a self-service workflow. If your license includes phone-based authentication service, you will be able to configure and use this activity.
If your Password Manager license does not include phone-based authentication service and you want to use this service, please contact Quest Support to obtain the necessary license at
www.quest.com/support.
Note, if the questions you selected in this activity cannot be found in user’s Q&A profile, the user will not be authenticated and the workflow containing this activity will not be performed for this user. The user will have to update his Q&A profile to answer the required secret questions.
To make Password Manager use the Defender authentication, you must install the Defender Client SDK on the server on which Password Manager Service is installed.
Before enabling phone-based authentication, make sure that users’ phone numbers stored in Active Directory are in a correct format. The phone number must meet the following requirements: it should start with either 00 or + followed by a country code and subscriber’s number. For example, +1 555-789-1314 or 00 1 5554567890.
You can use parentheses for an area code, spaces and hyphens in a telephone number.
This activity has the following settings:
• Authentication method You can specify whether you want users to receive a call or an SMS with a one-time PIN code by selecting the corresponding option. You can also allow users to choose the authentication method on the Self-Service site by selecting the Allow users to choose between an automated voice call and SMS option.
• SMS template Enter the text message that will contain a one-time PIN code and will be sent to users during phone authentication.
• telephoneNumber, homePhone, mobile and custom attributes Select one or several attributes of a user account from which telephone numbers will be used during phone-based authentication. You can also specify custom attributes.
You can test the configured settings by clicking the Test settings button and entering the phone number to which a one-time PIN code will be sent.
Authenticate with Passcode
Use this activity to allow users to use passcode for creating or updating Questions and Answers profile.
Passcodes are assigned by helpdesk operators to users who have forgotten their passwords and at the same are not registered with Password Manager or have forgotten their answers to secret questions.
You do not need to configure any settings for this activity.
Use this authentication activity in the I Have a Passcode workflow only.
For more information on configuring settings for assigning passcodes, see “Assign Passcode” on page 88.