Recovery
DigitalPersona AD provides full recovery options to administrators for enabling users to regain access to their Windows user accounts and computers.
In addition to the options described below, you can also use the HID DigitalPersona Administration Console to:
Recover a User
Installation of DigitalPersona AD or the DigitalPersona ADUC Snap-in adds the Recover User command to Active Directory’s context menu for a user in the Active Directory Users and Computers console.
This command enables recovery of the user's access to their Windows account by a one time access code available through a link on the Windows logon screen.
DigitalPersona AD provides a means to easily recover access to a computer where a user is unable to access their account, and needs one-time access to the pre-boot environment and their Windows account.
To recover a user:
Step | User or DigitalPersona software | Administrator |
---|---|---|
1. | The user contacts a helpdesk operator or DigitalPersona Administrator and provides their Windows user account name. | |
2. | | The administrator locates the user in Active Directory, right-clicks the user and selects Recover User, which launches the Recover access wizard. |
3. | | The administrator transmits the displayed Recovery account name and password to the user. This will enable them to authenticate at the pre-boot level. Upon use, this password is automatically changed. |
4. | The user enters the provided information, gaining access to the computer at the pre-boot level. | |
5. | At the Windows logon screen, the user clicks their user tile. On their user tile screen, they click the One time access link. | |
6. | The user transmits the displayed Security Key to the administrator. | |
7. | | The administrator clicks Next, enters the Security Code and clicks Next again. |
8. | DigitalPersona displays a One time access code which is transmitted to the user. It does not expire, but can only be used once. | |
9. | The user enters the One time access code and clicks OK, gaining access to their Windows account. | |
Recover a Locked Account
When a user exceeds the permissible number of authentication attempts (as defined in the Windows security policy) with a fingerprint credential, they are automatically locked out of their account. A locked out account cannot be used until it is reset by an administrator or until the account lockout duration has expired.
When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers.
To unlock a Windows user account:
- Ensure that you have the required permissions to modify the user account.
- In Active Directory Users and Computers, right-click the user name and select Properties.
- Click the DigitalPersona tab.
- Clear the Account is locked out for fingerprint authentication option.
  This option is for unlocking accounts only and cannot be used by an administrator to lock an account. If the account is not locked, the option is disabled.
- Click OK to close the dialog box and save the changes.
The administrator can choose to set less strict lockout settings by reducing the lockout duration time or reducing the counter reset time through Windows security settings.
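The Windows lockout settings referred to above can be reviewed and adjusted from PowerShell as well as through the security policy UI. The following is an added example, not part of the DigitalPersona documentation; it assumes the RSAT ActiveDirectory module is installed, that the caller has Domain Admin rights, and uses a constructed user name (jdoe). It only touches the Windows lockout policy; the fingerprint lockout flag itself is still cleared on the DigitalPersona tab as described in the steps above.

```powershell
# Added example (not from the DigitalPersona documentation): review and relax the
# Windows account lockout settings that govern how long a locked account stays locked
# and when the bad-attempt counter resets. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Current default domain lockout policy: threshold (attempts), duration and the
# observation window ("Reset account lockout counter after").
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Fine-grained password policies (PSOs) override the default for the users they
# apply to, so list them before assuming the default policy is the one in force.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Resultant policy for one user (constructed sample account name). This cmdlet
# returns nothing when no PSO applies and the default domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'

# Relax the default policy as the documentation suggests: shorter lockout duration
# and shorter counter-reset window. Windows requires the observation window to be
# no longer than the lockout duration, so both are set together here.
# -WhatIf previews the change; remove it to apply.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -WhatIf
```

Lowering the threshold or shortening the windows trades lockout friction against brute-force resistance, so record the chosen values and watch for a rise in repeated failed fingerprint attempts after the change.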
Recover an OTP Credential
What happens if a user's OTP token (software or hardware) is lost, broken or stolen? How can they still pass MFA (for example, Password + OTP) in DigitalPersona applications?
For Windows logon, DigitalPersona has a couple of recovery options: the user's One-Time Access Code and their Recovery Questions. They may also have other allowed credential combinations such as Password + Fingerprint (if configured by the administrator). For VPN logon, however, there is only one hardcoded policy, Password + OTP, so a procedure is necessary for regaining access to the VPN.
The following procedure can be used in place of a user's One Time Password in any DigitalPersona application, anywhere the UI permits an OTP credential: Windows Logon (Credential Provider), the Verify Your Identity dialog, the DigitalPersona Identity Provider and the DigitalPersona NPS Extension (VPN access).
User Recovery is a permission by default assigned to the domain administrator, but can be delegated to an individual or group (such as a Helpdesk) through the DigitalPersona ADUC plugin as described in Delegating User Recovery with a One-Time Access Code.
The generated OTP Recovery Password can be defined for one time use (which expires in 60 minutes) or with a definable time window (of 5, 15, 30 or 60 minutes) within which it can be used multiple times.
Use Case Scenario for OTP Recovery
Step | User | Helpdesk or Administrator |
---|---|---|
1. | A user needs to log on to their corporate VPN where DigitalPersona software and the NPS Extension have been deployed, but their OTP token is broken or has been lost or stolen. | |
2. | The user contacts a helpdesk operator or DigitalPersona Administrator and provides their Windows user account name. | |
3. | | The helpdesk operator or administrator locates the user in Active Directory, right-clicks the user and selects Recover OTP, which displays the OTP Recovery Password Configuration dialog. |
4. | | The helpdesk operator or administrator configures the OTP Recovery Password with the options defined above and then proceeds with one of the following actions: |
5a. | | Send SMS - If DigitalPersona SMS has been configured, the Send SMS button will be active and can be pressed to send the displayed OTP Recovery Password to the user. The password will be saved to the DigitalPersona database and the user can then use it to log in to DigitalPersona applications as described at the beginning of this section. |
5b. | | Send email - If DigitalPersona Email has been configured, the Send email button will be active and can be pressed to send the displayed OTP Recovery Password to the user by email. The password will be saved to the DigitalPersona database and the user can then use it to log in to DigitalPersona applications as described at the beginning of this section. |
5c. | | Press Apply - There is no need to press Apply when either the Send SMS or Send email button was pressed. If neither was pressed, the Apply button must be pressed in order to save the password to the DigitalPersona database so that it is available to the user. Once the password has been applied (saved), it can be given to the user over the phone or through an installed email client. |
6. | The user receives the OTP Recovery Password and uses it instead of an OTP credential for authentication. | |
7. | | The user should be reminded to enroll a new OTP credential for future use. |