When you create a new user account in Active Directory, SAP or any other system, you have to set an initial password for the account. If you’re using tenfold to cover this process, the software generates a random password that complies with the password policies of the system you are creating the account for. The user then has to change the generated password the first time he or she logs on.
This is a very common procedure that has to be completed each time you create a new user. But how is the initial password communicated to the user? That’s something you need to think about. There are a number of methods to pass on credentials to users and we’re going to explore what they are.
Method 1 – Email
Yikes. Sending someone their user name and password within the same email is really the worst possible choice you could make. This method bears many risks:
Method 2 – Two Emails
The method of splitting credential information in two, i.e. one email containing the user name and one containing the password, is hardly better than Method 1. The only difference is that it won’t have quite the same dramatic effect if you accidentally forward one of the emails. The other risks – sniffing, hacking – remain the same.
Method 3 – Multiple Communication Devices
A more secure method is to send the logon data using several modes of communication, for instance an email containing the user name and an SMS for the password. However, this method is sometimes difficult to implement since not everyone has access to the same technologies. What if someone doesn’t have a cell phone or other means of communication besides email?
tenfold uses a mechanism called One-Time Secrets (OTS) to generate and transmit initial passwords. Here, too, the user receives an email, but it contains only a link, not the password itself.
The recipient must authenticate to tenfold via that link, using either single sign-on (SSO) via Kerberos or multi-factor authentication (MFA). The linked page opens only if authentication succeeds and the user is identified as the legitimate recipient of the password.
tenfold displays the initial password one time in plain text. The user can either use the password to log on or choose to pass it on in a secure manner. As soon as the link has been used once it becomes invalid and cannot be reused. If the link is not used within 7 days, it expires automatically and the password can no longer be retrieved.
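To make the mechanism concrete, the following is an added example written for this article; it is not tenfold's code and does not reflect its internals. It models the two pieces described above: generating a random password that satisfies a (constructed, hypothetical) password policy, and a one-time secret store that hands the password out exactly once, only to the authenticated recipient, with a 7-day expiry. The names `PasswordPolicy`, `OneTimeSecretStore`, `issue` and `retrieve` are assumptions for the example; the `authenticated_user` argument stands in for whatever identity the SSO or MFA step established.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the example; a real system would load the target
# system's own password policy (hypothetical class, not tenfold's).
@dataclass(frozen=True)
class PasswordPolicy:
    length: int = 16
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"


def policy_satisfied(pw: str, policy: PasswordPolicy) -> bool:
    """Check every character class the policy demands is present."""
    checks = [
        (policy.require_upper, any(c.isupper() for c in pw)),
        (policy.require_lower, any(c.islower() for c in pw)),
        (policy.require_digit, any(c.isdigit() for c in pw)),
        (policy.require_symbol, any(c in SYMBOLS for c in pw)),
    ]
    return len(pw) >= policy.length and all(ok for required, ok in checks if required)


def generate_initial_password(policy: PasswordPolicy) -> str:
    """Draw from a CSPRNG until the candidate satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if policy_satisfied(candidate, policy):
            return candidate


@dataclass
class _Entry:
    recipient: str      # identity that must authenticate before retrieval
    password: str
    created_at: float


class OneTimeSecretStore:
    """Single-use, time-limited delivery of an initial password (hypothetical)."""

    TTL_SECONDS = 7 * 24 * 3600   # link expires if unused within 7 days

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries: dict = {}
        self.events: list = []      # audit trail for detection/investigation

    def issue(self, recipient: str, password: str) -> str:
        """Store the password and return the unguessable token for the link."""
        token = secrets.token_urlsafe(32)
        self._entries[token] = _Entry(recipient, password, self._clock())
        self.events.append(("issued", recipient))
        return token

    def retrieve(self, token: str, authenticated_user: Optional[str]) -> Optional[str]:
        """Reveal the password once, only to the authenticated legitimate recipient."""
        entry = self._entries.get(token)
        if entry is None:
            self.events.append(("unknown_or_used_token", authenticated_user))
            return None
        if self._clock() - entry.created_at > self.TTL_SECONDS:
            del self._entries[token]          # expired: password is gone for good
            self.events.append(("expired", entry.recipient))
            return None
        if authenticated_user is None or not secrets.compare_digest(
            authenticated_user.encode(), entry.recipient.encode()
        ):
            # Wrong or missing identity: reveal nothing and leave the link intact.
            self.events.append(("denied", authenticated_user))
            return None
        del self._entries[token]              # consume before returning: no replay
        self.events.append(("revealed", entry.recipient))
        return entry.password


if __name__ == "__main__":
    store = OneTimeSecretStore()
    pw = generate_initial_password(PasswordPolicy())
    token = store.issue("alice", pw)
    print(store.retrieve(token, "alice") == pw)   # first use reveals it
    print(store.retrieve(token, "alice"))         # second use: None
```

Two design points worth noting: the password is deleted from the store before it is returned, so a second request with the same token cannot succeed even if it races the first; and a retrieval attempt by the wrong identity is logged but does not consume the link, since the page states the link is invalidated by use, not by a failed attempt. Whether a failed attempt should also invalidate the link is a policy choice the example leaves open.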
Secure Password Transmission With tenfold
The one-time secret mechanism employed by tenfold protects against both accidental and deliberate misuse of initial login credentials:
OTS is currently supported in the Active Directory User Lifecycle and SAP ERP plugins.