Secure Password Transmission With tenfold
When you create a new user account in Active Directory, SAP or any other system, you have to set an initial password for the account. If you're using tenfold to cover this process, the software generates a random password that complies with the password policies of the system you are creating the account for. The user then has to change the generated password the first time he or she logs on.
This is a very common procedure that has to be completed each time you create a new user. But how is the initial password communicated to the user? That's something you need to think about. There are a number of methods to pass on credentials to users, and we're going to explore what they are.
Method 1: Email
Yikes. Sending someone their user name and password within the same email is really the worst possible choice you could make. This method carries several risks:
Sniffing. Emails (containing credentials, for instance) are illegally intercepted in transit using a sniffer application.
Hacking. A classic, easy way for attackers (who know what they're doing) to obtain passwords and get immediate access to sensitive data.
Accidental forwarding of emails. Yep, it happens, and if it does, passwords may fall into the wrong hands.
Method 2: Two Emails
Splitting the credential information in two, i.e. one email containing the user name and one containing the password, is hardly better than Method 1. The only difference is that accidentally forwarding one of the emails won't have quite the same dramatic effect. The other risks (sniffing, hacking) remain the same.
Transmitting Passwords via One-Time Secrets
tenfold uses a mechanism called One-Time Secrets (OTS) for generating and transmitting initial passwords. Here, too, the user receives an email.
The difference is that the password is not shown in plain text in this email. Instead, the message contains a unique link that leads to a secure website.
The recipient must authenticate himself to tenfold via the link. The authentication is done using either single sign-on (SSO) via Kerberos or multi-factor authentication (MFA). The linked page opens only if the authentication was successful and the user is identified as the legitimate recipient of the password.
tenfold displays the initial password one time in plain text. The user can either use the password to log on or choose to pass it on in a secure manner. As soon as the link has been used once it becomes invalid and cannot be reused. If the link is not used within 7 days, it expires automatically and the password can no longer be retrieved.
The one-time secret mechanism employed by tenfold protects against both accidental and deliberate misuse of initial login credentials:
Attackers can sniff all they want, but intercepting network traffic will be of no use to them, as the email never contains the password in plain text.
Only the intended recipient can read the password, so accidental forwarding of the email, or misuse of its contents, is ruled out.
The recipient is authenticated using a secure method (Kerberos and/or MFA).
Old, unused initial passwords cannot be extracted or misused.
OTS is currently supported in the Active Directory User Lifecycle and SAP ERP plugins.
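The one-time secret mechanism described above, as an added example that is not tenfold's own code: a small store that issues an unguessable link token bound to one recipient, reveals the password exactly once to the authenticated recipient, and lets the link expire after 7 days. The class and function names, and the injectable clock, are assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed model of a one-time secret (OTS) store; hypothetical code,
# not tenfold's implementation. Links expire after 7 days, as described above.
LINK_TTL_SECONDS = 7 * 24 * 3600


@dataclass
class _Entry:
    recipient: str      # identity the link is bound to (the new account's owner)
    password: str       # generated initial password, cleared once revealed
    created_at: float
    consumed: bool = False


class OneTimeSecretStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._entries: dict[str, _Entry] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the link token is stored; the store alone cannot rebuild links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, recipient: str, initial_password: str) -> str:
        """Generate an unguessable link token bound to `recipient`."""
        token = secrets.token_urlsafe(32)
        self._entries[self._key(token)] = _Entry(recipient, initial_password, self._clock())
        return token

    def reveal(self, token: str, authenticated_user: str) -> str | None:
        """Hand out the password exactly once, only to the authenticated recipient
        (SSO/MFA already done by the caller). None for unknown, expired, used or foreign links."""
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None or entry.consumed:
            return None
        if self._clock() - entry.created_at > LINK_TTL_SECONDS:
            del self._entries[key]            # expired: password is unrecoverable
            return None
        if entry.recipient != authenticated_user:
            return None                        # wrong user; link stays valid for its owner
        entry.consumed = True
        password, entry.password = entry.password, ""   # show once, then forget
        return password
```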