Specops uReset Review

Product: Specops uReset

Product Homepage: click here

Free Trial: click here

Specops uReset

Introduction

Specops Software is a Swedish company founded in 2001 with headquarters in Stockholm and offices in the United States, Canada, and the UK. They develop unique password management and desktop management products based on Microsoft technology.

We have recently reviewed Specops Authentication for Office 365, a single solution that streamlines and secures Office 365 Active Directory integration and user login with dynamic multifactor authentication (MFA). This time, we will be reviewing another product from the same company, Specops uReset.

It is hard to believe, but in many organizations worldwide, IT helpdesks still spend a considerable amount of time resetting passwords for users or unlocking their accounts. Nowadays, this should not be the case. Companies should offload this to users and let them address such common password management-related tasks. With Specops uReset, admins can achieve this with a flexible authentication engine that ensures that users always have a secure way to reset their password, regardless of their location, device, or browser.

Besides flexibility, security is one of the main aspects of this solution. uReset enhances login security by extending MFA to self-service password management. It supports common authenticators, such as security questions, and mobile verification codes, in addition to numerous digital identity providers ranging from personal (for example, Facebook or LinkedIn) to companies (for example, Salesforce), as well as higher trust methods (for example, Specops Fingerprint Authentication app).

By providing users with multiple authentication options, organizations can guarantee that users will complete the password-reset task, even if a particular identity provider is unavailable. Since not all identity providers are equally secure, administrators can assign each identity provider with a trust value, based on their perceived level of security. This means that one identity provider can be worth twice as much as another during authentication. Users who choose high-trust providers will have fewer steps before they can reset their account.

How does it work?

Specops uReset natively integrates with Active Directory (AD) and its configuration is done using Group Policy, which most admins are already accustomed to. uReset consists of one or more (for resilience) Gatekeeper server that is installed on-premises, plus a web, identity and backend services that are all hosted in the cloud by Specops:

  • Authentication backend communicates with the Gatekeeper to read user information from AD and to validate a user’s identity based on the tokens from individual identity services. The web and identity services also communicate with the backend.
  • Authentication web contains the front-end for users and administrators. It enables admins to view system information and manage various aspects of the product including systemwide configurations, and MFA policies.
  • Identity services is an entity that can validate a user’s identity in uReset. The tokens from these identity services are then used by the backend to validate a user’s Identity.
  • The Gatekeeper is installed on a domain-joined server on-premises, so it can read user information from AD, and manage all operations against AD, such as reading/writing enrollment data.

Specops uReset

 

Although at first it might seem that an inbound connection needs to be open through the firewall to the Gatekeeper, this is not the case! All Specops connections are outbound only, which is great from a security perspective.

Requirements

To install the Gatekeeper, we need a server that meets the following requirements:

  • Windows Server 2012 R2 or later.
  • .NET Framework 4.7 or later.

Installing it is straightforward. All it involves is creating a customer account, downloading a customized setup package, and configuring the Gatekeeper in the organization’s AD environment as we will see next.

Self-service password reset/change

uReset leverages the same claims-based identity model of Specops Authentication for Office 365 in order to provide flexible MFA to strengthen password reset security while minimizing impact to users. By fully integrating with Specops Authentication, uReset makes use of Gatekeeper redundancy, as well as the same MFA platform. This means that, for organizations already using Specops Authentication for Office 365, their users might not even need to re-enroll or enroll in additional identity services, depending on the policies configured.

uReset can be configured to allow all cloud users to reset their passwords (when integrated with Specops Authentication for Office 365), or use GPOs to target which users can manage their own password:

Specops uReset

By clicking on Configure, under Policies, we can specify which identity services users can use to reset or change their password, as well as the weight of each one:

Specops uReset

Under Notifications, we can configure notifications to admins to inform them when users reset/change/unlock their password:

Specops uReset

From an end-user perspective, all they need to do to reset their password is navigate to https://login.specopssoft.com. From here, the user either clicks on Reset Password or Enroll if this is their first time using the service. Let’s see what happens when a user clicks on Reset Password without enrolling first:

Specops uReset

The user types their username:

Specops uReset

Authenticates using the identity services configured during their enrollment:

Specops uReset

And, as expected, receives an error stating they need to enroll:

Specops uReset

By clicking on Enroll instead, the user is taken to the following screen, where they need to click on Complete enrollment for uReset:

Specops uReset

As with Office 365, the enrollment process will vary depending on the identity services configured, as well as the policy. If both uReset and Office 365 policies closely match, then users might not even need to configure any additional identity services. But since we are here, let’s try the Specops Fingerprint app:

Specops uReset

After clicking on Specops Fingerprint, we are taken to the following webpage, similar to when we previously configured Specops Authenticator app:

Specops uReset

We need to go to the app store, and download the app:

Specops uReset

Once it has been installed, we open it and click on Scan QR Code:

Specops uReset

The app will ask if we want to allow it to use Touch/Face ID:

Specops uReset

And we are done:

Specops uReset

We have now successfully enrolled in uReset:

Specops uReset

This means we can use the service to reset our password:

Specops uReset

As we type our new password, we will automatically see if it meets the necessary complexity requirements. Each requirement contains one of the four colors:

  • Green indicates that the requirement has been met.
  • Red indicates that the requirement has not been met.
  • Grey indicates that the is an optional requirement.
  • Yellow indicates that the requirement is a server-side requirement and can only be verified once the password has been submitted.

Specops uReset

Once the password meets the necessary requirements, we click OK to reset it:

Specops uReset

Specops Password Reset app

Specops provides a mobile app, available in the Windows Store, Google Play, and App Store, that can be used as a secure alternative to reset passwords and unlock accounts when users are on the move.

Simply search for Specops in the relevant app store and install the Specops Password Reset app:

Specops uReset

When the app starts, we click the arrow to proceed:

Specops uReset

We type our username:

Specops uReset

And we are prompted to verify our identity using the providers chosen during enrollment:

Specops uReset

For example, if we chose Specops Authenticator, we are asked to type the code from that app. Once the code is validated, two of starts fill up, and that identity provider disappears from the list:

Specops uReset

If we chose Secret Questions next, we are asked to answer our personal secret question:

Specops uReset

Since we have now successfully validated our identity, we are taken to the screen where we can choose our new password. This is pretty much identical to the one we saw earlier on a desktop browser:

Specops uReset

Once the new password meets all the requirements, we click OK:

Specops uReset

If, for example, an organization has a minimum password age set and the user tries to reset the password within that limit, he/she will receive an error similar to the following:

Specops uReset

If not, and if the password meets all the requirements, it is reset successfully:

Specops uReset

Conclusion

Although Office 365 has a self-service password reset feature, not every organization is already in the cloud, plus it requires an Azure AD Premium P1 or P2 license for hybrid environments.

Specops uReset removes these limitations and makes self-service password reset available to any organization, independently if they are fully on-premises or already in the cloud. Additionally, it provides more than 15 identity providers to validate users’ identities in a secure way.

TechGenix.com Rating 4.7/5

Specops uReset

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top