Fischer's Kiosk feature is a utility feature that organizations can deploy for multiple use cases. It can be deployed as the primary on-boarding interface for users accessing the solution for the first time. It is also used as a password reset feature. There are multiple use cases where the Kiosk makes sense as the identity verification mechanism beyond on-boarding alone. When a user forgets their username, organizations can direct the user to the Kiosk to verify their identity and reset their password. If the feature is used both for initial on-boarding and for resetting forgotten passwords, end users have a single location to access for every identity verification method the organization chooses to deploy. This eliminates the confusion caused by handing end users multiple URLs to bookmark or remember at the moment they need to reset their password. As mentioned previously, there are multiple methods of resetting passwords, and we will discuss those later on.
The following functionality is supported by the Identity Kiosk:

| Feature | Description |
| --- | --- |
| Identity Verification | Organizations leveraging the Kiosk for on-boarding and/or resetting passwords are provided with the ability to verify Identities prior to allowing passwords to be set. The available options for verification are as follows: |
| Password Reset(s) | When employed, the Kiosk provides for end users to reset their password(s). Fischer's Password Enforcement Configuration is also extended to the Kiosk feature so organizations can enforce their global password rules across the entire organization. |
The screenshots below will break down the authentication flow and the end-user experience. Note that all available options have been turned on for the purposes of this guide, including Multi-Factor Authentication via Fischer's native Authenticator app, which is available within the product suite.
Once the user enters their Identity User ID, Fischer will locate the Identity within the registry to determine which authentication rules will govern Identity verification. Note that IGA Administrators have control and the ability to distinctly define which methods of identity verification are required for a particular user, or group of users. In this case, all available identity verification methods are exposed for the sake of documentation.
If the end user selects identity verification via challenge response (i.e. secret questions) AND their security profile is incomplete, they will be presented with a one-time question. This question can be anything, but it is best practice to use a one-time, randomly generated authorization code that Fischer generates and stores (internally) against the Identity profile. Note that this value can be used any time the Identity's security profile is "incomplete". "Incomplete" means that not all secret questions have been answered. This typically occurs in only one of two scenarios:
(1) It is the first time the Identity is on-boarding; in this case their security profile will most certainly be incomplete.
(2) The Help Desk has cleared the end user's security profile and instructed them to start over, at which point the authorization code is needed again.
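The two scenarios above, and the rule that the authorization code is honoured only while the security profile is incomplete, can be modelled in a few lines. The following is an added illustration written for this page, not Fischer's code or data model; the `IdentityProfile` class, the function names and the two-question profile are constructed for the example. The code is kept retrievable on the profile so that the Help Desk display option described later can work, and comparison uses a constant-time check so a presented code cannot be guessed character by character.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


# Constructed in-memory model of one Identity's security profile (hypothetical,
# not Fischer's registry schema).
@dataclass
class IdentityProfile:
    user_id: str
    required_questions: tuple
    answers: dict = field(default_factory=dict)
    auth_code: Optional[str] = None  # one-time authorization code held internally

    def is_complete(self) -> bool:
        # "Incomplete" means at least one required secret question has no answer.
        return all(self.answers.get(q) for q in self.required_questions)


def issue_auth_code(profile: IdentityProfile) -> str:
    """Scenario (1): generate a random code, store it against the profile and
    return it for delivery to the end user only."""
    profile.auth_code = secrets.token_hex(8)  # 64 bits from the OS CSPRNG
    return profile.auth_code


def verify_auth_code(profile: IdentityProfile, presented: str) -> bool:
    """The code is accepted only while the security profile is incomplete."""
    if profile.is_complete() or profile.auth_code is None:
        return False
    return hmac.compare_digest(profile.auth_code, presented)


def answer_question(profile: IdentityProfile, question: str, answer: str) -> None:
    """Record an answer to one of the required challenge-response questions."""
    if question not in profile.required_questions:
        raise ValueError(f"unknown question: {question}")
    profile.answers[question] = answer.strip()


def helpdesk_view_code(profile: IdentityProfile) -> Optional[str]:
    """Help Desk option: show the originally generated code to the agent."""
    return profile.auth_code


def helpdesk_clear_profile(profile: IdentityProfile, reissue: bool) -> Optional[str]:
    """Scenario (2): clear the answers so the user starts over. With reissue=True
    a fresh code replaces the original; otherwise the original stays valid."""
    profile.answers.clear()
    if reissue:
        return issue_auth_code(profile)
    return None


def kiosk_flow_demo() -> dict:
    """Walk the flow end to end and return each decision as a named boolean."""
    profile = IdentityProfile("jdoe", ("Q1", "Q2"))  # constructed sample user
    code = issue_auth_code(profile)
    results = {}
    results["wrong_code_rejected"] = not verify_auth_code(profile, "0" * 16)
    results["code_accepted_while_incomplete"] = verify_auth_code(profile, code)
    answer_question(profile, "Q1", "blue")
    results["still_incomplete_after_one_answer"] = not profile.is_complete()
    answer_question(profile, "Q2", "rex")
    results["complete_after_all_answers"] = profile.is_complete()
    results["code_rejected_once_complete"] = not verify_auth_code(profile, code)
    results["helpdesk_can_view_code"] = helpdesk_view_code(profile) == code
    new_code = helpdesk_clear_profile(profile, reissue=True)
    results["old_code_rejected_after_reissue"] = not verify_auth_code(profile, code)
    results["new_code_accepted_after_clear"] = verify_auth_code(profile, new_code)
    return results


if __name__ == "__main__":
    for step, ok in kiosk_flow_demo().items():
        print(f"{step}: {'ok' if ok else 'FAILED'}")
```

Because the code lives on the profile in the clear, whatever store holds it needs the same access control as the Help Desk screen that displays it; the alternative of storing only a hash removes the "show the original code" option and leaves reissue as the only recovery path.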
This guide will showcase the most secure, risk-averse approach to leveraging the Kiosk for on-boarding, which includes identity verification. In this case, after the user is prompted to enter their one-time authorization code, which was randomly generated by Fischer and provided only to the end user, Fischer's Native Authenticator app (available for iOS and Android) will send a push message to the end user's device requesting further identity verification.
Viewing the Authorization Code
IGA Administrators can configure the Help Desk (administration) screen to show the authorization code in case the end user has forgotten it. This is the case where the organization wants to keep the same authorization code that was originally generated. In other cases, organizations want a new authorization code generated and sent to the end user, just as when they first on-boarded. This is also possible: there is no product configuration option for this use case, but the scenario can be constructed using various product features.
At this point in the authentication flow, the end user will access their mobile device and verify their Identity. After identity verification, Fischer will then check the status of the security profile. The security profile consists of a completed set of secret questions (i.e. answers have been provided to the required challenge-response questions). If the security profile is incomplete, Fischer will alert the user to the status of the security profile and then present the security profile, which must be completed before Fischer allows the user to proceed to viewing the account information associated with the Identity. Refer to Configuring Security Q&A for more details on all the functional options available to your organization as you deploy the Identity Kiosk. It is highly configurable to meet your identity verification and on-boarding needs.
Once the Identity completes the security profile (i.e. provides answers to the listed questions), they will be directed to the following screen.
This screen allows the end user to return to the secret question configuration (possibly to change an answer, or to change their custom question); the most likely option, however, is to continue by clicking Next with the "Reset my password" radio button selected. The next screen will then appear.
*Many Different Views
For step #6, it is important to understand that there are many different views that may appear depending upon how the organization's Password Enforcement Rules are configured.