New Enhanced User Access

myPassword® now makes available an optional GINA.DLL that modifies the user's Windows logon screen on 32-bit and 64-bit Windows XP. There is also a GINA-less Windows Logon message capability that can add a configurable message to the Windows Logon screen (for example, reminding users to use the Restricted Access Account).

  Integration

myPassword® can be licensed and used without rDirectory; however, when combined with rDirectory, the natural synergy of the two products forms an even more powerful password management solution. Combining rDirectory with myPassword® solves two of the most common problems in self-service password management:

  1. Getting users to fill out their Password Reset Profile
    If users don't fill out the questions and answers in their Password Reset Profile, then when they forget their password or get locked out, they will just call the help desk as usual and you save nothing. With rDirectory you can force users to fill out their Password Reset Profile (or any other attribute) when they first access any rDirectory application.
  2. Securing the issuance of new passwords by the help desk
    Even with a self-service password management solution like myPassword®, you will still need a help desk solution as a backup. Most help desk staff have no way of confirming that the person requesting a new password is indeed that person, which creates a huge security hole. With rDirectory, the help desk staff can use the same Password Reset Profile to confirm the caller's identity, and audit logs and email notifications record the help desk operator and the account reset for regulatory compliance.

  Hacker Detection

myPassword® integrates several means of deterring, detecting, and blocking hackers who may attempt to use myPassword® to gain access to an account. Access to myPassword® can be restricted, and excessive failures of either answering questions or authenticating (used in Profile Edit, Password Change, or Vouching) can trigger a hacker detection event. Questions are also presented one at a time for additional security. A hacker detection event can block the hacker's IP address, or the account attacked, and/or send email alerts to immediately notify security personnel of a potential attack.
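The threshold logic described above can be sketched as follows. This is an added example, not myPassword® code: the failure limit, the time window, the action names, and the sample events are all assumptions, since the page gives no values. It also shows a side effect of account blocking: the legitimate user is locked out along with the attacker.

```python
from collections import defaultdict, deque

# Assumed policy values; the page does not state thresholds or window sizes.
MAX_FAILURES = 3
WINDOW_SECONDS = 300

class FailureMonitor:
    # Counts failures per source IP and per target account in a sliding window.
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self.by_ip, self.by_account = defaultdict(deque), defaultdict(deque)
        self.blocked_ips, self.blocked_accounts = set(), set()
        self.alerts = []  # stands in for the email notification

    def _hit(self, bucket, key, ts):
        # Record one failure and report whether the window is now over the limit.
        q = bucket[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.max_failures

    def record(self, ts, ip, account, action, ok):
        """Return 'blocked', 'ok', 'failed', or 'detected' for one attempt."""
        if ip in self.blocked_ips or account in self.blocked_accounts:
            return "blocked"
        if ok:
            return "ok"
        ip_trip = self._hit(self.by_ip, ip, ts)
        acct_trip = self._hit(self.by_account, account, ts)
        if not (ip_trip or acct_trip):
            return "failed"
        if ip_trip:
            self.blocked_ips.add(ip)
        if acct_trip:
            self.blocked_accounts.add(account)
        self.alerts.append((ts, ip, account, action))
        return "detected"

# Constructed sample events: (seconds, source IP, account, action, succeeded)
EVENTS = [
    (0, "192.0.2.10", "alice", "answer_question", False),
    (20, "192.0.2.10", "alice", "answer_question", False),
    (30, "198.51.100.7", "bob", "password_change", True),
    (40, "192.0.2.10", "alice", "answer_question", False),
    (50, "192.0.2.10", "carol", "vouching", False),
    (60, "203.0.113.5", "alice", "profile_edit", True),  # real user, now locked out
]

def replay(events):
    mon = FailureMonitor()
    return mon, [mon.record(*e) for e in events]
```
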

  Password Reset Profile Rules

Not all users are the same, and with myPassword® you can set up rules so that different profile policies, which determine the questions and requirements for creating a Password Reset Profile, are applied to different users. This allows you to require more stringent Password Reset Profiles for more sensitive accounts, and allow simpler Password Reset Profiles for those with limited access.

  Voucher Rules

Vouching is an optional feature that can allow someone who has not filled in their Password Reset Profile, or has forgotten their answers, to get another authorized user to vouch for them so they can reset their account. With myPassword® you can set up rules where different users may be allowed different vouchers, and receive different messages to indicate who can vouch for them. Since rules can leverage customizable Relationship-Based Roles, a voucher can also be based on relationships defined in the directory, such as Manager or another custom relationship that you create.

  Restricted Access Account

For users who have forgotten their password or have been locked out, myPassword® provides the Restricted Access Account method of accessing myPassword®. The Restricted Access Account method is a new best practice recommended by Microsoft, and has significant advantages over the older GINA.DLL method used by many products. With a Restricted Access Account, users can log on with this well-known account, yet be securely limited to accessing only the myPassword® site. The key advantage of this method is that it is centrally managed and does not require replacing the GINA.DLL on all machines. Not only is this a snap to deploy, it is simpler for roving and mobile users, and precludes the GINA.DLL conflicts that can occur with other authorization extensions such as biometrics or network drivers.

  Client-Side Encryption

Client-Side Encryption, which is enabled by default, is available in both myPassword® and rDirectory to preclude sensitive information, such as passwords and answers in Password Reset Profiles, from being sent across the wire in clear text. Using Client-Side Encryption precludes the need to set up SSL encryption, which can be expensive and complex and can slow overall performance.

Client-Side Encryption uses the same public-private key RSA encryption as SSL; however, it uses a smaller 256-bit key rather than a stronger SSL key, and only encrypts sensitive fields rather than the whole page. If SSL is used, Client-Side Encryption can be disabled.

  Password Generator

An optional Password Generator can be used for all new passwords. The password generation feature uses a customizable dictionary of words that will be appended with numbers, and additional words and numbers as necessary, until the minimum password length is obtained. When used with the 'Force Password Change on next Logon' feature, the generated password becomes a one-time-use password that can be as complex as you desire.
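One reading of the word-plus-number scheme described above, with an estimate of how guessable the result is. This is an added example, not the product's generator: the sample dictionary, the two-digit number range, and the capitalization are assumptions. The estimate assumes the guesser knows the dictionary and the scheme, so strength depends on dictionary size and unit count, not on character length.

```python
import math
import secrets

# Constructed sample dictionary; a real deployment would supply its own list.
WORDS = ["amber", "bridge", "cobalt", "delta", "ember", "falcon", "granite", "harbor"]
NUMBER_RANGE = 100  # assumed: each appended number is 00-99


def generate(min_length, words=WORDS, number_range=NUMBER_RANGE):
    """Append word+number units until min_length is reached.

    Returns (password, units), where units is the count of word+number pairs.
    Uses the secrets module so choices come from a CSPRNG.
    """
    digits = len(str(number_range - 1))
    parts, units = [], 0
    while sum(len(p) for p in parts) < min_length:
        parts.append(secrets.choice(words).capitalize())
        parts.append(str(secrets.randbelow(number_range)).zfill(digits))
        units += 1
    return "".join(parts), units


def entropy_bits(units, dict_size, number_range=NUMBER_RANGE):
    """Bits of uncertainty for a password built from `units` word+number pairs,
    assuming the dictionary and the scheme are known to the guesser."""
    return units * (math.log2(dict_size) + math.log2(number_range))


def report(min_length, words=WORDS):
    """Generate one password and return (password, length, estimated bits)."""
    password, units = generate(min_length, words)
    return password, len(password), entropy_bits(units, len(words))
```

With the 8-word sample list, a 12-character minimum yields two units and roughly 19 bits; the same two units drawn from a 2048-word dictionary yield roughly 35 bits.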

  Inactivity Timer

An inactivity timer provides additional security to myPassword®. When used in a kiosk mode, the inactivity timer will ensure that myPassword® is returned to the opening screen, ready for the next user, when left unattended. When used with the Restricted Access Account, the inactivity timer will log out the Restricted Access Account and return to the normal Windows logon when the PC is left unattended.

  Audit Logging / Email Notification

myPassword® records the 'who, what, when, and where' of all changes made in the server's event logs, and can optionally send email notifications to the account changed, or to their manager, for additional security. A special email notification occurs when a potential hacker is detected.

  Cross Browser support

End users can use Internet Explorer, Safari, or Firefox to access myPassword® to reset their accounts, create Password Reset Profiles, or change their passwords.