TechTalk - Automate 30% of service requests with automated password reset
Okay, good afternoon, good morning everyone, depending on where you are in the world. Welcome to our IT Workflows Tech Talk on password reset. If you're catching this on the recording on YouTube, thank you so much for joining us. Just a quick call-out there: we do have the ServiceNow Community YouTube channel, which is a great resource, so if you want to capture that QR code from your smartphone, you will be subscribed to our YouTube channel, so you'll get updates about videos like this. We're going to put out a how-to series around password reset as well; that'll be on the how-to playlist on that channel, so some good, valuable information there for you to consume.

My name is Patrick. I'm one of the architects here in the IT transformation practice. So today we're going to talk about the value behind automating password reset within your environment. We're going to go through some deep-dive slides around the capabilities, then I'm going to show you a demo of a couple of the experiences around password reset, as well as what the flows under the covers actually look like to facilitate that work, and then we'll save Q&A for the end. That said, if you wouldn't mind using the Q&A feature rather than the chat feature to ask me questions, it helps me keep track of them, so very much appreciated.

So why are we talking about this? According to Gartner, 20 to 30% of all IT service desk volume are password reset requests. So this is 20% of work that the service desk is doing that can be completely automated. And the math is pretty simple, right? 2.8 calls to the service desk per user per year, a third of the calls are password reset related, and an average service desk call costs about 30 dollars to process. So for a thousand users, your organization is likely spending twenty-eight thousand dollars a year manually resetting passwords. Obviously those aren't one-size-fits-all estimates, but we know that it is a problem. At ServiceNow we've been
doing an exercise with many of our customers called clustering analytics. You may be familiar with it. What we do is we use ServiceNow's Predictive Intelligence to analyze your ticket volumes so we can recommend places where automation would be beneficial in your environment, and the number one thing that comes up during all of these cluster analytics engagements is password reset.

So ServiceNow provides a native Password Reset application. The benefits include being able to automate 20% of those tickets. You're ensuring a consistent user experience, and what that means is your customers already know to go to ServiceNow to request a piece of software, even maybe request a server in your environment, but password reset tends to be somewhat fragmented. Maybe you're using Google's directory or Azure Active Directory; there's a series of different portals and experiences that users typically have to jump through to reset their passwords. So we can put all of those experiences behind our platform, because the Password Reset application is extensible, and we're giving you a better-governed, consistent process around resetting passwords in your organization.

So the key features: it's self-service as well as service desk assisted, so you can give your employees a completely self-service interface where they can go change and reset their passwords, or they can still call the service desk, but we can provide a consistent, secure way for them to reset their password with the service desk. We support ID verification methods: security questions, SMS text, CAPTCHA, as well as authentication tools like Google Authenticator. We can allow your users to enroll through the same service catalog that they're accustomed to today, or we can automatically enroll them in password reset just by being part of a group inside of ServiceNow or just part of your ServiceNow environment. And we provide a ton of usage and enrollment
reporting, and that's going to make it easier to demonstrate the value of your password reset solution back to your leadership.

So let's go into a couple of slides around deep-dive information on password reset. Let's start with nomenclature. ServiceNow, you know, we love acronyms, we got ITOM, ITAM, ITSM, so let's go through some nomenclature. First of all, a credential store: simply a system that houses credentials. The most common credential store that we see typically in an enterprise environment is Microsoft Active Directory and Azure Active Directory. That said, ServiceNow, when it's not integrated with LDAP or SSO, is a credential store in itself. Jira, Jenkins, if they are not integrated with your Active Directory environment, they have their own credential store capabilities.

A verification method: this is the way that we verify our user's identity. We can do that with a series of security questions, you know, mother's maiden name for example; I'll show you that in our demo. We also have more advanced types of verifications. The one that I used as a ServiceNow customer was SMS text verification using our Notify and Twilio capabilities. We also support Google Authenticator out of the box as well, and then obviously we do have CAPTCHA verification; we want to make sure that we don't have robots trying to request password resets in your environment.

So what is enrollment? Enrollment is registering a user, and that user to the specific verification methods inside of Password Reset. So when they enroll, they're going to set up their security questions. If you're using SMS verification, they're going to register their cell phone number, and they're going to receive a confirmation text and can confirm that back to make sure that's set up properly. Automatic enrollment can be done using the personal data verification type, and this just verifies information based off of
the user table. After they're automatically enrolled, you can extend their verifications with things like security questions as well as SMS text, etc.

And the password reset process, right, this is the combination of a credential store and the verification methods and enrollment to define how users reset their passwords inside the ServiceNow environment, inside of the Password Reset application. So it's the holistic process of all of those for resetting a user's password in a specific environment, potentially.

So we have two user experiences. This is actually a little bit of a grey area, because there's even another user experience that we can provide; we can provide a mobile experience as well. But the two main user experiences are full self-service, basically you are brought to a password reset website on the ServiceNow platform where users can reset their passwords, and then we also have service desk assisted, which is a guided process that provides a secure, governed interaction with the IT service desk.

So how does password reset work? The process is pretty straightforward. The first thing that they're going to do is enroll, and we all know what enrollment means now, whether that's with their mobile for SMS, email, two-factor, etc. They're going to request a password reset: the user wants to log in and fails, they can go right to the request a password reset screen, and then they're going to be prompted for their verification methods. As soon as ServiceNow verifies that that user is authorized to reset their password, they are going to be brought to a screen that allows them to type and confirm a new password. That will be sent to their credential store, and that will become their password going forward.

So the service desk assisted is a little bit of a different experience. Same sort of enrollment, right, these are still going to enroll, they're still going to need to have security
questions or some second factor of authentication, but then they're going to call the service desk, and the service desk agent is actually going to do that verification, and then a new password is going to be provided, and the service desk agent will read that back to the user. The user can then log in, and they will likely be prompted to reset their password again, because obviously we don't want the service desk agent holding on to that password, for security reasons.

Let's quickly, before we go into demo, walk through a couple of core concepts behind password reset. First off, the credential store: ServiceNow and Microsoft AD are provided out of the box for you, and when we say Microsoft AD, in our Paris release we also natively support Microsoft Azure Active Directory. Now when we say password reset is extensible to reset any password, that means that you can bring your own credential store. For example, I had a customer who had a specific application, and that application actually used Oracle authentication. So as long as you are able to do something within Oracle, either providing a command line, a REST API, a PowerShell interface into the credential store mechanisms inside of that application, you can pretty much automate any sort of password reset using the framework that we provide to give that consistent user experience.

So our verification methods, said this a couple times now: we support SMS, Google Authenticator, email, QA verification, as well as personal data verification. And these are basically walking you through all the modules that you'll see; you'll see these verification methods inside the Password Reset module. Security questions: you may want to employ multiple factors as well. You may want to have an SMS verification, then you may want to have one, two, three security questions for the users as well, so you can just be a hundred percent sure that you're resetting the actual user's password who's
requesting it, the user who works in your organization. So we provide you a ton of verification questions out of the box; you can also create your own verification questions as well.

And the password reset process, we talked about this earlier, this is what combines the credential store, the verification method and the policies for password reset into a single process that allows for your users to request a password reset for a specific application in your environment.

Go through a couple of enrollment, reporting, security, governance features, and then we'll do our demo. So users configure verification required for all password reset processes, so you need to have at least one factor of verification on there. This looks like the enrollment is actually requiring two, so you're going to see the SMS screen. They're going to enroll their SMS provider as well as their cell phone number, and they're going to get a PIN number sent to them. They're going to put that PIN back into the ServiceNow instance, and then we are verifying that that user owns that mobile device. It looks like this process also requires QA verification, so then the users are going to be brought to the QA verification screen, and they're going to get to choose three or four or however many security questions is called for within the process, and they're going to fill those out. ServiceNow is going to save them; they will be prompted for them when they go ahead and reset their password.

So we have a lot of rich dashboarding around password reset. So basically, how many people are using self-service, how many people are using service desk assisted, are they changing passwords, are they resetting passwords, do we have users who are spamming the system with password resets? Maybe that's indicative of a problem, right, so we could dig in and we could troubleshoot that issue. And do we have users that are banned
from password reset for specific reasons? Something to call out here is password reset out of the box will only allow a password change once per day. So if you want your users to be able to change passwords more frequently, I'm not sure why you would, but there is a system property that allows you to change the time in minutes between password resets and password changes.

So the screen before, we were looking at how many users were enrolled. This is just calling out the various things that I talked through in the previous slide. So I talked about the locked-out users. You'll notice that users are locked out; they can be unlocked again basically by just either deleting this, this is essentially a log record, which probably isn't best practice, or you can just change that blocked flag from true to false, and that's going to allow those users to reset their password again. So if you administer password reset and maybe somebody reset their password, they mistyped it twice, they will get locked out of the system if you haven't changed that property. And if you get a call, just know to take a look in here and check to verify if the user is blocked. And you'll see this is where we define the policies to expire the lockout. You'll see whoever made these slides actually did what I did for a demo environment, and we made that zero, so we didn't run into issues while we demoed this to our customers.

And we also, this is going to be an ask from your security team, we have detailed logging, so every password reset, it's attached to a request, a requester, a requested user, and then there's detailed logs into what action they actually took.

Two more slides here around a couple common asks from our customers, usually the security team. Many organizations are already enforcing a password history within Azure Active Directory or within Active Directory, so we have a way to handle that within password reset. I'm not going to talk you through
this very busy slide. I will send out a copy of this presentation after the demonstration, so you'll have this slide for reference. This is also called out on docs.servicenow.com.

And lastly, ServiceNow, once again a busy slide, this is all very publicly accessible information. Password reset is essentially an extension of our Integration Hub functionality, and that said, it has all of the same security baked into the platform and Integration Hub. So the user is communicating with ServiceNow through TLS. Your MID Server is behind your firewall; your MID Server is what typically is communicating with Active Directory or even Azure Active Directory, so none of that's actually even happening on the public internet, it's happening behind your firewall, and your MID Server just communicates back with the ServiceNow instance over HTTPS, TLS. So it's a highly secure method for resetting your passwords. Nothing's really happening unencrypted over the public internet.

If the user forgets the correct answer in security questions, are they automatically rerouted to service desk? So it's sort of a yes or no on that one, Wendy. They will be prompted that we are unable to complete the password reset. There is a reset request associated with it, so we don't have an out-of-the-box flow that does this, but you could simply put a flow in place that looks for the trigger, the user failed verification, and then automatically creates a service desk ticket, either for the service desk to reach out, but likely, if the password reset attempt does fail, the user is going to be prompted to contact the service desk anyway. So there's a couple ways to handle that.

Yeah, Tom, a mobile device can be used to request the password reset. You can just create a mobile page within the mobile app for doing this, or expose it as a catalog item.

So we can see our password reset request counts, our password reset request counts per user, right, and then
password enrollment verification. So here are my inactive users: I have 156 users that aren't enrolled in password reset and I have three. So this may give us, our service desk, our password reset administrator, a prompt that they need to get more people to enroll in the solution. And then we break out requests: is it a password reset, is it a password change, or is it a reset password? And then what processes are customers using? If you had multiple applications in here, with some applications that aren't AD connected, we would show those as well.

So the first thing we'll do is we'll go ahead and do a change password. Actually, you know what, we'll do a reset password for Alexander Hamilton, because that way I don't have to impersonate him, and we'll do his change password next. So the user is asked to provide their username. I do have CAPTCHA disabled here; if you had CAPTCHA on, they would be asked to verify that they are not indeed a robot. So you'll see now I'm prompted for my verification questions. My only verification method for this password reset process is QA verification. So, graduated high school: 2005.
Probably not exactly correct for Alexander Hamilton, but who knows. Password or child, or excuse me, phone number: 555-555-5555. And what street did you live on in third grade? I'm just going to say Street. And if I did that all correctly, we should be prompted to reset the password. So you'll notice that we have security requirements. This can be customized, and you'd want this to match whatever security requirements you have within your Active Directory environment, or if there's any requirements on those credential stores that you've extended the application into. No, I mistyped something. And hopefully it doesn't take a few minutes. Okay, so the password has been reset successfully.

And Wendy, going back to your question, it would be this screen: if the verification questions were wrong, before it even let the users reset their password, a big red X would come up here and they would be told to contact the service desk, and there would also be indication of that within the logs.

Let me go back a couple screens, show you a couple things here before I do a password change. So you'll now notice that there's a reset request, so that one just came in, PRQ 1032.
This is actually the request that got put in when we reset that password, and you can see the logs here, everything that it did, right: we validated the user, we started the password reset master flow, and then we completed the flow and reset the user's password. And we know exactly what process was used.

So if we look at the process, basically, when we talk about the password reset process back in that nomenclature, that is the combination of the credential store as well as the verification methods that make up a user resetting the password within your environment, as well as the enrollment activities. So can this be used for password reset or password change? This is where you activate it. Just note, this tripped me up a couple of times: they do not activate by virtue of updating this record, and we don't give you a lot of notification that it isn't active. So just in case you do set this up on your own, make sure this active box is checked, otherwise it's going to get very frustrating; you're not going to know why it's not working.

Do we apply this to all users, or we can say I want to apply this to a subset of users. We provide the identity verification type; remember, the identity verification type is data that's known within the ServiceNow system users table. You notice I have CAPTCHA turned off here. This is a publicly accessible URL, the reason being that if a user can't log into ServiceNow with their LDAP password, they're likely not going to be able to reset it, so we do have to make this a publicly accessible URL. That said, if you're doing this for something like an internal application that may not be connected to your Active Directory, that URL does not necessarily need to be publicly accessible, as long as they can authenticate to the ServiceNow instance.

We can send, like, enrollment, so as soon as you set up enrollment, it will notify the users to be enrolled. We can also send a reminder as well, so
the users that aren't enrolled, they will be sent a notification on a schedule. And here's where I set up the verifications for the password reset process. You'll notice if I edit, I can add other verification methods. Do I send them an email? That's possible, but they may not be able to get their email for a password reset. Google Authenticator, SMS, etc.

All right, and the last thing that I want to show you is the credential store, and I'm going to show you my Azure AD credential store. So you'll notice that basically these are just flows inside of Flow Designer. So here's my password change flow and here's my password reset flow, and what's happening is the password master is calling these flows to do the various password changes for the various credential types. So now you can begin to see why this is easily extensible: you could create a new credential store called My Application One and basically just create a basic flow inside of Integration Hub and Flow Designer to reset that password within that application.

And if we open up the flow, you can see the subflow gets inputs and outputs from the password reset request record. Its outputs are going to be if there are any sort of error messages or status messages from the various steps, and it's basically some simple if/else logic. So what you could do here, if you wanted to extend this application, is you could literally make a copy of this subflow and call it Password Reset - My Application, and you would really only need to change out a couple of steps here. This is specific to Azure AD, so I do look up the user ID first; it provides a user ID, a GUID basically, and then I basically reset the user's password in these two steps right here. If the password is changed successfully, then assign the status of success, and we will display that back to the user. If there are any sort of error messages, we capture those and we will display those back to the user as well. So you can see
Integration Hub and Flow Designer, it's pretty easy if/then/else logic, and you can build and extend the application basically in Integration Hub and Flow Designer. That said, some of our spokes do, so we have different actions here, and there are some spokes for various enterprise applications that allow you to reset passwords as part of them. So some of these out-of-the-box spokes may be a good jumping-off point if you have those applications within your environment.

Last thing I'll show you is just a user requesting a password change. So rather than Alex going to a public-facing page to reset their password, let's pretend they're already in ServiceNow, they're working away, and they may be getting a notification on Slack or Microsoft Teams that their password is going to expire. They can simply just go into the change password, password reset, provide their old password, and this is how you facilitate a password change. You'll notice that for a password change, we just allow the user to provide their old password as verification. It's also important to note that they are already verified, because they're already authenticated to the ServiceNow application.

So that concludes the slides and the demo portion of today's presentation. If you have any questions about the content discussed in this webinar, please feel free to reach out to your ServiceNow account team. Thank you so much, have a great day.
https://www.youtube.com/watch?v=G8gWpSgexd4