12 Recover a forgotten password. Sophos SafeGuard Easy

SafeGuard Easy

24

12 Recover a forgotten password

If the user has forgotten their password, there are two ways to recover it:

■ The user may recover it using Local Self Help. This is the recommended method.

■ The helpdesk may recover it using a Challenge/Response procedure.

12.1 Recover a forgotten password using Local Self Help

1. On the endpoint in the SafeGuard Power-on Authentication, the user enters their user name.

The Recovery button becomes active.

2. The user clicks Recovery.

■ If only Local Self Help is activated for logon recovery on the endpoint, it is then started automatically.

■ If both Local Self Help and Challenge/Response are displayed for logon recovery, the user clicks Local Self Help.

3. In the following five dialogs, the user answers a defined number of questions randomly selected from the questions stored on the endpoint. After answering the last one, the user confirms the answers with OK.

4. In the next dialog, the user can view the password by pressing ENTER or SPACEBAR, or by clicking the blue display box.

The password is displayed for 5 seconds at the maximum. Afterwards, the startup process continues automatically. The user can hide the password immediately by pressing ENTER, or SPACEBAR, or by clicking the blue display box again.

5. After reading the password, the user clicks OK.

The user is logged on at the SafeGuard Power-on Authentication and to Windows and can use the password for future logon.

12.2 Recover a forgotten password using

Challenge/Response

Prerequisites:

The key recovery file created for each endpoint during installation of the Sophos SafeGuard encryption software must be accessible to the helpdesk and the name of the file must be known.

Challenge/Response must be enabled using a policy for the endpoint.

Note:

startup guide

We recommend that you primarily use Local Self Help to recover a forgotten password. Local

Self Help allows the user to have the current password displayed and to continue using it. This avoids the need to reset the password or to involve the helpdesk.

1. On the endpoint in the SafeGuard Power-on Authentication, the user enters their user name.

The Recovery button becomes active.

2. The user clicks Recovery.

■ If only Challenge/Response is activated for logon recovery, it is then started automatically.

■ If both Challenge/Response and Local Self Help are displayed for logon recovery, the user clicks Challenge/Response.

A dialog is displayed indicating the name of the key recovery file required.

3. The user clicks Next. A random challenge code is displayed.

4. The user contacts the helpdesk and provides the name of the required key recovery file as well as the challenge code to the helpdesk.

5. In SafeGuard Policy Editor, the helpdesk launches the Recovery Wizard.

6. The helpdesk selects recovery of type Sophos SafeGuard Client, confirms the key and the challenge code and selects the required recovery action Boot SGN Client without user logon.

A response code in the form of an ASCII character string is generated and displayed.

7. The helpdesk provides the user with the response code, for example by phone or text message.

8. On the endpoint in the Challenge/Response Wizard, the user clicks Next to enter the response code provided. The endpoint is enabled to start through SafeGuard Power-on Authentication.

9. In the Windows logon dialog, the user does not know the correct password and needs to change the password at Windows level. This requires further recovery actions outside the scope of Sophos SafeGuard, using standard Windows means. We recommend that you use the following methods to reset the password at Windows level:

■ Using a service or administrator account available on the endpoint with the required Windows rights.

■ Using a Windows password reset disk on the endpoint.

10. The user enters the new Windows password that the helpdesk has provided. The user then changes this password immediately to a value only known to them.

A new user certificate for use in Sophos SafeGuard will be created automatically based on the newly chosen Windows password. This enables the user to log on to the computer again and to log on at the SafeGuard Power-on Authentication with the new password.

The user can log on to the endpoint and log on at the SafeGuard Power-on Authentication again with the new password and can use the password for future logon.

25