- 31 Dec 2024
Static password randomization
- Updated on 31 Dec 2024
Password randomization is only possible in a Microsoft domain environment.
If password randomization is enabled, OneSpan Authentication Server Appliance replaces the static Windows password with a randomly generated password for each logon, while adhering to strict formatting rules. Password randomization occurs transparently for the user, who only needs to enter the user ID and an OTP for authentication. The password is generated in the background.
Since the password is randomized for each authentication procedure, users are prevented from logging on to client workstations that do not have Digipass Authentication for Windows Logon installed.
After a successful authentication towards OneSpan Authentication Server Appliance, password randomization replaces the static password used to authenticate the Windows client to the Windows domain with a randomly generated static password. This randomly generated password is no longer known to the user, thereby forcing the user to use OTP authentication.
The randomly generated password remains constant in the OneSpan Authentication Server Appliance user account record, and a corresponding attribute is added to trace randomization status.
Configuring password randomization requires the following:
- LDAP or Windows back-end authentication towards Active Directory.
- Password randomization is enabled in the effective policy.
If password randomization is enabled in OneSpan Authentication Server, the effective policy used by OneSpan Authentication Server must not apply password proxying for the changeBackendPassword SOAP command. Otherwise, a user with a randomized password would be able to change the password.
For more information about password randomization, see Static password management.