Self-service account recovery administrator's guide
Nametag’s self-service account recovery solution enables employees to quickly and securely recover their Okta, Microsoft Entra, and Duo accounts without needing to involve helpdesk resources. This gives employees an easy portal through which they verify their identity and then can reset their own passwords or multi-factor authentication (MFA).
Connect a directory to Nametag
Each directory provider’s integration has a slightly different configuration. You can jump to your specific provider using these links:
There is one setting that applies to all directory providers, and that’s self-service permissions. These permissions determine which actions your users can take once they have verified their identity with Nametag.
Configure self-service permissions
Every directory integration has self-service permissions for the directory members. These permissions determine which actions they are allowed to take when visiting the company microsite.
Depending on the provider, administrators can allow none, one, or both of the following:
- Reset a password
- Reset multi-factor authentication devices
Resetting a password will generate a temporary password directly inside Nametag (or link you to a directory page where you can set a new password) which can be used to sign in. This applies to new accounts, where the person is setting their own first temporary password using Nametag, as well as existing accounts where the password has been lost or forgotten.
Resetting multi-factor authentication devices will remove all of the devices, tokens, apps, etc. that have been associated with that account. This includes things like phone numbers set up for SMS messaging, authenticator apps, physical keys, passkeys, and all other multi-factor authentication methods. The user will simply re-establish these devices when they sign into their account using only the primary sign-in method (usually a password).
Integrating with specific directories
Review all of your integrations at a glance to quickly see the total number of members in each directory and the sync status of the integration. You’ll also see the self-service recovery status, which indicates whether or not people are able to reset their own passwords and/or multi-factor authentication devices.
Connect to Microsoft Entra (formerly Azure Active Directory)
The first thing you’ll need to do is configure self-service permissions. If you need to review the specifics, click here to navigate back to that section.
Entra includes settings options for both password and multi-factor authentication devices.
Once you’ve made your selections, simply click the Connect to Microsoft Entra ID button to connect. You’ll be directed to the Entra sign in page, where you should enter your administrator credentials.
This will automatically connect your integration!
Connect to Okta
The first thing you’ll need to do is configure self-service permissions. If you need to review the specifics, click here to navigate back to that section.
Okta includes settings options for both password and multi-factor authentication devices.
You’ll also need to gather two pieces of information from Okta. We’ve provided links to their help content for instructions on how to collect this information from your Okta administrator account.
- Okta URL
- Click here to view Okta’s instructions on how to locate your Okta URL
- API token
- Click here to view Okta’s instructions on how to create an API token
Connect to Duo
The first thing you’ll need to do is configure self-service permissions. If you need to review the specifics, click here to navigate back to that section.
Duo only includes settings options for multi-factor authentication devices.
You’ll also need to gather three pieces of information from Duo. All three of these items can be created in Duo by following these instructions provided in Duo’s Admin API* documentation.
- Integration key
- Secret key
- API hostname
*Please note that the Duo Admin API is only available with certain Duo plans. According to Duo, this API is automatically available to paying Duo Premier, Duo Advantage, and Duo Essentials plan customers and new customers with an Advantage or Premier trial.
Connect to OneLogin
The first thing you’ll need to do is configure self-service permissions. If you need to review the specifics, click here to navigate back to that section.
You’ll also need to gather three pieces of information from OneLogin:
- Client ID
- Client Secret
- OneLogin Hostname
To gather this information:
- Navigate to your OneLogin site, e.g. example.onelogin.com.
- From the Developers menu, choose API Credentials.
- Press New Credential.
- For Name enter “Nametag”. Choose Manage all and press Save.
  Note: Nametag requires Manage all permissions in order to manage passwords and MFA devices on your behalf.
- Copy the Client ID and Client Secret into Nametag.
- Enter the host name of your OneLogin site (e.g. example.onelogin.com) into Nametag.
Configure integration settings
Click Settings for any integration to edit self-service permissions, manually update the sync, or remove an active integration.
Updating the synchronization between Nametag and a directory
The sync status tells you whether or not the integration is successfully connected. If the connection is severed, you’ll see the status update automatically to reflect that the integration is not working. Nametag synchronizes with your directory every hour. You can also manually synchronize Nametag with your directory at any time by clicking Sync now.
If the integration sync stops working, the list of accounts will not be up-to-date. Depending on why the sync fails, the self-service site may also stop working. For example, this will happen if the API key provided by your directory has expired.
If this happens, simply click Reconnect to try reconnecting. If you still continue to have trouble, reach out to help@nametag.co and we’ll get you pointed in the right direction.
Removing a directory integration
Removing an integration is a destructive action and should be done with caution. When an integration is removed, all of the members of that directory and their data will be deleted from Nametag. This means that the accounts table will likely be empty and you will lose all records of resets and account actions taken by users.
It will also stop all self-service resets and prevent any further changes. This means that people will not be able to reset their passwords or MFA devices automatically using Nametag. In order to get the self-service site running again, reconnect the directory integration.
Configure a self-service site
You’ll also need to set up your desired self-service recovery site. This is a simple website that’s hosted by Nametag at a domain that is customizable. On the site, people will be prompted to provide their work email address and scan a QR code.
Create a DNS record
We recommend setting a domain that is easy to remember and share with your team, because users will need to return there frequently (for example, whenever they get locked out).
You’ll need to create a DNS record/CNAME that points your desired domain name to nametaghosted.com.
Instructions for this process will vary depending on your hosting service. If you need help determining this information, contact help@nametag.co.
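Before sharing the recovery address with your team, it is worth confirming that the record actually resolves as a CNAME to nametaghosted.com. The following checker is an added example, not Nametag's own tooling: it parses the answer section printed by `dig +noall +answer CNAME <host>`, so it can run offline against captured output, and the hostname recover.example.com and the sample answers are constructed.

```python
"""Verify that a self-service recovery hostname is a CNAME to nametaghosted.com.

Added example (not Nametag's code). parse_answer() understands the answer
lines printed by `dig +noall +answer CNAME <host>`; check_live() runs dig,
check_cname() evaluates captured output so the logic can be exercised offline.
"""
import subprocess

EXPECTED_TARGET = "nametaghosted.com."   # target named in the guide, as an FQDN

# Constructed samples of `dig +noall +answer CNAME recover.example.com` output.
SAMPLE_GOOD = "recover.example.com.\t300\tIN\tCNAME\tnametaghosted.com.\n"
SAMPLE_WRONG = "recover.example.com.\t300\tIN\tCNAME\told-vendor.example.net.\n"
SAMPLE_A_ONLY = "recover.example.com.\t300\tIN\tA\t203.0.113.10\n"


def dig_command(hostname):
    """Command line used to fetch only the answer section for the CNAME query."""
    return ["dig", "+noall", "+answer", "CNAME", hostname]


def parse_answer(text):
    """Return (name, ttl, rrtype, rdata) tuples from dig answer lines.

    Comment lines (starting with ';') and blank lines are ignored; names and
    rdata are lower-cased so comparisons are case-insensitive, as DNS is.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, ttl, _cls, rrtype, rdata = parts[:5]
        records.append((name.lower(), int(ttl), rrtype.upper(), rdata.lower()))
    return records


def cname_targets(hostname, text):
    """All CNAME targets recorded for hostname in the captured answer."""
    want = hostname.rstrip(".").lower() + "."
    return [rdata for name, _ttl, rrtype, rdata in parse_answer(text)
            if name == want and rrtype == "CNAME"]


def check_cname(hostname, text):
    """Return (ok, reason) for the captured dig output of hostname."""
    targets = cname_targets(hostname, text)
    if not targets:
        return False, "no CNAME record found for %s" % hostname
    if len(targets) > 1:
        # A name may carry only one CNAME; two means the zone is misconfigured.
        return False, "multiple CNAME records for %s: %s" % (hostname, ", ".join(targets))
    if targets[0] != EXPECTED_TARGET:
        return False, "CNAME points to %s, expected %s" % (targets[0], EXPECTED_TARGET)
    return True, "ok"


def check_live(hostname):
    """Run dig for hostname and evaluate the real answer (needs network and dig)."""
    result = subprocess.run(dig_command(hostname), capture_output=True, text=True, check=False)
    return check_cname(hostname, result.stdout)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "recover.example.com"
    ok, reason = check_live(host)
    print("%s: %s" % (host, reason))
    sys.exit(0 if ok else 1)
```

Run it with the hostname you chose as the argument; a non-zero exit means the record is missing, points at the wrong target (a typo in the CNAME is the usual cause), or was created as an A record instead of a CNAME.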
Using the self-service site
People will access this site by verifying their identity using a government-issued photo ID and a real-time selfie. Once they confirm their identity and Nametag has linked the verified identity to their account, they will be able to use this site to reset their own passwords and/or multi-factor authentication methods.
If you want to learn more about what this process looks like for your users, please see this article.
Monitoring updates to your directory made by Nametag
View directory users in Nametag
When you connect a directory, all of the members of that directory will be added to Nametag. These people will be added as accounts, which means that you will see each individual listed with their corresponding email address and the status of their Nametag identity.
See the status of a Nametag identity
This is a key component of Nametag. Every account from your directory includes the Last verified time, which represents the status of that person’s Nametag identity. If someone has successfully completed the identity verification process, they’ll have a time stamp and a green shield icon.
This means that this individual has provided a valid government ID document and a real-time selfie, which Nametag’s proprietary models have analyzed, compared, and validated. Nametag verifies both that the ID document and selfie are individually valid, and that they match.
Filter this table by Verified or not to see all of the accounts that fall under a certain identity status. This is useful for generating lists of people who still need to verify their identities with Nametag.
Reviewing directory membership
You will also see a directory in each row of this table. This represents the directory that is linked to a given account.
This is particularly useful when looking for all of the members of a specific directory; simply filter the accounts table by one or more directories.
Get notifications via webhooks when a directory account is changed
Nametag can emit a webhook to a monitoring or alerting service you use when an account is recovered (that is, a password or MFA device is reset by Nametag). Please see the Nametag API documentation on this for more information.
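A receiver on the monitoring side should authenticate each delivery before acting on it and should treat an MFA reset as the more significant event, since it removes every factor registered on the account. The handler below is an added example, not Nametag's code: the header name, the HMAC-SHA256 signature scheme, and the JSON field names are placeholders standing in for whatever Nametag's API documentation specifies, and the sample delivery is constructed.

```python
"""Receive account-recovery webhooks and turn them into alert records.

Added example (not Nametag's code). SIGNATURE_HEADER, the HMAC scheme and the
JSON fields read by parse_recovery_event() are placeholders; replace them with
the format given in Nametag's API documentation.
"""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"constructed-shared-secret"   # placeholder; load from a secret store
SIGNATURE_HEADER = "X-Webhook-Signature"        # placeholder header name
KNOWN_ACTIONS = ("password_reset", "mfa_reset") # placeholder action names


def sign(body, secret=WEBHOOK_SECRET):
    """Hex HMAC-SHA256 over the raw request body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(headers, body, secret=WEBHOOK_SECRET):
    """Constant-time comparison of the presented signature with our own."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(presented, sign(body, secret))


def parse_recovery_event(body):
    """Extract the fields an alert needs; raises on unknown or missing data."""
    data = json.loads(body)
    action = data["action"]
    if action not in KNOWN_ACTIONS:
        raise ValueError("unexpected action %r" % action)
    return {
        "email": data["account"]["email"],
        "directory": data["account"]["directory"],
        "action": action,
        "time": data["time"],
    }


def alert_record(event):
    """Alert line for the SIEM. An MFA reset clears every registered factor,
    so it is rated above a password reset."""
    severity = "high" if event["action"] == "mfa_reset" else "medium"
    return {
        "severity": severity,
        "summary": "%s for %s (%s directory) at %s" % (
            event["action"], event["email"], event["directory"], event["time"]),
        **event,
    }


def handle_delivery(headers, body, secret=WEBHOOK_SECRET):
    """Return (http_status, alert_or_None) for one delivery."""
    if not verify_signature(headers, body, secret):
        return 401, None          # unauthenticated: do not parse, do not alert
    try:
        event = parse_recovery_event(body)
    except (KeyError, ValueError):  # JSONDecodeError is a ValueError
        return 400, None
    return 200, alert_record(event)


# Constructed sample delivery.
SAMPLE_BODY = json.dumps({
    "action": "mfa_reset",
    "account": {"email": "alice@example.com", "directory": "Okta"},
    "time": "2024-01-01T12:00:00Z",
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(SAMPLE_BODY)}

if __name__ == "__main__":
    status, alert = handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY)
    print(status, json.dumps(alert, indent=2))
```

Plug `handle_delivery` into whatever HTTP framework the monitoring service uses, passing the raw bytes of the body; signing a re-serialised JSON object instead of the raw body is the usual cause of spurious 401s.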