Login Assistance Workflow

The Login Assistance Workflow in EmpowerID is designed to help users resolve login issues through a guided self-service process. It provides comprehensive support for password recovery, account lockouts, and Multi-Factor Authentication (MFA) difficulties across both EmpowerID and Microsoft Azure platforms.

This workflow reduces helpdesk burden while maintaining security through automated verification and manual approval processes when needed.

Workflow Capabilities

The Login Assistance Workflow enables users to:

  • Reset Passwords and Unlock Accounts — For both EmpowerID and Azure login credentials
  • Send Azure Temporary Access Pass (TAP) — Provides temporary login access to Azure accounts when standard recovery methods are unavailable
  • Reset Azure MFA — Unblocks or unenrolls users from Azure Multi-Factor Authentication
  • Reset EmpowerID MFA — Unblocks or unenrolls users from EmpowerID Multi-Factor Authentication and removes all associated MFA assets and preferences

Authentication Methods

The workflow employs a tiered approach to user authentication:

Automated Methods: For users enrolled in MFA, the system utilizes registered MFA methods to verify identity and assist in resolving login issues. If a user is not enrolled in MFA but can access a personal email or mobile phone, the system attempts to send a One-Time Password (OTP) for verification.

Manual Methods: If the OTP is not received or the user does not have a suitable contact method, a business request is initiated as a fallback option. This requires an approval process where a designated individual vouches for the user's identity to resolve the login issue.

Configuration

Workflow Parameters

The Login Assistance Self Service Wizard workflow provides extensive customization options, enabling administrators to modify the displayed fields for users utilizing the workflow. These customizable parameters allow you to adapt the workflow according to your organization's specific requirements and preferences.

Complete Parameter Reference

(Screenshot: Workflow View One Page)

Each parameter is listed with its description and its default or example value.

AzureADSCIMConnectorAssembly
  Description: Specifies the assembly information for the Azure AD SCIM connector.
  Default / example value: SCIMAzureConnector,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef

AzureADSCIMConnectorType
  Description: Defines the type of Azure AD SCIM connector.
  Default / example value: Platform-specific configuration

CallBackURLDomain
  Description: Specifies the domain for the callback URL used in authentication flows.
  Default / example value: https://api.empoweriam.com

DateTimeFormatForEmail
  Description: Specifies the date and time format used for TAP expiration dates in email notifications.
  Default / example value: dddd, dd MMMM yyyy HH:mm:ss

DefaultAccountStoreFQNForPersonLookup
  Description: Specifies the default account store fully qualified name (FQN) used for person lookup operations.
  Default / example value: https://linux-scim-aad.azurewebsites.net

EmailMessageNameForTAP
  Description: Specifies the email message template name used for Azure TAP delivery emails.
  Default / example value: LoginAssistanceAzureTAPEmail

IsAzureFirstTimeLoginIssueEnabled
  Description: Determines whether to show or hide Azure first-time login as a problem. If set to true, users see the option "Need help logging into Azure for the first time (TAP)" to help them resolve issues logging in for the first time with an Azure account.
  Default / example value: true or false

IsCreateCollaborationTask
  Description: Determines whether to generate an old-style workflow task instead of a business request for manual approval processes.
  Default / example value: true or false

IsMFAIssueEnabled
  Description: Decides whether the MFA issue should be displayed. Enabling it lets the user select the option "I recall my password, but I am unable to perform multi-factor authentication" in the wizard.
  Default / example value: true or false

IsPasswordIssueEnabled
  Description: Determines whether to display the password issue option. If enabled, the user can access the "I'm unable to remember my password or I've gotten locked out" option, which can assist them in resolving login issues caused by a forgotten password.
  Default / example value: true or false

IsTestMode
  Description: When enabled, the wizard relaxes certain restrictions, such as the "hasAccess" check, to facilitate testing.
  Default / example value: true or false

IsUnknownIssueEnabled
  Description: Determines whether to show or hide the unknown issue problem option in the wizard. If enabled, the wizard shows the "I'm not sure what the problem is but I can't log in" option.
  Default / example value: true or false

OAuthConsumerID
  Description: Specifies the OAuth consumer ID used for integration with external services such as Twilio and SendGrid.
  Default / example value: Organization-specific identifier

OTPValidityDurationInMinutes
  Description: Specifies the validity duration of the One-Time Password, in minutes from the time it is generated.
  Default / example value: Configurable (typically 5-15 minutes)

SendPasswordToEmail
  Description: Determines whether the system sends the OTP to the email address linked to the user account when assisting with logging in through email and phone verification.
  Default / example value: true or false

SendPasswordToMobile
  Description: Determines whether the system sends the OTP to the mobile phone number linked to the user account when assisting with logging in through email and phone verification.
  Default / example value: true or false

SendPasswordToPersonalEmail
  Description: Determines whether the system sends the OTP to the personal email address provided by the user when assisting with logging in through email and phone verification.
  Default / example value: true or false

SendPasswordToTwilioSMS
  Description: Determines whether to send the OTP via the Twilio SMS service.
  Default / example value: true or false

SendPasswordToTwilioVoiceCall
  Description: Determines whether to send the OTP via the Twilio Voice Call service.
  Default / example value: true or false

SendTAPForAzureMFAIssue
  Description: If set to true, a Temporary Access Pass is sent instead of performing an MFA reset for Azure MFA issues.
  Default / example value: true or false

SkipEmpowerIDMFA
  Description: Specifies whether to skip EmpowerID MFA verification during the workflow.
  Default / example value: true or false

SMSOTPKeyEntryName
  Description: Specifies the SMS message template name for OTP delivery via text message.
  Default / example value: PasswordResetCenterOTPSMSMessage

TwilioOTPVoiceMessageTemplateName
  Description: Specifies the Twilio voice call template name for OTP delivery via phone call.
  Default / example value: Organization-specific template name

WhichLoginIdP
  Description: Allows you to specify a particular Identity Provider (IdP) and hide the UI option to select one. If the value is set to "all", the IdP selection option is not hidden and users can choose from all available IdPs during assistance. To hide the selection and enforce a specific IdP, replace "all" with the desired IdP identifier or name.
  Default / example value: "all" or specific IdP identifier
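As an added example (not EmpowerID code), the following Python lint pass reads a set of the parameters above and flags settings that weaken the workflow's automated verification tiers; the check rules, the dict input format and the two sample parameter sets are assumptions of this example, only the parameter names come from the reference.

```python
# Added example, not EmpowerID code: a hypothetical lint pass over the
# Login Assistance Self Service Wizard parameters. Names are from the
# parameter reference; the rules themselves are this example's assumptions.

OTP_CHANNELS = ("SendPasswordToEmail", "SendPasswordToMobile",
                "SendPasswordToPersonalEmail", "SendPasswordToTwilioSMS",
                "SendPasswordToTwilioVoiceCall")


def _flag(params, name):
    """Read a true/false workflow parameter; an unset parameter counts as false."""
    return str(params.get(name, "false")).strip().lower() == "true"


def lint_login_assistance(params, production=True):
    """Return findings for one parameter set (dict of parameter name -> value)."""
    findings = []
    # IsTestMode relaxes the "hasAccess" check; it should never reach production.
    if production and _flag(params, "IsTestMode"):
        findings.append("IsTestMode is true: hasAccess check is relaxed")
    # Skipping EmpowerID MFA removes the strongest automated verification tier.
    if _flag(params, "SkipEmpowerIDMFA"):
        findings.append("SkipEmpowerIDMFA is true: MFA verification is bypassed")
    # Password recovery for users without MFA falls back to OTP, so at least
    # one SendPasswordTo* channel must be on or they all land in manual vouching.
    if _flag(params, "IsPasswordIssueEnabled") and not any(_flag(params, c) for c in OTP_CHANNELS):
        findings.append("IsPasswordIssueEnabled but no SendPasswordTo* channel is enabled")
    # Keep the OTP window inside the 5-15 minute range the reference suggests.
    try:
        minutes = int(str(params.get("OTPValidityDurationInMinutes", "0")))
    except ValueError:
        minutes = 0
    if not 5 <= minutes <= 15:
        findings.append(f"OTPValidityDurationInMinutes={minutes}: expected 5-15")
    return findings


# Constructed sample parameter sets: a weak one beside a corrected one.
WEAK = {"IsTestMode": "true", "SkipEmpowerIDMFA": "true",
        "IsPasswordIssueEnabled": "true", "OTPValidityDurationInMinutes": "60"}
HARDENED = {"IsTestMode": "false", "SkipEmpowerIDMFA": "false",
            "IsPasswordIssueEnabled": "true", "SendPasswordToEmail": "true",
            "SendPasswordToTwilioSMS": "true", "OTPValidityDurationInMinutes": "10"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_login_assistance(cfg) or ["ok"])
```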

Configuring Workflow Parameters

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.
  2. Select the Workflow tab and search for Login Assistance Self Service Wizard.
  3. Click the Display Name for the workflow to navigate to its View One page.
     (Screenshot: Workflow View One Page)
  4. Expand the Request Workflow Parameters accordion on the View One page for the workflow and search for the parameter you need to configure. In this example, we set the IsUnknownIssueEnabled parameter to false, which means the wizard will not show the "I'm not sure what the problem is, but I can't log in" option.
  5. Click the Edit button for the parameter, enter the new value (e.g., false) in the Value field for IsUnknownIssueEnabled, and click Save.
     (Screenshot: Edit Parameter)
  6. Repeat the above steps to adjust any additional parameter values as needed.

Business Request Approval Policy

If the automated validation of a user's request is unsuccessful, the system proceeds with manual approval to establish a business request. This step involves human verification that can be customized to fulfill particular organizational needs. The following steps guide you through viewing and modifying the policies that regulate the manual identity verification process.

  1. On the navbar, expand Low Code/No Code Workflow and click No Code Flows.
  2. Click the Business Request Type tab and search for the Login Assistance Voucher. Click the edit icon to activate the edit mode of the business request type.
     (Screenshot: Edit Business Request Type)
  3. While in edit mode, you'll observe that the approval policy is set to the Login Assistance Voucher Approval Policy. This is the standard policy used for handling business requests that require manual identity verification.
     (Screenshot: Approval Policy Configuration)
  4. Click the Login Assistance Voucher Approval Policy link to navigate to the details page for the approval policy. Scroll to the Approval Steps in Policy accordion to view the specific steps configured for the policy.
     (Screenshot: Approval Steps)

Using the Workflow

Accessing the Login Assistance Workflow

Users can access the Login Assistance Workflow when experiencing login difficulties:

  1. To receive help logging in to EmpowerID, click Login Assistance Workflow on the login screen.
     (Screenshot: Login Screen)
  2. Enter either your EmpowerID login name or the email address associated with your account.
     (Screenshot: Enter Login Details)
  3. Select your Identity Provider (IdP): based on your authentication method, choose either Microsoft Azure or EmpowerID.

EmpowerID Login Assistance Options

Option 1: I'm Unable to Remember My Password or I've Gotten Locked Out

This option allows users who cannot remember their password or have been locked out of their account to regain access.

  1. The system identifies all registered MFA methods and prompts you to select one
  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow
  3. If the account does not have MFA registration:
    • The system locates the email and phone numbers registered for the user
    • Attempts to send a One-Time Password (OTP) to either of them
    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery
  4. If you cannot receive an email or a voice call for the OTP:
    • You can create a manual request to have someone vouch for you
    • The wizard guides you through the recovery process using the Login Assistance by Requesting Identity Validation flow

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option is useful for users who remember their password but face obstacles with MFA, such as losing their phone or acquiring a new one.

  1. The system locates the email and phone numbers registered for the user
  2. Attempts to send a One-Time Password (OTP) to either of them
  3. You can reset the multi-factor authentication registered for your account
  4. Follow the instructions in Login Assistance by Resetting MFA to troubleshoot your login issue

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

If you are facing login difficulties without a clear understanding of the underlying issue, selecting this option will provide helpful troubleshooting steps and guidance.

  • The wizard enters the Login Assistance by Requesting Identity Validation flow for login recovery

Microsoft Azure Login Assistance Options

Option 1: I'm Unable to Remember My Password or I've Gotten Locked Out

This option allows Azure users who cannot remember their password or have been locked out of their account to regain access.

  1. Like EmpowerID, the system identifies all registered MFA methods and prompts you to select one
  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow
  3. If the account does not have MFA registration:
    • The system locates the email and phone numbers registered for the user
    • Attempts to send an OTP to either of them
    • The wizard enters the Login Assistance with Email/Phone flow
  4. If you cannot receive the OTP:
    • You can create a manual request for identity validation
    • The wizard guides you through the Login Assistance by Requesting Identity Validation flow

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option assists Azure users who remember their password but cannot complete MFA.

  1. The system sends an OTP to your registered email or phone
  2. You can reset your MFA settings after verifying the OTP
  3. Follow the instructions in Login Assistance by Resetting MFA

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

Select this option if you're unsure about the login issue.

  • The wizard initiates the Login Assistance by Requesting Identity Validation flow

Login Assistance Flows

Login Assistance with MFA

If the administrator has established a password policy with more than 2 Level of Assurance (LOA) points, you might have to go through multiple rounds of MFA.

  1. The system identifies all registered MFA methods and prompts you to choose your preferred method.
     Note: Your available MFA options may vary, as the wizard loads the MFA methods configured for your account.
     (Screenshot: MFA Options)
  2. After choosing your preferred MFA method, the wizard walks you through the necessary steps.
     • For example, if you select the EmpowerID Mobile Authenticator, you will be prompted to approve a push notification or enter the authentication code.
     (Screenshot: Mobile Authenticator)
  3. Upon successful MFA, you are directed to the Change Password page to reset your password.
  4. After you reset your password, the wizard provides a list of all the accounts for which it has been changed.

Login Assistance with Email / Phone

To receive assistance via email or phone:

  1. The system locates your account's email and phone numbers and attempts to send a One-Time Password (OTP).
     (Screenshot: OTP Options)
  2. If you received the OTP, select Yes and enter the passcode.
     (Screenshot: Enter OTP)
  3. Upon successful OTP verification, you are directed to the Change Password page to reset your password.
  4. The wizard lists all the accounts for which the password has been changed.
  5. If you have not received the OTP:
     • Select No.
     • The system will retry sending the OTP.
     • After several attempts, you will be prompted to create a manual request for identity validation.
     • Follow the instructions in Login Assistance by Requesting Identity Validation.

Login Assistance by Requesting Identity Validation

If all other options fail, you can request assistance for manual identity verification.

  1. When prompted, select Yes to create a request for manual identity verification.
     (Screenshot: Identity Validation)
  2. Provide the following details:
     • Message: Write a compelling and detailed message to the person who will vouch for your identity.
     • Share Email and Phone: Provide an email address or phone number that you currently have access to. This does not need to be the same as the one configured in your profile.
     • Select a Person to Vouch for You: Choose someone who can confirm your identity.
     (Screenshot: Identity Details)
  3. Once you have submitted the request:
     • The approver will receive the business request.
     • Upon approval, an OTP will be sent to the email address or phone number you provided.
     • Follow the instructions to complete the login assistance process.

Login Assistance by Resetting MFA

If your MFA isn't functioning properly:

  1. The system locates the email and phone numbers registered for your account and sends a One-Time Password (OTP).
  2. If you have received the OTP, select Yes, as shown below, and then enter your passcode.
     (Screenshot: OTP Verification Options)
     Note: If you don't receive the OTP, click No to trigger the Login Assistance by Requesting Identity Validation flow to help you log in.
  3. After OTP verification, you will receive a warning indicating that your existing MFA registrations will be deleted. Click Yes to continue.
     (Screenshot: MFA Reset Warning)
  4. On the next screen, you will receive instructions to:
     • Open a browser in incognito mode.
     • Navigate to My Apps.
     • Register a new MFA for your account.
  5. Register your new MFA and attempt to log in again.