Account Access

🚧

This covers only Moveworks Classic

For Moveworks Copilot experiences, refer to "Moveworks Copilot - Feature Overview" page.

Overview

Moveworks Account Access provides users with a secure channel to self-service their login issues.

Account Access is composed of these key features:

  • Unlock Account — Alert users when they’re locked out of their accounts and help them regain access.
  • Reset Password — Help users with self-service password resets.
  • Reset MFA — Help users initiate MFA resets when a mobile device is lost or replaced.
  • Password Expiry Notifications — Notify users when their passwords are about to expire, and when their passwords have already expired.
  • Contractor Expiry Notifications — Notify managers when contingent workers need to renew or extend their contracts.

Some of the above features can only be activated by a user messaging the bot (Reset MFA) or by a system event occurring (Contractor Expiry Notifications), while others can be activated by both (Unlock Account).

General Access Issue

Employee language is heavily symptomatic — employees talk about the issue they're experiencing, not the solution they need. Over the years, we’ve seen thousands of utterances like “I can’t get into my Okta” — presenting multiple options allows users to refine their needs and identify the right solution. As shown above, occasionally a user tells the bot they are having an issue with their Identity and Access Management (IDAM), but do not specify the exact issue. In this case, the bot can recognize that the user is experiencing access issues based on their message. Then, the bot can present them with multiple solutions for their issues:

  • Unlock Account: The Moveworks bot can unlock the user’s account for them.
  • Reset Password: The Moveworks bot can help the user reset their current password for their SSO system.
  • Reset MFA: The Moveworks bot can help the user reset their multi-factor authentication.

Unlock Account

When a user is locked out of their account after multiple failed login attempts, they can reach out to the Moveworks bot to regain access. Once their account is unlocked, they can use their current password to get back in.

Sometimes, however, a user may not even know when they are locked out of their own account. In this case, the bot will reach out automatically to let them know they are locked out. Then, it will ask them if they would like it to unlock their account on their behalf.

Lockout Notification

By polling your identity management system, the Moveworks bot can notify users about a lockout within seconds of it occurring. Here’s how it works: First, the user receives a notification from the bot alerting them to the lockout, then the bot offers assistance. From here, the user can then click on:

  • Yes: To have the bot unlock their account.
  • No: To dismiss the bot.

When they select Yes, the bot will send another message to let them know that their account is unlocked. The user can also reply to the notification with an affirmation like “sure” or “okay” to get the bot to unlock their account. From there, they can log in with their current password. The bot will also create an IT help desk ticket to to track their request.

If the user is still unable to log in, they can click on Forgot Password to reset their current password, Reset MFA to reset their multi-factor authentication, or Re-open issue if their login issue persists for any other reason.

Initiating Unlock Account

In the event of a lockout, users can ask the bot in-chat to unlock their account for them. If the account is unlocked the bot will let them know. If the user is locked out, the bot will ask them if they want the account unlocked. The user can then select:

  • Yes: To have the bot unlock their account.
  • Get help: To request assistance from IT.
  • Cancel: To end the conversation and start over again.

When a user clicks Yes the bot will unlock the account, and notify the user. Then they will be able to access their account by logging in with their current password. Afterwards, users can select Great, it worked! To let the bot know that the access issue has been resolved. If the user is still unable to log in, they can click on Forgot Password to reset their current password, Reset MFA to reset their multi-factor authentication, or Re-open issue if their login issue persists for any other reason.

Instructions for unlocking your account

Moveworks does not yet integrate into every identity management system, but the bot can still help users regain access to their accounts, even if their organization’s system is not enabled for automated account unlock.

When users ask the bot to unlock their account, the bot replies with detailed instructions on how to do so. This could come in the form of a link or a piece of information taken directly from their organization’s knowledge base, conveniently sent as a chat message to the user.

Notification + Instructions

There also may be scenarios where an organization would like to notify users that their account is locked (through an integration with the identity management system), but instead of allowing the user to automatically unlock their account through the bot, the preference is to provide users instructions and/or a link to a portal instead. This is also supported; however, note that in this case, the user will only receive the instructions upon clicking "Yes" to the bot's initial notification message. The instructions cannot be provided in the initial message.

Reach out to your Customer Success team to learn more about configuring your Moveworks bot to provide unlock account instructions.

Configuration options

Lockout notifications

Check for lock out

By default, the Moveworks bot checks for locked out users every 30 seconds. You can configure the amount of time the bot checks for locked out users (i.e. every 60 seconds, every 90 seconds, etc.).

Rate limiting

By default users will be notified of an account lockout at four times a day at most, with a six hour gap between each notification message. Users can configure the amount of messages they receive over a period of time — this period of time is also configurable.

Unlock Account instructions

If your system does not support the automated Unlock Account feature, Moveworks can be configured to recognize when a user is asking for help unlocking their account, and send self-service instructions on how to do so (see "Instructions for unlocking your account" above) .

FAQ

Q: I’m worried the Unlock Account feature is not secure. How does it work?

A: Only employees who are logged into their chat accounts will receive proactive notifications to unlock their account. Access to chat requires users to log in to chat with their SSO Credentials, following all security policies that your organization has in place, including but not limited to MFA, session-based lifetime policies, etc.

Reset Password

When users cannot recall their current password, the Moveworks bot can help them reset it so they can regain access to their systems or applications.

📘

Moveworks does not ask for or handle users’ passwords.

Reset SSO password

If a user forgot their main password, they can reset it by sending the bot a message indicating they need to make a new one. An example could be, “I forgot my password” or “need to reset password”. Because they do not specify the system the password belongs to, the bot will initiate a reset of their SSO password by default. Then, the user can click on Recover access in the bot’s response to confirm. Then, the user can click on Click here to reset your password in the bot’s reply to visit a browser portal to create a new SSO password.

Configuration options

Password Reset self-service instructions

Moveworks can be configured so that when a user asks for help to reset the password for systems or applications not managed by their organization’s main authenticating system, the bot will know to send self-service instructions on how the user can reset the password.

Reset MFA

When a user loses or replaces their device, the Moveworks bot can assist in resetting their multi-factor authentication (MFA) if they no longer have access to the old device.

Automated MFA Reset

When a user tells the bot they need to reset MFA, then selects Yes, reset MFA, the bot autonomously reset a user’s MFA by removing their factors from their organization’s system. Once it’s done, the bot will send the user a message saying Reset complete! along with a link to a browser portal where they can set up MFA on their new device. If they choose not to click on the link, the next time the user logs into their organization’s MFA system they will be prompted to set it up.

MFA Instructions

For organizations that use more than one default MFA system or do not have automated MFA reset available, Moveworks can also link users to knowledge articles with self-service instructions on resetting MFA. And when users tell the bot they need to reset MFA, or asks “How to reset MFA?”, the bot will reply with a link to an article found within their organization’s knowledge base on the topic. Then, the user can select View answer and the bot will send the instructions as a follow up message.

FAQ

Q: Does MFA Reset support single and all factor reset?

A: Yes, single-factor MFA reset and all-factor MFA reset are supported in the Moveworks bot.

Password Expiry Notifications

As the expiration date for passwords approaches, the Moveworks bot can also proactively notify users to renew their passwords.

Password Expiry notifications

The Moveworks bot can send users a gentle reminder to renew their passwords before they expire. The reminder is sent out at 10:00AM PT, and contains the exact date and time the password will expire. It also gives the user the following options:

  • Already updated: Tells the bot to stop sending reminders, whether they have changed their password already or not.
  • Remind me later: Tells the bot to not remind the user again until the day before their password is set to expire.
  • Do not remind me again: Tells the bot to stop sending reminders to renew their password.
  • Open a ticket: Tells the bot to open a support ticket for the user.

📘

If your system is not enabled for automated password resets, the bot can still send self-service instructions on how the user can reset their password before it expires.

Password Expired notification

When a user’s password has expired, Moveworks sends a notification to let them know that their password is no longer valid, along with instructions to update it and a link to a browser portal where they can do so.

📘

Note that Password Expired notifications are only available for Active Directory.

Configuration options

First notification day: The number of days before users are sent their first password renewal reminder can be configured. After the first reminder, the number of days between reminders decreases by half. For example, if the first reminder is set to start 14 days (the default) before expiration, subsequent reminders are sent out 7, 4, 2, and 1 days beforehand. If the first reminder is sent out 30 days before expiration, subsequent reminders will arrive 15, 8, 4, 2, and 1 days before.

Weekend Reminders: Password expiry reminders can also be configured to be sent or not sent on weekends. In this case, weekends are considered to be Saturday and Sunday (other regional weekend definitions are not taken into account).

Message text: The content of the password expiry reminder is configurable to fit the user’s organization’s needs. If the user’s system is not enabled for automated password resets, the reminder can be configured to contain self-service instructions to the user on how to reset their password before the expiration date.

FAQ

Q. What is considered a resolution?

A: As soon as the user clicks on the link in the password expiry reminder, Moveworks considers this issue resolved and will cease to remind the user to change their password.

However, if only instructions on how to reset the user’s password are sent out, the bot will wait 24 hours before reminding the user again. If the user updates their password within 24 hours of receiving a reminder the bot also considers the issue resolved, and ceases to remind the user to change their password.

Contractor Expiry Notifications

As a contingent worker’s contracted period comes to a close, Moveworks can remind managers to either renew or extend contracts via chat. This gives them more time to take action before their employee’s contract expires. Managers are reminded on a 14, 7, 4, 2, and 1 day schedule, this schedule cannot be configured. Notifications are sent at approximately 11:00 AM PT.

When managers receive the notification via chat, they have a few options on what to do next. They can select:

  • How to Extend: The bot will send detailed instructions on how to renew or extend the contingent worker’s contract.
  • How to Terminate: The bot will send detailed instructions on how to end a contingent worker’s contract.
  • ️️Understood, thanks: The user can acknowledge the reminder and dismiss the bot.

📘

Moveworks only sends a single type of notification for this skill. Temporary roles within your organization that you want to exclude from the reminder, such as interns, need to be identified beforehand.

Configuration Options

The content of the contractor expiry message can be configured to meet your organization’s needs. The amount of information shown be can also be configured. Administrators can configure how many contingent workers to show in the reminder message. By default the maximum number of workers shown when managers select Show more is four. But Moveworks can be configured to show the full list of employee contracts expiring soon.

FAQ

Q: How does Moveworks identify expiring contractors?

A: Moveworks reads contingent worker expiry data stored within your Identity Management System.

Q: How often does Moveworks poll for expiring contractors?

A: The query will run once daily, before 11:00 AM PT. Moveworks will then group contractors who are expiring and send the notification to their respective manager.

Q: What is considered a resolution for this skill?

A: If the manager selects any one of the buttons, e.g. “How to Extend,” “How to Terminate,” or “Understood, Thanks”, then Moveworks counts this as resolved for the day, regardless of the number of contractors in the message.