Access Account

Please clarify which platforms are supported for OOTB MFA Reset skill. There is a CREST plugin guide for Azure MFA reset - so please clarify whether Azure MFA is supported OOTB or if it would be via CREST.

🚧

This covers Moveworks Copilot

Moveworks Copilot is the latest conversational experience

Overview

Moveworks Access Account provides users with a secure channel to self-service their login issues.

Access Account is composed of these key features:

  • Unlock Account — Alert users when they’re locked out of their accounts and help them regain access.
  • Password Reset — Help users with self-service password resets.
  • MFA Reset — Help users initiate MFA resets when a mobile device is lost or replaced.
  • Password Expiry — Notify users when their passwords are about to expire, and when their passwords have already expired.

Some of the above features can only be activated by a user messaging the Moveworks Copilot (MFA Reset) or by a system event occurring (Password Expiry), while others can be activated by both (Unlock Account).

Unlock Account

When a user is locked out of their account after multiple failed login attempts, they can reach out to the Moveworks Copilot to regain access. Once their account is unlocked, they can use their current password to get back in.

Lockout Notification

By polling your identity management system, the Moveworks Copilot can notify users about a lockout within seconds of it occurring. Here’s how it works: First, the user receives a notification from the Moveworks Copilot alerting them to the lockout, then the Moveworks Copilot offers assistance. From here, the user can then click on:

  • Yes: To have the Moveworks Copilot unlock their account.
  • No: To dismiss the Moveworks Copilot.

When they select Yes, the Moveworks Copilot will send another message to let them know that their account is unlocked. The user can also reply to the notification with an affirmation like “sure” or “okay” to get the Moveworks Copilot to unlock their account. From there, they can log in with their current password. The Moveworks Copilot will also create an IT help desk ticket to to track their request.

Initiating Unlock Account

In the event of a lockout, users can ask the Moveworks Copilot in-chat to unlock their account for them. The Moveworks Copilot will respond to the user’s request by providing 3 options:

  • Yes: To have the Moveworks Copilot unlock their account.
  • Edit Request: To select the user and account type they would like to unlock the account for.
  • Cancel: To end the conversation and start over again.

When a user clicks Yes the Moveworks Copilot will unlock the account, and notify the user. Then they will be able to access their account by logging in with their current password.

Adding Instructions to unlock employee's account

Moveworks does not yet integrate into every identity management system, but the Moveworks Copilot can still help users regain access to their accounts, even if their organization’s system is not enabled for automated account unlock.

When users ask the Moveworks Copilot to unlock their account, the Moveworks Copilot replies with detailed instructions on how to do so. This could come in the form of a link or a piece of information taken directly from their organization’s knowledge base, conveniently sent as a chat message to the user.

Notification + Instructions

There also may be scenarios where an organization would like to notify users that their account is locked (through an integration with the identity management system), but instead of allowing the user to automatically unlock their account through the Moveworks Copilot, the preference is to provide users instructions and/or a link to a portal instead. This is also supported; however, note that in this case, the user will only receive the instructions upon clicking "Yes" to the Moveworks Copilot's initial notification message. The instructions cannot be provided in the initial message.

Configuration options

Lockout notifications

Check for lock out

By default, the Moveworks Copilot checks for locked out users every 30 seconds. You can configure the amount of time the Moveworks Copilot checks for locked out users (i.e. every 60 seconds, every 90 seconds, etc.).

Rate limiting

By default users will be notified of an account lockout at four times a day at most, with a six hour gap between each notification message. Users can configure the amount of messages they receive over a period of time — this period of time is also configurable.

Unlock Account instructions

If your system does not support the automated Unlock Account feature, Moveworks can be configured to recognize when a user is asking for help unlocking their account, and send self-service instructions on how to do so (see "Instructions for unlocking your account" above) .

Password Reset

When users forget their password, the Moveworks Copilot can help them reset it so they can regain access to their systems or applications.

🚧

Important

Processes that involve sensitive actions, such as password resets, often require direct integration with an organization’s identity management systems and adherence to strict security protocols.

Therefore Moveworks does not handle nor ask for user's password directly in chat, and instead will link out to the relevant portal(s) and/or provide instructions.

Reset SSO password

If a user forgot their main password, they can reset it by sending the Moveworks Copilot a message indicating they need to make a new one. An example could be, “I forgot my password” or “need to reset password”. Because they do not specify the system the password belongs to, the Moveworks Copilot will initiate a reset of their SSO password by default.

Configuration options

Password Reset instructions

Moveworks can be configured so that when a user asks for help to reset the password for systems or applications not managed by their organization’s main authenticating system, the Moveworks Copilot will know to send self-service instructions on how the user can reset the password.

MFA Reset

Please clarify which platforms are supported for OOTB MFA Reset skill. There is a CREST plugin guide for Azure MFA reset - so please clarify whether Azure MFA is supported OOTB or if it would be via CREST.

When a user loses or replaces their device, the Moveworks Copilot can assist in resetting their multi-factor authentication (MFA) if they no longer have access to the old device.

Automated MFA Reset

When a user tells the Moveworks Copilot they need to reset MFA, then selects Yes, reset MFA, the Moveworks Copilot autonomously reset a user’s MFA by removing their factors from their organization’s system. Once it’s done, the Moveworks Copilot will send the user a message saying Reset complete! along with a link to a browser portal where they can set up MFA on their new device. If they choose not to click on the link, the next time the user logs into their organization’s MFA system they will be prompted to set it up.

MFA Instructions

For organizations that use more than one default MFA system or do not have automated MFA reset available, Moveworks can also link users to knowledge articles with self-service instructions on resetting MFA. And when users tell the Moveworks Copilot they need to reset MFA, or asks “How to reset MFA?”, the Moveworks Copilot will reply with a link to an article found within their organization’s knowledge base on the topic. Then, the user can select View answer and the Moveworks Copilot will send the instructions as a follow up message.

🚧

Important

The Moveworks copilot supports both single-factor MFA reset and all-factor MFA reset.

Password Expiry

As the expiration date for passwords approaches, the Moveworks Copilot can also proactively remind users to renew their passwords.

🚧

Important

If your system is not enabled for automated password resets, the Moveworks Copilot can still send self-service instructions on how the user can reset their password before it expires.

Configuration options

First notification day: The number of days before users are sent their first password renewal reminder can be configured. After the first reminder, the number of days between reminders decreases by half. For example, if the first reminder is set to start 14 days (the default) before expiration, subsequent reminders are sent out 7, 4, 2, and 1 days beforehand. If the first reminder is sent out 30 days before expiration, subsequent reminders will arrive 15, 8, 4, 2, and 1 days before.

Weekend reminders: Password expiry reminders can also be configured to be sent or not sent on weekends. In this case, weekends are considered to be Saturday and Sunday (this is a fixed setting, irrespective of country).

Change password instructions: If your system is not enabled for automated password resets, the Moveworks Copilot can serve the self-service instruction to the end user on how to reset their password before it expires. Please note that the self-service instruction is served after use clicks on the “Change password” button.

How is the Moveworks Copilot experience different from Moveworks Classic?

Buttons: Moveworks Copilot only supports 2 buttons: Change password and Ignore. Buttons are not configurable

Message Text: The content of the password expiry reminder is not configurable. However, if the customer has self-service instructions, they will be served after the user clicks on Change password button

Button behavior - Change password: Depending on configuration, the Change password button will either complete the change password workflow, or serve a self-service instruction to the user.

Button behavior - Ignore: We won't notify this user again during this password reset cycle, but we will reach out again on the next cycle. So for example, if passwords expire every 180 days in your organization, a user would receive a new notification in ~180 days when their passwords are about to expire again.

What are the potential variations in the experience?

  1. User clicks on the Change password button, but the self-service instruction is not served.
    1. Because the Moveworks Copilot is a flexible conversational reasoning engine, the way we designed the buttons are “utterance buttons”. The result of clicking on an utterance button is the same as passing the copilot a user utterance or query. The benefit of this design is to ensure the Moveworks Copilot’s conversational ability and context is maintained. The downside of this approach, however, is the Moveworks Copilot’s behavior might not be deterministic, just like how a user might get a slightly different answer even if they entered the exact same query.
    2. If you did not get the desired response in the first time, try asking the Moveworks Copilot "I want to change my password" again.

FAQs

Q: Does the Moveworks Copilot still support Contractor Expiry?

  • The Moveworks Copilot does not support Contractor Expiry out of the box; however, you can build this through Creator Studio.