Access Account
Overview
Moveworks Access Account provides users with a secure channel to self-service their login issues.
Access Account is composed of these key features:
- Unlock Account — Alert users when they’re locked out of their accounts and help them regain access.
- Password Reset — Help users with self-service password resets.
- MFA Reset — Help users initiate MFA resets when a mobile device is lost or replaced.
- Password Expiry — Notify users when their passwords are about to expire, and when their passwords have already expired.
Some of the above features can only be activated by a user messaging the Moveworks Assistant (MFA Reset) or by a system event occurring (Password Expiry), while others can be activated by both (Unlock Account).
Unlock Account
When a user is locked out of their account after multiple failed login attempts, they can reach out to the Moveworks Assistant to regain access. Once their account is unlocked, they can use their current password to get back in.
Lockout Notification
By polling your identity management system, the Moveworks Assistant can notify users about a lockout within seconds of it occurring. Here’s how it works: First, the user receives a notification from the Moveworks Assistant alerting them to the lockout, then the Moveworks Assistant offers assistance. From here, the user can then click on:
- Yes: To have the Moveworks Assistant unlock their account.
- No: To dismiss the Moveworks Assistant.
When they select Yes, the Moveworks Assistant will send another message to let them know that their account is unlocked. The user can also reply to the notification with an affirmation like “sure” or “okay” to get the Moveworks Assistant to unlock their account. From there, they can log in with their current password. The Moveworks Assistant will also create an IT help desk ticket to to track their request.
Initiating Unlock Account
In the event of a lockout, users can ask the Moveworks Assistant in-chat to unlock their account for them. The Moveworks Assistant will respond to the user’s request by providing 3 options:
- Yes: To have the Moveworks Assistant unlock their account.
- Edit Request: To select the user and account type they would like to unlock the account for.
- Cancel: To end the conversation and start over again.
When a user clicks Yes the Moveworks Assistant will unlock the account, and notify the user. Then they will be able to access their account by logging in with their current password.
Adding Instructions to unlock employee's account
Moveworks does not yet integrate into every identity management system, but the Moveworks Assistant can still help users regain access to their accounts, even if their organization’s system is not enabled for automated account unlock.
When users ask the Moveworks Assistant to unlock their account, the Moveworks Assistant replies with detailed instructions on how to do so. This could come in the form of a link or a piece of information taken directly from their organization’s knowledge base, conveniently sent as a chat message to the user.
Notification + Instructions
There also may be scenarios where an organization would like to notify users that their account is locked (through an integration with the identity management system), but instead of allowing the user to automatically unlock their account through the Moveworks Assistant, the preference is to provide users instructions and/or a link to a portal instead. This is also supported; however, note that in this case, the user will only receive the instructions upon clicking "Yes" to the Moveworks Assistant's initial notification message. The instructions cannot be provided in the initial message.
Configuration options
Lockout notifications
Check for lock out
By default, the Moveworks Assistant checks for locked out users every 30 seconds. You can configure the amount of time the Moveworks Assistant checks for locked out users (i.e. every 60 seconds, every 90 seconds, etc.).
Rate limiting
By default users will be notified of an account lockout at four times a day at most, with a six hour gap between each notification message. Users can configure the amount of messages they receive over a period of time — this period of time is also configurable.
Unlock Account instructions
If your system does not support the automated Unlock Account feature, Moveworks can be configured to recognize when a user is asking for help unlocking their account, and send self-service instructions on how to do so (see "Instructions for unlocking your account" above) .
Password Reset
When users forget their password, the Moveworks Assistant can help them reset it so they can regain access to their systems or applications.
Important
Processes that involve sensitive actions, such as password resets, often require direct integration with an organization’s identity management systems and adherence to strict security protocols.
Therefore Moveworks does not handle nor ask for user's password directly in chat, and instead will link out to the relevant portal(s) and/or provide instructions.
Reset SSO password
If a user forgot their main password, they can reset it by sending the Moveworks Assistant a message indicating they need to make a new one. An example could be, “I forgot my password” or “need to reset password”. Because they do not specify the system the password belongs to, the Moveworks Assistant will initiate a reset of their SSO password by default.
Configuration options
Password Reset instructions
Moveworks can be configured so that when a user asks for help to reset the password for systems or applications not managed by their organization’s main authenticating system, the Moveworks Assistant will know to send self-service instructions on how the user can reset the password.
MFA Reset
When a user loses or replaces their device, the Moveworks Assistant can assist in resetting their multi-factor authentication (MFA) if they no longer have access to the old device.
Automated MFA Reset
When a user tells the Moveworks Assistant they need to reset MFA, then selects Yes, reset MFA, the Moveworks Assistant autonomously reset a user’s MFA by removing their factors from their organization’s system. Once it’s done, the Moveworks Assistant will send the user a message saying Reset complete! along with a link to a browser portal where they can set up MFA on their new device. If they choose not to click on the link, the next time the user logs into their organization’s MFA system they will be prompted to set it up.
MFA Instructions
For organizations that use more than one default MFA system or do not have automated MFA reset available, Moveworks can also link users to knowledge articles with self-service instructions on resetting MFA. And when users tell the Moveworks Assistant they need to reset MFA, or asks “How to reset MFA?”, the Moveworks Assistant will reply with a link to an article found within their organization’s knowledge base on the topic. Then, the user can select View answer and the Moveworks Assistant will send the instructions as a follow up message.
Important
The Moveworks Assistant supports both single-factor MFA reset and all-factor MFA reset.
Password Expiry
As the expiration date for passwords approaches, the Moveworks Assistant can also proactively remind users to renew their passwords.
Important
If your system is not enabled for automated password resets, the Moveworks Assistant can still send self-service instructions on how the user can reset their password before it expires.
Configuration options
First notification day: The number of days before users are sent their first password renewal reminder can be configured. After the first reminder, the number of days between reminders decreases by half. For example, if the first reminder is set to start 14 days (the default) before expiration, subsequent reminders are sent out 7, 4, 2, and 1 days beforehand. If the first reminder is sent out 30 days before expiration, subsequent reminders will arrive 15, 8, 4, 2, and 1 days before. The reminder is sent out at 10:00AM PT.
Weekend reminders: Password expiry reminders can also be configured to be sent or not sent on weekends. In this case, weekends are considered to be Saturday and Sunday (this is a fixed setting, irrespective of country).
Change password instructions: If your system is not enabled for automated password resets, the Moveworks Assistant can serve the self-service instruction to the end user on how to reset their password before it expires. Please note that the self-service instruction is served after use clicks on the “Change password” button.
How is the Moveworks Assistant experience different from Moveworks Classic?
Buttons: Moveworks Assistant only supports 2 buttons: Change password and Ignore. Buttons are not configurable
Message Text: The content of the password expiry reminder is not configurable. However, if the customer has self-service instructions, they will be served after the user clicks on Change password button
Button behavior - Change password: Depending on configuration, the Change password button will either complete the change password workflow, or serve a self-service instruction to the user.
Button behavior - Ignore: We won't notify this user again during this password reset cycle, but we will reach out again on the next cycle. So for example, if passwords expire every 180 days in your organization, a user would receive a new notification in ~180 days when their passwords are about to expire again.
What are the potential variations in the experience?
- Sometimes, when user clicks on the
Change passwordbutton from the password expiry notification, the self-service instruction is not served.- Because the Moveworks Assistant is a flexible conversational reasoning engine, the way we designed the buttons are “utterance buttons”. The result of clicking on an utterance button is the same as passing the Assistant a user utterance or query. The benefit of this design is to ensure the Moveworks Assistant’s conversational ability and context is maintained. The downside of this approach, however, is the Moveworks Assistant’s behavior might not be deterministic, just like how a user might get a slightly different answer even if they entered the exact same query.
- If you did not get the desired response in the first time, try asking the Moveworks Assistant "I want to change my password" again.
- Sometimes, the Assistant might claim to unlock an account that it is not integrated with.
- For unlock account, password reset, and reset MFA requests, the Assistant is designed to only unlock/reset accounts the assistant is connected with, such as Okta, Azure AD, etc.
- If you try to unlock or reset a password or MFA with a system your bot is not connected with you may experience an error. To provide an example of when this can occur, sometimes users might ask the Assistant to help with an account that the Assistant does not have access to, such as Apple account, Fidelity account, etc. When this happens, the Assistant try to pick the plugin that can best solve the user's issue, without knowing whether the plugin is connected with those systems. Once the plugin (in this case, unlock account plugin) is selected, Assistant is designed to proceed with unlock the identity account it integrated with (like Okta). However, the LLM remembers the user's query and will try to cater its response that best addresses the user's request. So while the Assistant unlocks the Okta account in the back end, the LLM might respond to the user and say "I'm about to unlock your Fidelity account for you.." This is not ideal to the end users as the Assistant is claiming something it is not able to do.
- This is an known limitation and our team is working on abiding the Assistant's claim to its actions.
FAQs
Q: Does the Moveworks Assistant still support Contractor Expiry?
- The Moveworks Assistant does not support Contractor Expiry out of the box; however, you can build this through Creator Studio.
Updated 5 days ago