
JIT computer accounts

Automatic password rotation

Idemeum automatically rotates the password for each JIT computer account

Overview

Technicians log in to customer workstations with named or shared local admin accounts. When accessing a workstation, technicians use idemeum Passwordless MFA to log in or elevate with biometrics and certificates. This means that technicians are never exposed to local admin account passwords. However, idemeum still implements additional password measures to secure these accounts.

Strong account passwords

When technicians access a workstation for the first time or request an Entra ID account, idemeum creates a named account or a shared account, depending on which login mode is configured for the customer tenant. For this account idemeum generates a random 12-character password. For instance, this is an example of a password that idemeum will generate: B1{9mv4o:?J9. This type of password is very secure and impossible to crack today.

Automatic password rotation

What is more, idemeum automatically rotates passwords for all named or shared accounts behind the scenes. Today we rotate the password at technician login. For instance, when a technician logs into the workstation with Passwordless MFA, once the user is verified, the desktop client automatically rotates the password to a new 12-character password before login. This process repeats when the technician logs into the workstation again.
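
The generate-then-rotate-at-login flow described above, as an added sketch that is not idemeum's code. The 94-symbol alphabet, the requirement that every character class appears, and the names LocalAccount and technician_login are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: printable ASCII without space (94 symbols); the page gives no charset.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
LENGTH = 12  # password length stated on the page


def generate_password(length=LENGTH):
    """Draw from the OS CSPRNG; redraw until every character class is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length=LENGTH, alphabet_size=len(ALPHABET)):
    """Upper bound in bits for a uniformly random password (about 78.7 here)."""
    return length * math.log2(alphabet_size)


class LocalAccount:
    """Hypothetical in-memory stand-in for a workstation local admin account."""

    def __init__(self, name):
        self.name = name
        self._password = generate_password()
        self.rotations = 0

    def check(self, password):
        # Constant-time comparison of the presented and stored password.
        return secrets.compare_digest(password, self._password)

    def rotate(self):
        self._password = generate_password()
        self.rotations += 1
        return self._password


def technician_login(account, mfa_verified):
    """Rotate only after MFA succeeds, then log in with the fresh password."""
    if not mfa_verified:
        raise PermissionError("MFA verification failed; password left unchanged")
    fresh = account.rotate()
    return account.check(fresh)
```

Because rotation happens on every verified login, a password captured from an earlier session stops authenticating as soon as the next technician login completes.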