Getting Started

• What is the Self Service Password Reset service?

  Self Service Password Reset is a self service password and authentication method management option that is available to all Lilly workers and contingent workers. The portal is externally facing and replaces the ability of the Service Desk to reset passwords.

• What is Multi-factor Authentication (MFA)?

  Multi-factor authentication (MFA), sometimes called two-factor authentication (2FA), is a security system that requires more than one method of authentication. MFA allows you to authenticate from various devices and/or methods.

• What languages does Self Service Password Reset support?

  Self Service Password Reset supports the following languages if you have the language selected in your browser or device:

  English, Spanish (Latin America), French, German, Italian, Portuguese (Brazil), Turkish, Simplified Chinese, Japanese, and Korean

  Additional languages may be supported by the underlying Azure AD service supporting authentication methods and password reset.

• Is MFA required to access Lilly applications?

  We don’t force authentication from a compliant device; however, a user will not be exempt from MFA based on device compliance in Q1 of 2024.

  For Personal Privilege Accounts Device Compliance + MFA will be mandatory in Q1 of 2024. We will also allow authentications via Privilege Session Manager and Citrix.

• What authentication methods are supported for MFA and Self Service Password Reset?

  Multi-factor authentication and Self Service Password Reset share many authentication methods. These include:

  Microsoft Authenticator App. The Microsoft Authenticator mobile app is supported on iOS, iPadOS, and Android mobile devices. The Microsoft Authenticator app is primarily used to approve authentication via a push notification. The app also provides a secondary option using a one-time password.

  Windows Hello for Business. Windows Hello for Business, using PIN or biometric gestures, can be used to meet the requirements for MFA and is the recommended sign on option for Lilly-provided personal Windows computers. This method is not supported for SSPR.

  FIDO2 security key. This is the easiest passwordless method. Lilly employees can order a YubiKey 5 FIPS series security key at this link. Once received, follow these instructions to set up your security key.

  Phone-based Passwordless. Phone-based passwordless authentication can be used to meet the requirements for MFA and is the recommended sign-in option for Lilly-provided macOS computers, iPhones, and iPads. Phone-based Passwordless is also recommended for use by contingent workers using their own company-provided business computers and Lilly employees using personal computers at home. This method is not supported for SSPR.

• Can I delete the PingID app from my device?

  Not all applications have migrated from the PingFederate platform to Azure AD for federation. The PingID app will still be required for these applications.

  All applications will be migrated off PingID by the end of calendar year 2024.

General

• What are the available URLs for password management at Lilly?

  Password management at Lilly is currently branded as Self Service Password Reset (SSPR). Therefore, the primary URL is https://sspr.lilly.com. However, we also established https://password.lilly.com as a vanity URL so either one will work.

• How do I obtain support if I am having an issue?

  Please review these Frequently Asked Questions and/or the available Job Aids for assistance.

  If you don't see your question addressed, we encourage you to post it to the Adopting Identity Services community on Viva Engage.

  For technical assistance not addressed in the FAQs or Job Aids, please contact the appropriate Lilly IT Service Desk for your region to open an incident and have it assigned to the MFA-SUPP-GLB queue for assistance.

• What should I do if I receive a Bitlocker Recovery screen while attempting to start my device?

  If you receive a Bitlocker Recovery screen while starting your device, you will need to request a recovery key by following the instructions in this Bitlocker Self-Recovery Article.

• How can I avoid a possible account lockout problem?

  We recommend monitoring your email for notifications that your Lilly account password is about to expire and complete the steps to reset your password.

  If you have a Lilly-provided computer, we recommend you change your password from your Lilly computer before it expires by following these steps:

  1. Press Ctrl+Alt+Delete.
  2. Select CHANGE PASSWORD.
  3. Enter Old password, Create new password, and Confirm new password.
  4. Select Submit.

• When trying to reset my password, I receive the message "Please enable cookies in your browser". How can I correct this issue?

  Please ensure the "Block third-party cookies" setting is disabled.

  On Microsoft Edge, this setting can be found in Settings under "Cookies and site permissions" and select "Manage and delete cookies and site data".

• I have my sign-in methods registered. Why was I just prompted with "Your organization needs more information" and routed to verify my authentication information?

  To ensure data accuracy, you will be asked to re-confirm your registered authentication methods every 180 days.

• What should I do if the organization I work for also uses Office 365?

  You will need to use a private browser session to prevent your company credentials from being used or create a separate profile so the browser can remember that you have logged on to Lilly.

  To open a private browser session, do the following:

  • On an Edge browser select the three dots in the upper right corner, then select New InPrivate window.
  • On a Chrome browser select the three dots in the upper right corner, then select New Incognito window.

  To create a separate profile, do the following:

  • On an Edge browser select the three dots in the upper right corner, then select Settings, then select + Add profile.
  • On a Chrome browser select the person icon in the upper right corner, then select + Add."

Passwords

• How do I change my password?

  Please follow the instructions in the How to Change your Password job aid.

• Can I still use Ctrl+Alt+Delete to change my password?

  Yes. This feature is available on Lilly-provided Windows computers. Once you enter Ctrl+Alt+Delete you will select Change a Password which will redirect you to change your account password directly from your Security info page. This is the preferred method for Windows 10.

• When I change or reset my password, which account is changed or reset?

  Self Service Password Reset will only change or reset the password for your standard user account associated with your Username/Email Address (Lilly System ID). If you access other applications that do not use the Lilly Single Sign-on Service, your account password cannot be changed via the SSPR site.

• How do I help my employee change their password?

  For step-by-step instructions on how to authenticate an employee or contingent worker, follow the instructions in this article.

Microsoft Authenticator

• What kinds of mobile devices are supported for Microsoft Authenticator?

  Microsoft Authenticator is supported on iPhones, iPads, and Android for MFA using push notifications or verification codes.

  Employees and Contingent Workers with iOS or Android mobile devices can configure Microsoft Authenticator for passwordless authentication. More information about this use case can be found on the Discovering IT portal.

• How many devices can be registered to use Microsoft Authenticator?

  Users can register up to five authenticator apps, including Microsoft Authenticator, at a time.

Security Keys

• Are security keys supported for MFA or SSPR?

  Security keys provided by Lilly after March 2023 (YubiKey 5 and YubiKey Bio devices) are supported in Entra ID (formerly Azure AD) as a FIDO2 passwordless sign-in method. They can be used to sign in to any application using Lilly Single Sign-on, including Microsoft Office 365. Follow this job aid to set up and begin using your FIDO2 Security Key.

  Security keys cannot be used directly for self-service password reset. A different sign-in method for this purpose, such as Microsoft Authenticator is required. But they can be used to change your password at My Sign-Ins (Microsoft.com).

Security Questions to be Retired by the end of 2024

• Who has access to my security questions and answers?

  Security questions and answers are stored privately and securely within the directory. Security questions and answers are not able to be read or modified by other users.

• Are security answers case sensitive? What are other requirements of security answers?

  Yes, answers to security questions are case sensitive.

  Answers to security questions must be at least three (3) and at most forty (40) characters in length. Any valid Unicode character may be used in an answer.

  The same answer cannot be provided to more than one security question.

• What is the acceptable date format for security answers?

  There is no mandatory format for dates in security answers. It is recommended to use a consistent format such as DD-MMM-YYYY (e.g., 01-JAN-2017) to ease answering the question during a password reset.

• How many security questions are required for registration? How many questions are required to be answered for a password reset?

  Security questions are an optional authentication method to use for Self Service Password Reset.

  If selected for registration, you will be required to register five (5) security questions and answers.

  When used for password reset, you will be required to successfully answer three (3) of your five (5) registered questions.

• What if I forgot the answers to my security questions and cannot reset my password?

  You will need to contact your Lilly manager or sponsor who will need to verify your identity using the instructions in the How to Authenticate a User process.

Personal Privileged Accounts (PPAs)

• What are the differences for MFA and SSPR between a standard account and a PPA?

  The user authentication experience will be largely the same when comparing standard user accounts and PPAs. Certain authentication methods may be restricted from PPAs. Current restricted methods include:

  Phone-based passwordless. Phone-based passwordless can be configured for multiple accounts on an iOS device. On an Android device, it is currently limited to a single account per device. Note, the Microsoft Authenticator app can still be used for MFA (via push notification or one-time passwords) for multiple accounts on the same device.

  PPAs will not be configured for SSPR, as PPA passwords should be managed in CyberArk.