Dave Kearns points to a product called Random Password Manager that can create random passwords for use with administrative accounts. It seems to be similar to the Secret Server product I blogged about here.
Dave talks about the use case of having the password management system give an IT administrator a clear text version of the password, which then gets automatically reset to a new unknown value. This is a crude approximation of an OTP.
While this is a great idea, it is limited by the password management product's ability to set the password directly on the specific system. For systems that use AD authentication (or other LDAP) this isn't difficult. But for systems such as RACF, SAP, Siebel, etc., it's very difficult for a vendor to maintain all the connectors.
If this kind of functionality gets popular, I would expect these companies to start to set up partnerships with the IdM companies that maintain connectors to all of these systems. Many of the IdM systems have SPML interfaces for invoking password changes on the managed systems.
Another aspect to this would be to integrate one of the Enterprise SSO products such as Passlogix vGo into the mix. The admin password could be set in the ESS repository and replayed for the user without the user ever even seeing it.
Nishant Kaushik of Oracle has some thoughts about this here.
[Full Disclosure: I am a SW Architect for the BMC Identity Management suite, which does password management, although it does not support the kinds of functionality in these products. BMC currently has no partnership with Lieberman Software or Thycotic Software. BMC does have a reselling agreement with Passlogix.]