5.5 Passphrase Security System Scenarios
The information provided in this section describes the user experience in environments where the passphrase security system has been enabled and disabled.
Scenario 1: The passphrase security system is disabled in a previously enabled environment
When the passphrase security system is disabled in an environment where it was previously enabled, the following message appears to users the next time they log in.
Figure 5-1 Passphrase Security Prompt
If the user clicks , the disabling of the passphrase security system is approved and the user is prompted for the current password. The approval is complete when the user provides the password.
If the user click , the passphrase security system disabling is delayed and the user is prompted with the message until he or she clicks to approve the change.
NOTE:Users must answer the passphrase answer to prevent the administrators to toggle this preference and allow an unauthorized user access Novell SecureLogin.
Scenario 2: The passphrase security system is re-enabled in a previously disabled environment
If the passphrase security system is re-enabled, the Passphrase Setup dialog box is displayed (similar to when a user logs in for the first time after installing Novell SecureLogin.)
If the user clicks , the user resets the passphrase question and answer.
If the user clicks , there is a delay in enabling the passphrases for the user’s workstation. The user is prompted at subsequent log ins until he or she specifies a passphrase question and answer.
Scenario 3: The passphrase security system is disabled and the user has changed his or her passwords (restrictions for moving user objects)
If you reset the user’s password when the passphrase security system is disabled:
-
In an LDAP-compatible and eDirectory (with SecretStore) modes, you cannot move the user object to another organizational unit until that user has logged in to Novell SecureLogin on his or her workstation. You must move the object back to its previous location to enable the user to run Novell SecureLogin.
-
In an Active Directory mode, you can move the user object within the directory. However, copying is limited. If the user object is moved, you must move the object back to its previous location to enable the user to run Novell SecureLogin.
Scenario 4: Forgotten Passphrase
If a user forgets SecureLogin data, including his or her passphrase or passphrase answer, you must delete the user’s existing SecureLogin datastore.
After the datastore is deleted, the user’s corporate applications, credentials, preferences, and user policies are permanently removed. You must then reset the user’s corporate password before he or she can log in and reconfigure the applications by using Novell SecureLogin.
The next time Novell SecureLogin starts, he or she must manually log in. Novell SecureLogin then detects that a passphrase is not set and prompts the user to set up the passphrase before continuing. You can create a list of predefined list of passphrases questions.
After the user has set a new passphrase, he or she must re-enter the application usernames and passwords. If it is not done, an unauthorized could breach security by clearing the passphrase, entering a new passphrase, and accessing the actual user’s credentials.
You might need to reset the user’s application passwords as they might have forgotten them.