1.3 Understanding Challenge-Response Storage Methods

Self Service Password Reset supports the following locations to store users’ challenge-responses:

  • LDAP directory

  • External database

  • Local database (test only)

    WARNING: Do not use the local database in a production environment as there are no methods to make the local database storage redundant, nor are there optimal backup methods available for the local database.

You can configure Self Service Password Reset to use any of the locations listed above to save users’ challenge-responses. When a user attempts to recover a forgotten password, Self Service Password Reset reads the locations that you have configured. It reads each configured location, in the order that you specify during configuration, until it finds responses that satisfy the relevant policy.

A valid policy must meet the requirements of the user’s current challenge-response policy. Challenge-responses are stored in the locale that the user’s browser selects while the user configures the responses. During the forgotten password recovery process, Self Service Password Reset uses answers in that same locale regardless of the browser’s locale settings. Self Service Password Reset uses a standardized XML format to store answers. Depending on the Responses Storage Hashing Method setting, Self Service Password Reset stores answers as plain text or one-way hashed (encrypted). The default method is PBKDF2WithHmacSHA512; the configurable options are:

  • None (Plain text)

  • MD5

  • SHA1

  • SHA-1 with Salt

  • SHA-256 with Salt

  • SHA-512 with Salt

  • PBKDF2WithHmacSHA1

  • PBKDF2WithHmacSHA256

  • PBKDF2WithHmacSHA512

  • BCrypt

  • SCrypt
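The following Python model is added here as an illustration and is not code from Self Service Password Reset. It implements the hashing choices listed above so that the difference between them can be observed: the unsalted methods (plain text, MD5, SHA1) produce the same stored value for every user who chooses the same answer, while the salted and PBKDF2 methods produce a different stored value on every enrollment and can still be verified against the stored salt. The record layout, the 16-byte salt, the PBKDF2 iteration count and the scrypt parameters are assumptions, not the product's storage format; BCrypt is omitted because it is not in the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of the "Responses Storage Hashing Method" options.
# Method names follow the page's list; everything below the names
# (salt size, iteration count, record layout) is an assumption.
PBKDF2_ITERATIONS = 100_000   # assumed; the page does not state the product's count
SALT_BYTES = 16               # assumed

_SALTED_DIGESTS = {
    "SHA-1 with Salt": "sha1",
    "SHA-256 with Salt": "sha256",
    "SHA-512 with Salt": "sha512",
}
_PBKDF2_DIGESTS = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA512": "sha512",
}


def hash_response(answer: str, method: str = "PBKDF2WithHmacSHA512",
                  salt: Optional[bytes] = None) -> dict:
    """Produce a storage record {method, salt (hex), value} for one answer.

    A fresh random salt is generated for salted methods unless one is
    supplied (verification supplies the stored salt).
    """
    data = answer.encode("utf-8")
    if method == "None (Plain text)":
        return {"method": method, "salt": "", "value": answer}
    if method in ("MD5", "SHA1"):
        # Unsalted, single-pass digest: identical answers give identical values.
        return {"method": method, "salt": "",
                "value": hashlib.new(method.lower(), data).hexdigest()}
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    if method in _SALTED_DIGESTS:
        value = hashlib.new(_SALTED_DIGESTS[method], salt + data).hexdigest()
    elif method in _PBKDF2_DIGESTS:
        value = hashlib.pbkdf2_hmac(_PBKDF2_DIGESTS[method], data, salt,
                                    PBKDF2_ITERATIONS).hex()
    elif method == "SCrypt":
        # Assumed parameters; requires an OpenSSL build with scrypt support.
        value = hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32).hex()
    else:
        raise ValueError(f"unsupported method: {method}")
    return {"method": method, "salt": salt.hex(), "value": value}


def verify_response(answer: str, record: dict) -> bool:
    """Recompute the answer with the stored method and salt, then compare
    in constant time so the comparison itself leaks no timing information."""
    salt = bytes.fromhex(record["salt"]) if record["salt"] else None
    candidate = hash_response(answer, record["method"], salt)
    return hmac.compare_digest(candidate["value"].encode("utf-8"),
                               record["value"].encode("utf-8"))


def stored_value_is_deterministic(method: str) -> bool:
    """True when two enrollments of the same answer yield the same stored
    value, i.e. the method gives no per-user salt."""
    first = hash_response("constructed answer", method)["value"]
    second = hash_response("constructed answer", method)["value"]
    return first == second


if __name__ == "__main__":
    record = hash_response("Blue")
    print(record["method"], "verifies:", verify_response("Blue", record))
    for name in ["None (Plain text)", "MD5", "SHA-256 with Salt", "PBKDF2WithHmacSHA512"]:
        print(f"{name}: same answer -> same stored value? {stored_value_is_deterministic(name)}")
```

Note that `verify_response` returns False for "blue" when "Blue" was enrolled: the model compares the exact bytes, and the page's locale rule above is the only normalization it describes.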

Self Service Password Reset can read password and challenge policies from eDirectory. After saving a user’s challenge-response answers, Self Service Password Reset can optionally write the challenge-response answers to the NMAS challenge-response format in addition to the configured methods. This enables interoperability of Self Service Password Reset with other products such as Novell Client for Windows.

NOTE: Self Service Password Reset does not save help desk challenge-response answers to NMAS. Self Service Password Reset always treats the NMAS-stored responses as additional responses: it prefers to read responses from, and must store them in, one of the non-NMAS formats to use the additional features of Self Service Password Reset responses.