4.3 Configuring Forgotten Password

The Forgotten Password feature allows users to recover a forgotten password without contacting helpdesk. After enabling this feature, users get the Forgotten Password button on the login page.

You can also set up policies for Forgotten Password. This feature uses challenge-response authentication to let users recover their passwords: it prompts users for their challenge set and, on success, allows a password change. Requiring a user to answer challenge questions before receiving a forgotten password provides an additional level of security.

To make the Forgotten Password button work, ensure the following:

You can also set up actions that Forgotten Password performs during the password recovery process.

NOTE: (Only when the back-end directory is Active Directory) When users change their passwords, SSPR considers the password history only when the Minimum Password Age is set to 0 in Active Directory and proxy is disabled. If Minimum Password Age is non-zero, it is recommended that users change the password through the email token to the password history.

This section includes the following topics:

4.3.1 Enabling Forgotten Password Recovery

  1. In Configuration Editor, click Modules > Forgotten Password.

  2. Select the Enable Forgotten Password check box.

  3. Click Actions > Save.

4.3.2 Selecting a Forgotten Password Action

You can configure SSPR to select an action to take when the user completes the forgotten password process.

SSPR provides the following options:

  • Allow user to reset password: After answering challenge questions to prove their identity, users can change to a new password. Because the user has authenticated through answering the challenge questions, the user can change the password without being required to provide the current password. To use this option, you must require a challenge set and the user must have set up challenge-response by answering the challenge questions.

  • Email new password to user: After answering challenge questions, the user receives the new password in an email. To enable this option, configure SMTP email server.

    For more information about how to configure email settings, see Section 3.7, Configuring Email Notification Settings.

  • SMS new password to user: After answering challenge questions, the user receives the new password through an SMS.

    For more information about how to configure SMS settings, see Section 3.8, Configuring SMS Notification Settings.

  • Email and SMS new password to user: After answering challenge questions, the user receives both an email and an SMS containing the new password.

Perform the following steps:

  1. In Configuration Editor, click Modules > Forgotten Password.

  2. Select an action from the Forgotten Password Recovery Mode list.

  3. Click Actions > Save.

4.3.3 Configuring Other Settings

Apart from enabling the Forgotten Password feature, configuring token settings, and configuring actions, you can configure various other settings for this feature.

  1. In Configuration Editor, click Modules > Forgotten Password.

  2. Click View > Always Show Advanced Settings to see and configure the advanced settings.

  3. Configure the settings:

    Setting

    Description

    Forgotten Password User Search Form

    Specify the form attributes that a user must supply to be identified, such as name, email ID, and so forth. These details are confidential.

    SSPR uses these values internally to search for the user who requests the forgotten password recovery action.

    Forgotten Password User Search Filter

    Specify an LDAP filter to find the user. Each attribute configured in the Forgotten Password User Search Form should be included in the search filter. Strings enclosed in percent signs (%) are replaced with the values supplied by the user.

    For example, if Forgotten Password User Search Form includes email and sn attributes, then the filter would be (&(objectClass=person)(email=%email%)(sn=%sn%)).

    Response Read Location

    Specify the location where challenge-responses are stored.

    If you select an option with multiple locations, the system reads each location until it finds a stored response.

    Response Write Location

    Specify the location to write the responses to.

    If you select an option with multiple locations, the system stores responses in each location when users configure their response answers.

    Response Storage Attribute

    Specify an attribute to use for storing responses when you want to store responses in the LDAP directory. The system stores responses in the LDAP directory in addition to any other configured storage repositories.

    Allow Unlock

    Select this check box if you want to allow users to unlock their account during forgotten password recovery. Users can unlock their account instead of resetting the password if the account is locked because of invalid login attempts and the user's password has not expired.

    Required Attributes

    Specify required LDAP attributes for challenge-response.

    Users provide these attributes as part of the forgotten password recovery process. The LDAP proxy user requires compare LDAP rights to these attributes.

    Require Responses

    Select this check box if you want users to provide previously saved responses to proceed with the forgotten password recovery process.

    Token Send Method

    You can configure the method for sending the token code or new password to the user. The available methods include:

    • None - SSPR does not perform token verification

    • Email Only - SSPR sends token to email address

    • SMS Only - SSPR sends token through SMS

    • Both - SSPR sends token to both email address and SMS

    • Email First - SSPR tries to send token through email; if no email address is available, sends through SMS

    • SMS First - SSPR tries to send token through SMS; if no SMS number is available, sends through email

    Forgotten Password Recovery Mode

    Select an option from the list.

    • Allow user to set new password - Select this option to allow the user to reset their password by using the Forgotten Password option.

    • Send new password - Select this option to send a random password to the user’s email or SMS. This setting depends on which method is specified for the New Password Send Method setting.

    • Send new password and mark as expired - Select this option to send a random password to the user for a temporary login; the user is prompted to change the random password during the login process.

    Responses Storage Hashing Method

    Select a hashing method used to store responses from the list.

    Storing the responses as plaintext facilitates synchronization or migration to other systems, at the cost of exposing the answers to anyone who can read the storage location.

    New Password Send Method (Advanced)

    Select the appropriate option from the list to specify the method to send new password to the user after the user completes the forgotten password process.

    • Email Only: Select this option to send the password through email

    • SMS Only: Select this option to send the password through SMS

    • Both: Select this option to send the password through both email and SMS

    • Email First: Select this option if your first preference is to send the password through email. The password is sent through SMS only if no email address is available.

    • SMS First: Select this option if your first preference is to send the password through SMS. The password is sent to the email address only if no SMS number is available.

    Forgotten Password Post Actions (Advanced)

    Specify the names of the actions, and define them using the following services, to set the actions that must be executed after a user successfully completes the forgotten password process and the user's password has been modified. Macros can be used.

    • webservice

    • ldap

  4. Click Actions > Save.
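The two settings above that most affect security are the Forgotten Password User Search Filter, whose %attr% macros are filled from user-typed form values, and the Responses Storage Hashing Method. The following Python is an added illustration, not SSPR's own code, of what a correct back end has to do with those values: every form value substituted into the filter is escaped per RFC 4515 so that it cannot change the filter's structure, and challenge responses are stored as salted PBKDF2 hashes and verified with a constant-time comparison. Whether SSPR performs exactly these steps internally is not stated in this section; the function names, the `pbkdf2-sha256$...` storage format and the sample values are assumptions made for the example.

```python
# Added example (not SSPR's own code): safe macro substitution for the
# Forgotten Password User Search Filter, and hashed challenge-response storage.
import hashlib
import hmac
import os
import re
import unicodedata

# RFC 4515 escapes for characters that are significant inside an LDAP filter.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# A macro looks like %email% or %sn%, matching the page's filter example.
_MACRO = re.compile(r"%([A-Za-z][A-Za-z0-9_-]*)%")


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is treated as literal text inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, form_values: dict) -> str:
    """Replace every %attr% macro in the template with the escaped form value.

    A macro with no corresponding form value raises KeyError instead of being
    replaced by an empty string, which would silently widen the search.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in form_values:
            raise KeyError(f"no form value supplied for macro %{name}%")
        return ldap_filter_escape(form_values[name])

    return _MACRO.sub(substitute, template)


def normalize_response(answer: str) -> str:
    """Case-fold and collapse whitespace so trivial typing differences still match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_response(answer: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Store a challenge response as a salted PBKDF2-HMAC-SHA256 hash.

    The storage string format 'pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'
    is an assumption for this example, not an SSPR format.
    """
    if not salt:
        salt = os.urandom(16)  # fresh random salt per stored response
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_response(answer).encode("utf-8"), salt, iterations
    )
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_response(answer: str, stored: str) -> bool:
    """Recompute the hash of the supplied answer and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_response(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample input: the page's example filter with values a user typed
    # into the Forgotten Password User Search Form.
    template = "(&(objectClass=person)(email=%email%)(sn=%sn%))"
    print(build_search_filter(template, {"email": "jdoe@example.test", "sn": "Doe"}))
    # A value containing filter metacharacters is escaped, so the filter still
    # matches only a literal surname rather than every person in the directory.
    print(build_search_filter(template, {"email": "jdoe@example.test", "sn": "*"}))

    stored = hash_response("Fluffy", salt=b"constructed-salt")
    print(stored)
    print(verify_response("  fluffy ", stored), verify_response("Rex", stored))
```

Compare the first two printed filters: the escaped `\2a` in the second one is why user-supplied values must never be pasted into the filter unescaped. The hashed storage shows why the plaintext option in Responses Storage Hashing Method is a trade-off: a stored hash can still be verified, but it cannot be read back out or migrated as an answer.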