Friday, August 30, 2019

Changing the Forgot Password Option from a Question and Answer to an Email Option

We often hear about high-level security breaches where hundreds of thousands of user and company information has been hacked and stolen. Most of the time, this only leads to finger-pointing and more paperwork than anyone has the time to chase down. We know that Extranet Collaboration Manager (ExCM) is just one part of your companies’ best practices for securing your external collaboration and maintaining a secure company and employee environment. We also know that sometimes the small things a company does can make the biggest difference when it comes to security and manpower.
Case in point, many businesses utilize the well-known question and answer method when a user forgets their password. We have all seen and used this method. The normal scenario is where you have set up two to three security questions when you sign up for your account, and in the event that you forget your password, you have to answer one of these questions to proceed with the password change or the account recovery process.
But how secure are the questions and answers? How easy is it for someone to use the internet and social media to hunt down the answers to any one of the questions? Think about it: would it be that hard to find out your mom’s maiden name, your high school mascot or what city you were born in? While it is true that the questions that are being asked could be much more difficult, remember these businesses are dealing with users who on average have over 100 passwords when you add all their work, financial and personal accounts together. The average company does not have the resources to help customers who have forgotten their passwords much less the security question answers that were initially set up to be easy.
*More information on password and security statistics can be found here.

So, where does this leave the businesses of today? What other alternatives or tools do they have at their disposal to maintain security and make the retrieval of passwords or the resetting of passwords seamless and still self-service?
What if, instead of the question and answer retrieval process, your company utilized something simpler that most of your customers already use, like their email address? How could this make things easier for the user and your company? We know that most people have at least one email account that is unique. We know that, in most cases, he or she is the only user of that unique email address. Then it would make sense that if we sent the user a link to their email address with options for changing or recovering their password, it should help in that they would not have to remember the questions and answers and the business would not have to store and maintain this information. The user’s security and self-service rest in their ability to remember their email information.
So, your next question might be: “How do I make the password email recovery option possible in ExCM?”

When using ExCM you can disable the extranet user password question and turn on the email option by making the changes below to the web app web.config file:

1.   In the <membership /> section of the web.congif file, the <add /> tag must have the requriesQuestionAndAnswer attribute set from ‘True’ to 'False'.

2.   In the <extranet /> section of the web.config file, the <membershipSettings /> tag must have the passwordResetTemplate attribute set from “SetNewPassword” to "EmailGeneratedPassword".

After making these changes to the web.config file, this should remove the password security question from the registration and add extranet users’ pages. This only needs to be applied to the web.cofig file of your content site.
Below you will find the expected changes that users will experience, once the password reset has been changed from the question and answer to the email setting.

After the user clicks the “Forgot your password?” link the “Reset My Password” page will ask for the user’s email address, then they will need to click Next.

Once the system has confirmed the user’s “Username” they will click Finish.

The next screen will confirm that the “Password Changed Successfully”.

Next, the user will receive an automated email with a temporary password.

Next, the user can return to the “Password Changed Successfully” page and then click “Continue to login”.

At the Sign In page the user will need to use the new temporary password from your email and click Sign In.

NOTE: The temporary password is case and character sensitive and can be copied and pasted.

Once the user is signed in, they will need to select the drop-down button next to the username, and then select “Change My Password”.

Within the “Change My Password” page the user will need to use the temporary password, then create a new password using the green strength bar as a gauge for a secure password. Next, the user will need to confirm the new password, and then click Finish. At this point the user will stay logged in and will use the newly created password the next time they log in.

©2019 PremierPoint Solutions. All Rights Reserved. 

No comments: