We often hear about high-profile security breaches in which the personal and company information of hundreds of thousands of users has been stolen. Most of the time, this only leads to finger-pointing and more paperwork than anyone has the time to chase down. We know that Extranet Collaboration Manager (ExCM) is just one part of your company's best practices for securing external collaboration and maintaining a secure company and employee environment. We also know that sometimes the small things a company does can make the biggest difference when it comes to security and manpower.
Case in point: many businesses use the well-known question-and-answer method when a user forgets their password. We have all seen and used this method. In the normal scenario you set up two or three security questions when you sign up for your account, and if you forget your password you have to answer one of these questions to proceed with the password change or account recovery process.
But how secure are the questions and answers? How easy is it for someone to use the internet and social media to hunt down the answers to any one of the questions? Think about it: would it be that hard to find out your mom's maiden name, your high school mascot or the city you were born in? While it is true that the questions being asked could be much more difficult, remember that these businesses are dealing with users who on average have over 100 passwords when you add all their work, financial and personal accounts together. The average company does not have the resources to help customers who have forgotten their passwords, much less the security question answers that were initially set up to be easy.
*More information on password and security statistics can be found here.
So, where does this leave the businesses of today? What other alternatives or tools do they have at their disposal to maintain security and make the retrieval or resetting of passwords seamless and still self-service?
What if, instead of the question-and-answer recovery process, your company used something simpler that most of your customers already have, like their email address? How could this make things easier for the user and for your company? We know that most people have at least one email account that is unique to them, and that in most cases he or she is the only user of that unique email address. It then makes sense that if we send the user a link to their email address with options for changing or recovering their password, they would not have to remember the questions and answers, and the business would not have to store and maintain this information. The user's security and self-service rest on their ability to remember their email information.
So, your next question might be: "How do I make the password email recovery option possible in ExCM?"
When using ExCM you can disable the extranet user password question and turn on the email option by making the changes below to the web app's web.config file:
1. In the <membership /> section of the web.config file, the <add /> tag must have its requiresQuestionAndAnswer attribute changed from 'True' to 'False'.
2. In the <extranet /> section of the web.config file, the <membershipSettings /> tag must have its passwordResetTemplate attribute changed from "SetNewPassword" to "EmailGeneratedPassword".
After you make these changes to the web.config file, the password security question is removed from the registration and add-extranet-users pages. The change only needs to be applied to the web.config file of your content site.
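As an added example (not ExCM code or documentation), the Python script below applies the two web.config changes above with ElementTree and then audits that both settings were switched together, since a half-applied change (question disabled but the template still "SetNewPassword", or the reverse) is the misconfiguration worth catching on review. The sample config is constructed; placing <membershipSettings /> directly under <extranet /> and the provider type name are assumptions, while the attribute names and values come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not a real ExCM file). Placing
# <membershipSettings /> directly under <extranet /> and the provider's
# type name are assumptions; the attribute names come from the post.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="ExtranetProvider">
      <providers>
        <clear />
        <add name="ExtranetProvider" type="Example.ExtranetMembershipProvider"
             requiresQuestionAndAnswer="True" minRequiredPasswordLength="8" />
      </providers>
    </membership>
  </system.web>
  <extranet>
    <membershipSettings passwordResetTemplate="SetNewPassword" />
  </extranet>
</configuration>
"""

PROVIDER_PATH = "./system.web/membership/providers/add"
SETTINGS_PATH = "./extranet/membershipSettings"


def switch_to_email_reset(config_xml: str) -> str:
    """Apply both changes from the post and return the updated XML text."""
    root = ET.fromstring(config_xml)
    providers = root.findall(PROVIDER_PATH)
    settings = root.find(SETTINGS_PATH)
    if not providers or settings is None:
        raise ValueError("membership provider or <membershipSettings /> not found")
    for add in providers:                      # step 1: drop the security question
        add.set("requiresQuestionAndAnswer", "False")
    settings.set("passwordResetTemplate", "EmailGeneratedPassword")  # step 2
    return ET.tostring(root, encoding="unicode")


def audit_reset_settings(config_xml: str) -> dict:
    """Report whether each setting is switched and whether the two agree."""
    root = ET.fromstring(config_xml)
    providers = root.findall(PROVIDER_PATH)
    settings = root.find(SETTINGS_PATH)
    # ASP.NET treats the boolean attribute case-insensitively; default is true.
    question_off = bool(providers) and all(
        a.get("requiresQuestionAndAnswer", "true").lower() == "false" for a in providers)
    template = settings.get("passwordResetTemplate") if settings is not None else None
    email_on = template == "EmailGeneratedPassword"
    return {"question_disabled": question_off, "email_template": email_on,
            "consistent": question_off == email_on}
```

Run audit_reset_settings against the live content-site web.config after editing; "consistent": False means only one of the two settings was changed.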
Below you will find the changes users can expect once the password reset has been switched from the question-and-answer setting to the email setting.
After the user clicks the "Forgot your password?" link, the "Reset My Password" page will ask for the user's email address, and they will then need to click Next.
Once the system has confirmed the user's "Username", they will click Finish.
The next screen will confirm "Password Changed Successfully".
Next, the user will receive an automated email with a temporary password.
The user can then return to the "Password Changed Successfully" page and click "Continue to login".
At the Sign In page the user will need to enter the new temporary password from their email and click Sign In.
NOTE: The temporary password is case and character sensitive and can be copied and pasted.
Once the user is signed in, they will need to select the drop-down button next to the username and then select "Change My Password".
Within the "Change My Password" page the user will need to enter the temporary password, then create a new password using the green strength bar as a gauge for a secure password. Next, the user will need to confirm the new password and then click Finish. At this point the user will stay logged in and will use the newly created password the next time they log in.