User Reset
On the User Reset tab, configure your system to let users reset forgotten passwords or unlock accounts. Navigate to gear > Global Settings > Login Configuration and use the following options:
- Enable Forgot Password – displays a Forgot Password link on the login page so users who have forgotten their password can reset it.
- Enable Account Unlock – displays an Account Unlock link on the login page so users who have been locked out can unlock their account.
Selecting either or both of these options brings up two additional options:
- Enable Security Questions – when enabled, security questions are used to confirm a user's identity if they have forgotten their password or become locked out.
- Enable SMS Verification – when enabled, a user is offered the option to have a reset code sent via SMS if they have forgotten their password or been locked out.
See
Note: Security questions and their settings are associated with the password set on the pass-through application. They are not associated with a direct logon to IdentityIQ.
Security questions are displayed when a user selects the Forgot Password link on the login page during the authentication process. The list of questions can contain tags that map to the properties file configured when your IdentityIQ instance was deployed, text entered directly on this tab, or a combination of both. Mapping tags from a properties file is generally used for internationalization.
Configure security questions as follows:
- In the Questions section, select the questions you want to use; use the + option to add new questions and the - option to remove questions from the list.
- In the Settings section, adjust the default parameters as needed.
  - Number of questions asked to authenticate an identity – specifies the number of questions that must be answered correctly in order to reset the password.
  - Number of questions a user must answer for authentication – specifies the number of questions for which the user must provide answers in advance so they can be authenticated using these questions. Questions without known answers cannot be used for authentication because there is no correct answer to be matched.
  - Prompt users for answers to unanswered security questions upon successful login – causes IdentityIQ to check during login whether the user has already provided the required number of authentication answers and, if not, prompt the user for those answers. The required number of questions is defined on the Edit Preferences page.
  - Maximum number of unsuccessful authentication attempts before IdentityIQ lockout – specifies the number of failed authentication attempts before the user is locked out of IdentityIQ.
  - Number of minutes a user will remain locked out due to unsuccessful authentication – specifies how long a user is locked out after the specified number of unsuccessful login attempts before they can try again to sign in to IdentityIQ.
- Select Save.
When a user clicks the Forgot Password link and then selects and answers the authentication questions, by default the user's answers are shown in plain text as they are typed in the user interface. If you want to obscure the user's answers with asterisks as they are typed, use the Debug page to add this entry key to IdentityIQ's SystemConfiguration object.
<entry key="obscureAuthAnswers" value="true"/>
Use the Settings section to configure behaviors for password attempts.
Be sure to select the Enable SMS Verification checkbox. Additionally, before you set up SMS Reset, you need the following items from twilio.com:
- An active Twilio account
- Twilio ID
- Twilio credentials (authentication token)
- "From" phone number configured on the account
SMS Verification Configuration
Set up SMS verification for your system by completing the form as follows:
- Twilio Account ID – enter the account ID you receive from Twilio when you set up your company Twilio account.
- Twilio Authentication Token – enter the authentication token you receive from Twilio when you set up your company Twilio account.
- From Phone Number – specify the phone number to be displayed in the From field of the SMS messages. This phone number must be configured as the From number on your Twilio account.
- Phone Number Attribute on Identity – from a dropdown list, select the identity attribute that represents the mobile phone number. To define a new identity attribute, see Account Mappings.
  For a user to reset their password using the SMS Reset feature, the field associated with their mobile phone number must contain a complete number including the area code. Using E.164 number formatting for all phone numbers in the To and From fields is strongly encouraged. For more information, see SSO Configuration.
- Verification Token Timeout (minutes) – adjust the default as needed to specify how many minutes the user's password reset token is valid before it expires.
- Throttle requests at a rate of 1 per N minute(s) – specify the rate at which SMS requests can be made in a given amount of time. For example, if you enter the number 5, the limit is 1 request every 5 minutes.
- Maximum Failed Attempts – after reaching the maximum number of failed attempts, a user cannot verify a reset token until that token expires and a new token is requested.
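As an added illustration (not IdentityIQ or Twilio code) of how the SMS Reset settings above interact, the following constructed Python model applies the E.164 check on the phone attribute, the "1 per N minutes" throttle, the verification token timeout and the maximum failed attempts; the default values, the six-digit code and the minute-based clock are assumptions made for the example.

```python
import re
import secrets
from dataclasses import dataclass, field

# E.164: a leading '+' followed by up to 15 digits, first digit non-zero.
E164 = re.compile(r"\+[1-9]\d{1,14}")

def is_e164(number: str) -> bool:
    """True if the identity's phone attribute holds a complete E.164 number."""
    return E164.fullmatch(number) is not None

@dataclass
class SmsResetPolicy:
    """Constructed model of the SMS Reset settings (values are assumptions)."""
    token_timeout_min: int = 5   # Verification Token Timeout (minutes)
    throttle_min: int = 5        # Throttle requests at a rate of 1 per N minute(s)
    max_failed: int = 3          # Maximum Failed Attempts
    last_request: dict = field(default_factory=dict)  # user -> minute of last request
    tokens: dict = field(default_factory=dict)        # user -> [code, expiry, failures]

    def request_token(self, user: str, phone: str, now: int):
        """Issue a reset code, or refuse with a reason. 'now' is minutes on a clock."""
        if not is_e164(phone):
            return None, "invalid-phone"
        rec = self.tokens.get(user)
        # A token that hit max failed attempts blocks new requests until it expires.
        if rec is not None and now < rec[1] and rec[2] >= self.max_failed:
            return None, "locked"
        last = self.last_request.get(user)
        if last is not None and now - last < self.throttle_min:
            return None, "throttled"
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit code sent via SMS
        self.last_request[user] = now
        self.tokens[user] = [code, now + self.token_timeout_min, 0]
        return code, "sent"

    def verify(self, user: str, code: str, now: int) -> str:
        """Check a submitted code against the outstanding token for this user."""
        rec = self.tokens.get(user)
        if rec is None:
            return "no-token"
        if now >= rec[1]:
            del self.tokens[user]         # expired tokens are discarded
            return "expired"
        if rec[2] >= self.max_failed:
            return "locked"               # wait for expiry, then request a new token
        if secrets.compare_digest(rec[0], code):
            del self.tokens[user]         # single use
            return "ok"
        rec[2] += 1
        return "locked" if rec[2] >= self.max_failed else "wrong"
```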