Steps for configuring Password & Profile management
Users can be delegated access to change existing passwords or update their account profiles immediately. However, before a user can use self-service to reset a forgotten password and unlock an account, the user must enroll by answering a series of questions. Later, when the user forgets a password, these answers are used in place of the forgotten password to authenticate the identity of the user and allow them to create a new password.
The general steps for configuring Password & Profile Management are as follows:
- Configure the Password Self-Service Enrollment Details Web Action
- Set data encryption password
- Set answer length and quantity requirements
- Define end-user questions
- Delegate Self-Service Password & Profile Management
- Configure User Notifications
Active Directory Account Name History attribute
The enrollment details for each Active Directory user are stored on the user’s object in Active Directory in the AccountNameHistory attribute. Examples of the data stored in the AccountNameHistory attribute are the encrypted questions and answers and the date and time of both the Welcome and Reminder Notifications.
Configure the Password Self-Service Enrollment Details web action
The process that allows a user to both enroll and later use the forgotten password reset features is controlled by the Self-Service - Password Self-Service Enrollment Details web action. This action can only be configured by a trustee of the Cayosoft Administrator Global Administrators role.
Setting the data encryption password
Open the Cayosoft Configuration Console
Locate the Password to encrypt data in the AD setting in the action section of the rule
Click the selector button to the right side of the field
(The selector is a small square button to the right of the field […])
Enter a password that will be used to encrypt user answers
Click Save Changes
Setting Question & Answer details
Minimum answer length (Characters) – this setting enforces the minimum length of the answers provided by the end-user during enrollment. Setting a higher number for the answer length increases the complexity of the answers.
Minimum number of questions per user – this setting selects the number of questions that a user must answer during enrollment and later when using the forgotten password service.
Questions 1 through 5 – each question field is presented to the user during enrollment as a drop-down list of questions from which they may choose.
Enable question shared with Help Desk – this option adds a question that must be answered by the user during enrollment. This question and the answer provided by the user are made available to anyone that is delegated the permissions to use the Validate User Identity option in the Cayosoft Web Portal.
What is your favorite movie?
What was the make of your first car?
Password complexity description – use this setting to enter the password complexity requirements the user must follow when creating a password.
Enforce domain password policies – this setting allows you to specify whether to enforce the domain password policies, such as password history, password age, length, and domain complexity requirements, for the Change my password action in Self Service and for the I forgot my password link on the login page.
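The following is an added example, not Cayosoft's own code, that shows how the enrollment settings above combine into a single validation step: the minimum answer length, the minimum number of questions, the configured question list, and the Help Desk shared question. The policy numbers, the last three questions and the Help Desk question are constructed sample values; the first two questions come from the page. Answers are normalized (trimmed and case-folded) before their length is checked, which is the same normalization a verifier should apply so that a legitimate user is not rejected for stray capitalization or whitespace.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample question list: the first two appear on the page, the rest are constructed.
DEFAULT_QUESTIONS: Tuple[str, ...] = (
    "What is your favorite movie?",
    "What was the make of your first car?",
    "What was the name of your first school?",
    "In what city were you born?",
    "What was the name of your first pet?",
)


@dataclass
class EnrollmentPolicy:
    """Mirrors the settings named in the article; the numbers are constructed sample values."""
    min_answer_length: int = 6                        # "Minimum answer length (Characters)"
    min_questions_per_user: int = 3                   # "Minimum number of questions per user"
    questions: Tuple[str, ...] = DEFAULT_QUESTIONS    # "Questions 1 through 5"
    helpdesk_question_enabled: bool = True            # "Enable question shared with Help Desk"
    helpdesk_question: str = "What is your employee ID?"  # constructed example question


def normalize_answer(answer: str) -> str:
    """Trim, collapse internal whitespace and case-fold so 'Ford ' and 'ford' compare equal."""
    return " ".join(answer.split()).casefold()


def validate_enrollment(policy: EnrollmentPolicy,
                        answers: Dict[str, str],
                        helpdesk_answer: Optional[str] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the enrollment is acceptable.
    `answers` maps each question the user picked from the drop-down to the user's answer."""
    problems: List[str] = []

    # Only questions from the configured drop-down list are acceptable.
    unknown = sorted(q for q in answers if q not in policy.questions)
    if unknown:
        problems.append(f"question not in the configured list: {unknown}")

    # Enforce the minimum number of questions per user.
    if len(answers) < policy.min_questions_per_user:
        problems.append(
            f"at least {policy.min_questions_per_user} questions required, got {len(answers)}")

    # Enforce the minimum answer length on the normalized answer.
    for question, answer in answers.items():
        if len(normalize_answer(answer)) < policy.min_answer_length:
            problems.append(
                f"answer to {question!r} is shorter than {policy.min_answer_length} characters")

    # The Help Desk shared question is mandatory when the option is enabled.
    if policy.helpdesk_question_enabled:
        if helpdesk_answer is None or len(normalize_answer(helpdesk_answer)) < policy.min_answer_length:
            problems.append("the help-desk shared question must be answered")

    return problems


if __name__ == "__main__":
    policy = EnrollmentPolicy()
    good = {
        "What is your favorite movie?": "The Matrix",
        "What was the make of your first car?": "Toyota Corolla",
        "In what city were you born?": "Chicago",
    }
    print(validate_enrollment(policy, good, helpdesk_answer="EMP-12345"))   # []
    bad = {"What is your favorite movie?": "Up", "Who?": "abcdefgh"}
    for problem in validate_enrollment(policy, bad):
        print("-", problem)
```

Raising the minimum answer length is the only lever among these settings that makes individual answers harder to guess; the minimum question count raises the number of independent answers an attacker would have to know, which is why both are enforced together here.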
Brute force protection with account lockout
A brute force login attack is one of the most common attacks conducted against Web applications. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user.
The best way to prevent brute-force attacks is to limit invalid login attempts and lock out the user account for a period of time. This prevents automated tools from performing a brute force attack and effectively makes it impractical to perform such an attack.
Cayosoft Web Administrator has brute force attack protection. By default, after 5 unsuccessful attempts to reset the password or unlock the account using Self-Service, the user gets the message: "You have made too many attempts. Please wait and try again later". After that, the user must wait 10 minutes before trying to perform these operations again. Starting with version 8.3.1, the number of invalid attempts before lockout and the lockout period can be specified in the Self-Service - Password Self-Service Enrollment Details web action.
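As an added example of the lockout behaviour described above (this is illustrative code, not Cayosoft's implementation), the class below counts failed self-service reset or unlock attempts per user and refuses further attempts for the lockout period once the threshold is reached, using the page's defaults of 5 attempts and 10 minutes. The user name and the injectable `FakeClock` are constructed so the simulation runs without waiting; the `events` list stands in for the audit record a defender would forward to a SIEM to detect guessing campaigns.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Defaults stated in the article: 5 failed attempts, then a 10-minute wait.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 10 * 60
LOCKOUT_MESSAGE = "You have made too many attempts. Please wait and try again later"


class SelfServiceLockout:
    """Counts failed reset/unlock attempts per user and blocks the self-service
    path for `lockout_seconds` once `max_attempts` failures are reached."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}
        self.events: List[str] = []   # audit trail for detection (lockouts only)

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout period elapsed: clear state so the user gets a fresh attempt budget.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, answers_correct: Callable[[], bool]) -> Tuple[bool, str]:
        """Return (succeeded, message). `answers_correct` is evaluated only when the
        user is not locked, so a locked account cannot be probed during the wait."""
        if self.is_locked(user):
            return False, LOCKOUT_MESSAGE
        if answers_correct():
            self._failures.pop(user, None)
            return True, "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            self.events.append(f"lockout user={user} failures={self._failures[user]}")
            return False, LOCKOUT_MESSAGE
        # One generic message for every failure: no hint about which answer was wrong.
        return False, "One or more answers were incorrect"


class FakeClock:
    """Constructed clock so the simulation runs instantly instead of sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate() -> List[str]:
    """Five wrong answer sets, one correct set while locked, then one after the wait."""
    clock = FakeClock()
    guard = SelfServiceLockout(clock=clock)
    user = "jdoe"   # constructed sample account
    messages: List[str] = []
    for _ in range(5):
        messages.append(guard.attempt(user, lambda: False)[1])
    messages.append(guard.attempt(user, lambda: True)[1])   # correct, but still locked
    clock.now += LOCKOUT_SECONDS                             # wait out the 10 minutes
    messages.append(guard.attempt(user, lambda: True)[1])   # now succeeds
    return messages


if __name__ == "__main__":
    for i, message in enumerate(simulate(), start=1):
        print(f"attempt {i}: {message}")
```

The fifth failure produces the lockout message immediately rather than after a sixth try, matching the page's "after 5 unsuccessful attempts"; a correct answer submitted during the lockout window is not even evaluated, which is what makes the 10-minute wait effective against automated guessing.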