Configuration of Self-Service Password & Profile Management
Steps for configuring Password & Profile management
Users can be delegated access to change existing passwords or update their account profiles immediately. However, before a user can use self-service to reset a forgotten password and unlock an account, the user must enroll by answering a series of questions. Later, when the user forgets a password, these answers are used in place of the forgotten password to authenticate the identity of the user and allow them to create a new password.
The general steps for configuring Password & Profile Management are as follows:
- Configure the Password Self-Service Enrollment Details web action:
  - Set the data encryption password
  - Set answer length and quantity requirements
  - Define end-user questions
- Delegate Self-Service Password & Profile Management.
- Configure User Notifications.
Active Directory Account Name History attribute
The enrollment details for each Active Directory user are stored on the user's object in Active Directory, in the AccountNameHistory attribute. Examples of the data stored there are the encrypted questions and answers and the date and time of the Welcome and Reminder notifications.
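As an added example (not Cayosoft's own code or a documented interface), the following PowerShell reports which enabled users have enrollment data in accountNameHistory and which do not, so you can see who can already use "I forgot my password" and who still needs a reminder. It only tests whether the attribute is populated; the contents are encrypted with the password set in the web action and their layout is not documented here, so nothing is parsed or decrypted. It assumes the ActiveDirectory RSAT module, read access to the attribute, and that nothing else in your forest writes to accountNameHistory (it is a general schema attribute that other products can also use, so confirm that before treating it as an enrollment marker).

```powershell
# Added example, not part of Cayosoft Administrator: audit Password Self-Service enrollment
# by checking whether accountNameHistory is populated on each enabled user.
# Assumptions: ActiveDirectory RSAT module is installed, the caller can read the attribute,
# and only Cayosoft writes to accountNameHistory in this forest. The values are encrypted
# and their layout is not documented here, so they are never parsed or decrypted.
Import-Module ActiveDirectory

function Get-SelfServiceEnrollmentReport {
    param(
        # Container to search; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties accountNameHistory, whenChanged |
        ForEach-Object {
            # Multi-valued attribute: piping it yields nothing when it is unset or empty,
            # so the count is 0 for users who have not enrolled and > 0 for those who have
            $valueCount = @($_.accountNameHistory | Where-Object { $null -ne $_ }).Count
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enrolled       = ($valueCount -gt 0)
                ValueCount     = $valueCount
                WhenChanged    = $_.whenChanged
            }
        }
}

$report = Get-SelfServiceEnrollmentReport

# Summary: how many users can already use "I forgot my password" versus still need to enroll
$report | Group-Object Enrolled | Select-Object @{ n = 'Enrolled'; e = { $_.Name } }, Count

# Users who have not enrolled cannot reset a forgotten password or unlock themselves yet;
# these are the candidates for a Welcome or Reminder notification
$report | Where-Object { -not $_.Enrolled } | Sort-Object SamAccountName |
    Format-Table SamAccountName, WhenChanged -AutoSize
```

Run it as an account that can read the attribute on the target users; if a delegated reporting account gets all users back as not enrolled, check that it has read access to accountNameHistory before concluding nobody has enrolled.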
Configure the Password Self-Service Enrollment Details web action
The process that allows a user to both enroll and later use the forgotten password reset features is controlled by the Self-Service - Password Self-Service Enrollment Details web action. This action can only be configured by a Cayosoft Administrator Global Administrators Role trustee.
Setting the data encryption password
Open the Cayosoft Administrator Console.
Navigate to .
Locate the Password to encrypt data in the AD setting in the action section of the rule.
Click the selector button on the right side of the field (a small square button […]).
Enter a password that will be used to encrypt user answers.
Click OK.
Click Save Changes.
Setting Question & Answer details
Minimum answer length (Characters) – this setting enforces the minimum length of the answers provided by the end-user during enrollment. A higher minimum makes answers harder to guess.
Minimum number of questions per user – this setting sets the number of questions that a user must answer during enrollment and later when using the forgotten password service.
Questions 1 through 5 – each question field is presented to the user during enrollment as a drop-down list of questions from which they may choose.
Enable question shared with Help Desk – this option adds a question that must be answered by the user during enrollment. This question and the answer provided by the user are made available to anyone who is delegated permission to use the Validate User Identity option in the Web Portal.
TIP: To change the default questions, simply change an existing question or add additional questions separated by a | symbol. Each question should elicit an answer that is not easily guessed and that cannot be easily found on the Internet or from other public sources.
Example:
What is your favorite movie? |
What was the make of your first car?
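The enrollment page enforces the minimum answer length and the minimum number of questions, but it cannot tell whether an answer is something an attacker could simply look up. As an added example (not Cayosoft code, and not a hook the product exposes), the following PowerShell applies those two rules locally to a question list in the | separated format shown above and adds a third: an answer that equals a value already visible on the user's directory object or public profile (name, city, department) is rejected, as is the same answer reused across questions. The question list, the answers and the public values are constructed sample data.

```powershell
# Added example, not part of Cayosoft Administrator: a local pre-check for enrollment
# answers. The question list uses the '|' separator the article describes. All inputs at
# the bottom are constructed sample data, not real user information.
function Test-EnrollmentAnswers {
    param(
        [string]$QuestionList,                 # questions separated by '|'
        [int]$MinAnswerLength = 4,             # mirrors "Minimum answer length (Characters)"
        [int]$MinQuestions = 3,                # mirrors "Minimum number of questions per user"
        [hashtable]$Answers,                   # question => answer, as the user would submit them
        [string[]]$PublicValues = @()          # values an attacker could read from the directory or the web
    )
    $questions = $QuestionList -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $problems  = New-Object 'System.Collections.Generic.List[string]'

    if ($Answers.Count -lt $MinQuestions) {
        $problems.Add("Only $($Answers.Count) question(s) answered; $MinQuestions required")
    }
    foreach ($q in $Answers.Keys) {
        if ($questions -notcontains $q) { $problems.Add("Unknown question: '$q'"); continue }
        $a = ([string]$Answers[$q]).Trim()
        if ($a.Length -lt $MinAnswerLength) {
            $problems.Add("Answer to '$q' is shorter than $MinAnswerLength characters")
        }
        # An answer that is already public (directory attributes, social profiles) is not a secret
        foreach ($v in $PublicValues) {
            if ($v -and ($a -ieq $v.Trim())) {
                $problems.Add("Answer to '$q' equals a publicly visible value ('$v')")
            }
        }
    }
    # Identical answers to different questions collapse several questions into one guess
    $dupes = $Answers.Values | ForEach-Object { ([string]$_).Trim().ToLowerInvariant() } |
             Group-Object | Where-Object Count -gt 1
    foreach ($d in $dupes) { $problems.Add("The same answer is used for $($d.Count) questions") }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample: three questions; one answer is too short, one equals the user's city
$questionList = 'What is your favorite movie?|What was the make of your first car?|In which city were you born?'
$sampleAnswers = @{
    'What is your favorite movie?'         = 'Heat'
    'What was the make of your first car?' = 'Saab 900'
    'In which city were you born?'         = 'Springfield'
}
Test-EnrollmentAnswers -QuestionList $questionList -MinAnswerLength 5 -MinQuestions 3 `
    -Answers $sampleAnswers -PublicValues @('Jane', 'Doe', 'Springfield')
```

With the sample input the result is not valid: the movie answer is under the 5-character minimum and the birthplace answer matches a public value. Feeding the function the user's own AD attributes (givenName, sn, l, department, title) as PublicValues is the practical way to catch the second class of weak answers before the user relies on them.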
More Options
Password complexity description – use this setting to enter the password complexity requirements the user must follow when creating a password.
Enforce domain password policies – this setting allows you to specify whether to enforce the domain password policies like password history, password age, length, and domain complexity requirements for the Change my password action in Self Service and for I forgot my password link on the login page.
TIP: Minimum password age is the number of days a password must be in use before the user is allowed to change it. The default domain password policy sets it to one day, so a user can change or reset a password only a day after it was last set. A user who tries earlier through Self-Service (with domain password policies enforced) receives the generic error: The password does not meet the length, complexity, or history requirement of the domain.
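Because the error above is generic, the help desk cannot tell from it whether minimum password age, length, complexity or history was violated. As an added example (not Cayosoft code), the following PowerShell answers the minimum-age question directly: it looks up the password policy that actually applies to the user (a fine-grained policy if one is assigned, otherwise the default domain policy), adds its MinPasswordAge to the user's PasswordLastSet, and reports whether a change is allowed yet. It assumes the ActiveDirectory RSAT module; the account name at the bottom is a placeholder.

```powershell
# Added example, not part of Cayosoft Administrator: when a user reports the generic
# "does not meet the length, complexity, or history requirement" error from Self-Service,
# check whether the real cause is the minimum password age. Assumes the ActiveDirectory
# RSAT module; 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Test-MinPasswordAge {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet, pwdLastSet

    # A fine-grained password policy (PSO) overrides the default domain policy when one applies;
    # Get-ADUserResultantPasswordPolicy returns nothing if no PSO covers the user
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet = 0 means "must change password at next logon"; minimum age does not block that change
    if ($user.pwdLastSet -eq 0) {
        return [pscustomobject]@{
            User         = $Identity
            CanChangeNow = $true
            EligibleAt   = Get-Date
            Reason       = 'Password change required at next logon; minimum age does not apply'
        }
    }

    $eligibleAt = $user.PasswordLastSet + $policy.MinPasswordAge   # DateTime + TimeSpan
    $canChange  = (Get-Date) -ge $eligibleAt
    $reason = if ($canChange) {
        'Minimum password age satisfied; look at length, complexity or history instead'
    } else {
        "Password set $($user.PasswordLastSet); cannot be changed before $eligibleAt while domain policies are enforced"
    }

    [pscustomobject]@{
        User            = $Identity
        PasswordLastSet = $user.PasswordLastSet
        MinPasswordAge  = $policy.MinPasswordAge
        CanChangeNow    = $canChange
        EligibleAt      = $eligibleAt
        Reason          = $reason
    }
}

Test-MinPasswordAge -Identity 'jdoe'   # placeholder account name
```

If CanChangeNow is false, the user simply has to wait until EligibleAt; if it is true, the rejection came from one of the other domain requirements and the Password complexity description shown to the user is the place to look.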
Brute force protection with account lockout
A brute force login attack is a common method attackers use to gain unauthorized access to user accounts: the attacker systematically guesses a user's password (or, in the Self-Service portal, the answers to the enrollment questions) by trying many combinations, usually with automated tools. To mitigate this risk, the number of invalid attempts is limited and the account is temporarily locked out. A lockout after several failed attempts disrupts automated guessing and makes brute force attacks impractical.
Cayosoft Administrator includes built-in brute force attack protection to safeguard user accounts. By default, if a user exceeds 5 unsuccessful attempts to reset a password or unlock an account through the Self-Service portal, the system displays one of the following messages:
You have made too many attempts. Please wait and try again later.
You have made too many unsuccessful sign-on attempts. You have been temporarily locked out of the portal. Please wait then try again later.
After reaching the limit, the user is temporarily locked out of the portal and must wait 10 minutes before attempting these actions again. This delay effectively thwarts automated tools and enhances the overall security of your environment. This portal lockout is separate from the Active Directory account lockout policy, which counts bad password attempts rather than wrong answers to enrollment questions. The number of invalid attempts and the lockout period can be specified in the More options section of the Password Self-Service Enrollment Details web action. Refer to the following article for additional information: Self-Service - Password Self-Service Enrollment Details web action.