Self-service screens:
Rather than provide these as part of the User Administration module, provide links to “Forgotten ID”, “Forgotten Password” and “Reset Security Questions” as part of the CAS login screen.
When clicked, the “Forgotten ID” button takes the user to a screen that captures the user's email address. Check the email address against the IAM database, but give no indication of whether it was found, because that would be an important clue to hackers: respond with the same standard message in either case, stating that the user ID has been sent to the appropriate email address. If the email address is valid, retrieve the corresponding user ID (the ID used to log into the SSO environment) and mail it to that address. Log all of these events.
When clicked, the “Forgotten Password” button takes the user to a screen that captures their User ID. It then retrieves their security questions and prompts the user for the answers. If the user answers correctly, a new password is generated, stored in the directory as a pre-expired password, and mailed to the user's email address retrieved from the database. The user will then have to change their password on first login, and could also be forced to set answers to new security questions. To prevent hackers from distinguishing valid User IDs from invalid ones, prompt the user for answers to two random security questions even when the User ID entered is invalid, and return the same standard error message afterwards, so that an invalid User ID and wrong answers to the security questions are indistinguishable to the person at the screen.
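The two flows above share one defensive pattern: the lookup result is recorded in the audit log, but the screen returns an identical message whether or not the ID or address exists, and an unknown User ID is still shown two questions. The following Python sketch is an added example, not code from the original text; the in-memory DIRECTORY, the OUTBOX that stands in for the mail gateway, the QUESTION_POOL and the sample user "jdoe" are all constructed for illustration, and the SHA-256 answer and password storage is a stand-in for whatever hashing the real directory performs.

```python
"""Enumeration-resistant "Forgotten ID" / "Forgotten Password" handlers.

Added example, not code from the original text. The directory, mail outbox
and question pool below are constructed stand-ins for the IAM database,
the mail server and the CAS login screen described in the text.
"""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("iam.selfservice")

# Hypothetical pool of security questions offered by the self-service screens.
QUESTION_POOL = [
    "What was the name of your first pet?",
    "In which town were you born?",
    "What was the make of your first car?",
    "What is your mother's maiden name?",
    "What was the name of your primary school?",
]


def answer_hash(answer: str) -> str:
    """Normalise (trim, lower-case) and hash an answer so plaintext is never stored."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class User:
    user_id: str
    email: str
    questions: dict[str, str] = field(default_factory=dict)  # question -> answer_hash
    password_hash: str = ""
    must_change_password: bool = False  # True means the password is stored pre-expired


# Constructed sample directory with a single user.
DIRECTORY = {
    "jdoe": User("jdoe", "jdoe@example.com", {
        QUESTION_POOL[0]: answer_hash("Rex"),
        QUESTION_POOL[1]: answer_hash("Springfield"),
    }),
}
EMAIL_INDEX = {u.email.lower(): u for u in DIRECTORY.values()}
OUTBOX: list[tuple[str, str]] = []  # constructed stand-in for the mail gateway

# One fixed message per flow, returned whether or not the lookup succeeded.
FORGOT_ID_MESSAGE = "Your user ID has been sent to the registered email address."
FORGOT_PW_MESSAGE = ("If the details supplied were correct, a temporary password "
                     "has been sent to the registered email address.")


def forgot_id(email: str) -> str:
    """Mail the user ID if the address is known; the reply never reveals whether it was."""
    user = EMAIL_INDEX.get(email.strip().lower())
    if user is not None:
        OUTBOX.append((user.email, f"Your user ID is {user.user_id}"))
    # The audit log records the real outcome; only the response to the screen is uniform.
    log.info("forgot_id email=%s found=%s", email, user is not None)
    return FORGOT_ID_MESSAGE


def questions_for(user_id: str) -> list[str]:
    """Two questions to display: the user's own for a known ID, otherwise two
    random decoys from the pool, so the screen looks the same for unknown IDs."""
    user = DIRECTORY.get(user_id)
    pool = list(user.questions) if user is not None else QUESTION_POOL
    return secrets.SystemRandom().sample(pool, 2)


def forgot_password(user_id: str, answers: dict[str, str]) -> str:
    """Verify two answers; on success store a pre-expired temporary password and mail it."""
    user = DIRECTORY.get(user_id)
    ok = False
    if user is not None and len(answers) == 2:
        # Every submitted question must be one the user actually set and every
        # answer must match; compare_digest keeps the comparison constant-time.
        ok = all(
            q in user.questions
            and hmac.compare_digest(user.questions[q], answer_hash(a))
            for q, a in answers.items()
        )
    if ok:
        temp = secrets.token_urlsafe(12)
        # Stand-in for the directory's own password storage.
        user.password_hash = hashlib.sha256(temp.encode("utf-8")).hexdigest()
        user.must_change_password = True  # pre-expired: forces a change at first login
        OUTBOX.append((user.email, f"Temporary password: {temp}"))
    # Unknown ID and wrong answers are logged differently but answered identically.
    log.info("forgot_password user_id=%s known=%s success=%s",
             user_id, user is not None, ok)
    return FORGOT_PW_MESSAGE


if __name__ == "__main__":
    print(forgot_id("jdoe@example.com"))
    print(forgot_id("nobody@example.com"))   # identical reply, nothing mailed
    shown = questions_for("ghost")            # two decoy questions for an unknown ID
    print(forgot_password("ghost", {q: "anything" for q in shown}))
    print(forgot_password("jdoe", {QUESTION_POOL[0]: " rex ",
                                   QUESTION_POOL[1]: "Springfield"}))
    print(OUTBOX)
```

The point to notice is what differs and what does not: the log lines carry `found=` and `success=` so an operator can spot a burst of failed lookups, while the strings handed back to the screen, and the fact that two questions are always shown, are the same for a valid and an invalid User ID.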
“Reset Security Questions” can only be clicked once the user has entered both User ID and password. Authentication proceeds as before, but the user is then taken to the Security Questions screen, where they select two or more questions and enter their answers. The Security Questions screen can also be set up to appear on a user's first login, and the entry of this data can be made mandatory or optional depending on your organisation's security policy. Once the user has entered this data, they should be redirected back to the original application they were trying to access.
All of these are important security events, so they must be logged as well.
Reset Password and Unlock Account:
While self-service features exist to help users regain access to the system when they forget their User ID or password, you will also need to provide your administrators the ability to force-reset a user's password and mail