User authentication and password management

Introduction

User management requires policies and techniques for new users and revised user credentials:

  • Knowledge Factor Token for User Authentication - Adds an additional security check for users.
  • User Initiated Password Reset - Sends a notification email after a user has updated their password.
  • Changing the Password Reset Link - Changes the password reset link, and does not send a temporary password.

Knowledge Factor Token for User Authentication

On the authentication page for passwords, an administrator can choose additional security for users. When the Use Knowledge Factor Token option is selected, a drop down list of fields are enabled. The admin can decide which field to use for user validation at first login and after password reset.

The knowledge factor token is an authentication credential consisting of information that a user possesses, such as a personal identification number (PIN), user name, password, or answer to a secret question. When the user accesses their login link, they have to provide that value. Once authenticated, the user can set their preferred password.

Moonlight Theme

User Initiated Password Reset

Typically, a user can change their password:

  • When logged in, by accessing the user profile, and then clicking Change my Password.
  • Before logging in, by clicking on the forgot password link. This link takes the user to a reset page where the user provides validation and then creates a new password.
In either case, an email is sent to the user to notify them that their password was successfully changed.

Platform generates a unique link everytime a new user account is activated or a user tries to reset the password.

The one-time activation link generated is user specific and if it is valid and in the time window, the user can enter their login name, and then click Submit.

When accepted, the user sees the Change Password page where the user enters a new password, and answers configured security questions. The user is then sent an email to inform that their password was changed.

The user can request for the password reset link multiple times. Once the password reset link expires, the user can perform the Forgot Password action again or request the administrator to reset their password. The default expiry time for the new user activation link or password reset link is 2 hours. This can be configured by modifying the shared property, NewUserPasswordActivationLinkExpiry (for new user activation) or PasswordActivationLinkExpiry (for password reset), at system level or authentication configuration at a tenant level by specifying the duration in the Password Activation Expiry Time field under Administration > Setup Home > Administration Setup > Authentication > Password .

Note:

Password reset link email expiration time and New user creation activation link expiration time are now separate operations and the links sent via email will persist across Platform restarts as well.

In case of Platform upgrade, the value configured for Password Reset Expiry Time is applicable only for Password reset Expiry Time field but not for the New User Activation Expiry Time.

The New User Activation Expiry Time field value needs to be explicitly changed after the upgrade.

The reset password link expires in the following cases:

  • If the activation link is not used within the specified time frame, the activation link expires
  • In case of multiple reset password requests, once a new password reset request is raised, the existing reset password link expires
  • Once the activation link is used within the time frame to reset the password, the link expires.

Note: The password reset link expiry time and the knowledge factor token can be retrieved and/or set using the getAuthentication and setAuthentication REST API methods . See getAuthentication and setAuthentication methods for more information.

Error logging

Platform provides error logs when an invalid user name is entered or the password link expires. The tenant administrator will be able to see these error logs in Setup Home>Monitoring>System Error Log. Below listed are reasons that can produce errors.

Error Message Reason
Invalid User Name or Password. Please try again. If you have forgotten your password, please use "Forgot password" link to reset it. A user enters a login name that is not present in the system.
Invalid User Name entered by the user for activation A user enters a login name present in the system but not associated with the given activation url.
Password activation link has expired for user The activation url has expired for a user. The activation url time is set using the PasswordActivationLinkExpiry shared property. See Shared Properties for more information.
Note: If you do not see the error message printed at Setup Home>Monitoring>System Error Log, check login.log.

Deprecated Tokens

The following tokens are deprecated when resetting the password and will not be shown in the Password Reset Notification Template. You can remove these tokens, otherwise, Platform will ignore these tokens.

{!#user_name_#} 
{!loginName}
{!#temporary_password_#} 
{!tempPassword}
{!#after_you_login_usin#}

We can use several parameters as part of the string such as user Id, client id, browser fingerprint, previous password, user info etc. But, we can keep this simple for now and extend it later if required.
(May be in user preferences or a preferable a separate table). I suggest that we store this only in memory so that its more secure. Only downside is a system restart will invalidate all issued links.) (suggested by Anoop)