User authentication and password management
Introduction
User management requires policies and techniques for new users and revised user credentials:
- Knowledge Factor Token for User Authentication - Adds an additional security check for users.
- User Initiated Password Reset - Sends a notification email after a user has updated their password.
- Changing the Password Reset Link - Changes the password reset link, and does not send a temporary password.
Knowledge Factor Token for User Authentication
On the authentication page for passwords, an administrator can choose additional security for users. When the Use Knowledge Factor Token option is selected, a drop-down list of fields is enabled. The administrator decides which field is used to validate the user at first login and after a password reset.
The knowledge factor token is an authentication credential consisting of information that a user possesses, such as a personal identification number (PIN), user name, password, or answer to a secret question. When the user accesses their login link, they have to provide that value. Once authenticated, the user can set their preferred password.
User Initiated Password Reset
Typically, a user can change their password:
- When logged in, by accessing the user profile, and then clicking Change my Password.
- Before logging in, by clicking on the forgot password link. This link takes the user to a reset page where the user provides validation and then creates a new password.
Changing the Password Reset Link
Platform generates a unique link every time a new user account is activated or a user tries to reset their password.
The one-time activation link is user specific; if it is valid and within its time window, the user can enter their login name and click Submit.
When accepted, the user sees the Change Password page, where the user enters a new password and answers the configured security questions. The user is then sent an email informing them that their password was changed.
The user can request the password reset link multiple times. Once the password reset link expires, the user can perform the Forgot Password action again or ask the administrator to reset their password. The default expiry time for the new user activation link or password reset link is 2 hours. This can be configured at system level by modifying the shared property NewUserPasswordActivationLinkExpiry (for new user activation) or PasswordActivationLinkExpiry (for password reset), or at tenant level in the authentication configuration by specifying the duration in the Password Activation Expiry Time field under Administration > Setup Home > Administration Setup > Authentication > Password.
The password reset link expiry time and the new user activation link expiry time are now configured separately, and the links sent by email persist across Platform restarts.
After a Platform upgrade, the value configured for Password Reset Expiry Time applies only to the Password Reset Expiry Time field, not to the New User Activation Expiry Time field.
The New User Activation Expiry Time field value must be changed explicitly after the upgrade.
The reset password link expires in the following cases:
- If the activation link is not used within the specified time frame, the activation link expires.
- In case of multiple reset password requests, once a new password reset request is raised, the existing reset password link expires.
- Once the activation link is used within the time frame to reset the password, the link expires.
Error logging
Platform writes an error log entry when an invalid user name is entered or the password link has expired. The tenant administrator can see these error logs in . The reasons that produce these errors are listed below.
| Error Message | Reason |
|---|---|
| Invalid User Name or Password. Please try again. If you have forgotten your password, please use "Forgot password" link to reset it. | A user enters a login name that is not present in the system. |
| Invalid User Name entered by the user for activation | A user enters a login name that is present in the system but not associated with the given activation URL. |
| Password activation link has expired for user | The activation URL has expired for a user. The activation URL lifetime is set using the PasswordActivationLinkExpiry shared property. See Shared Properties for more information. Note: If you do not see the error message at Setup Home > Monitoring > System Error Log, check login.log. |
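To make the link lifecycle rules above and the three error reasons in the table concrete, here is an added Python model (not Platform's own code) of what this section describes: one live link per user and link type, separately configurable expiries that default to the documented 2 hours, a new request superseding the existing link, single use, and a check of the entered login name against the link. The class, method and reason names are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Link:
    login: str
    kind: str              # "activation" (new user) or "reset" (forgot password)
    token: str             # the unique, user-specific value carried in the emailed URL
    expires_at: float
    revoked: bool = False  # set when superseded by a newer request or already used


class ResetLinkStore:
    """Illustrative model of the documented link rules; names are assumptions, not the product's."""

    def __init__(self, clock=time.time, activation_expiry=2 * 3600, reset_expiry=2 * 3600):
        # Defaults mirror the documented 2-hour default for the shared properties
        # NewUserPasswordActivationLinkExpiry and PasswordActivationLinkExpiry.
        self.clock = clock
        self.expiry = {"activation": activation_expiry, "reset": reset_expiry}
        self.by_token = {}   # token -> Link (revoked links are kept so they report "expired")
        self.current = {}    # (login, kind) -> token of the only live link for that user

    def issue(self, login, kind):
        old = self.current.get((login, kind))
        if old is not None:
            self.by_token[old].revoked = True   # a new request expires the existing link
        link = Link(login, kind, secrets.token_urlsafe(32), self.clock() + self.expiry[kind])
        self.by_token[link.token] = link
        self.current[(login, kind)] = link.token
        return link

    def redeem(self, token, login_entered, known_users):
        """Return 'ok' or the reason matching a row of the error table above."""
        if login_entered not in known_users:
            return "invalid_user"          # "Invalid User Name or Password..."
        link = self.by_token.get(token)
        if link is None or link.login != login_entered:
            return "user_link_mismatch"    # login exists but is not tied to this URL
        if link.revoked or self.clock() > link.expires_at:
            return "expired"               # window passed, superseded, or already used
        link.revoked = True                # single use: the link expires once it is used
        return "ok"
```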
Deprecated Tokens
The following tokens are deprecated for password resets and are no longer shown in the Password Reset Notification Template. You can remove these tokens from the template; otherwise, Platform ignores them.
{!#user_name_#} 
{!loginName}
{!#temporary_password_#} 
{!tempPassword}
{!#after_you_login_usin#}