Self-serve Password Reset (Details)
Users prefer Pleasant Password Server with a KeePass client!
Password reset functionality can now be configured by administrators via the Manage Reset Challenges screen under Users and Roles. On this screen system administrators can set up Challenge-Response configurations to determine security requirements of their users as well as to create Security Questions that users will have to answer in order to reset their passwords.
Note: In order to reset the password to an Active Directory account, the Directory configuration in
Password Server must allow for password changes.
See Advanced Settings in our Quick Active Directory and OpenLDAP User Guide (Version 7)
This is where challenge policies can be created, modified, and deleted. Challenge-Response policies are applied to user policies in order to allow the users in those user policies to access the Self-Serve Password Reset functionality. The information on the grid includes a quick breakdown of how many users have completed enrollment for their challenge policy, but a more detailed list is available in the Enrollment Report in the Reports menu.
The name of the Challenge configuration. This should be unique.
Leaving this enabled will allow users with this configuration to use the Self-Serve Reset system to reset their password.
Minimum questions to enroll
This is the number of questions that a user has to answer in order to set up their password reset functionality.
Minimum answers to reset
This is the number of questions a user has to answer correctly to reset their password. This should be less than or equal to the minimum questions to enroll.
Max attempts before lockout
After this many failed attempts at resetting their password, the user will be locked out of their account for the usual timeframe. If lockouts are disabled for a user policy, this does nothing.
Enabling this requires the user to configure an email for their account. When they attempt to reset their password, a message will be sent to their email with instructions on finishing their password reset.
Password Server supports additional two factor authentication methods such as YubiKey and Google Authenticator. If this setting is enabled, a user must configure one of these methods in order to register for the challenge policy, reset their password, even if it is not required by the policy attached to this challenge policy.
There are two fields here: the one on the left ("Selected") is the questions users in this challenge policy will be asked to answer. The one on the right ("Available") is a list of all questions that have been created. Questions can be dragged between the two areas to add or remove them from the policy.
This has a list of all user policies in the system. The challenge policy gets applied to each one that is checked off. If a user policy already has another challenge policy assigned to it, it will be replaced by the one you are configuring.
This is where questions for challenge policies are configured.
The name of the question. This should be meaningful and unique as it is how challenge policies identify available questions.
Text or image. A text question is a standard question that you can find in many password reset system. Setting a question as an image question causes a button to appear in order to upload images to the system. Users will be expected to pick one of the images based on the question.
Note: Challenge questions have changed as of version 7.10.18. in order to gain access to these new questions you will need to clear all previous challenge question data from the system and restart the server.
The question that a user is asked to answer. "What is your mother's maiden name?" or "What was the name of your first pet?" are common examples of questions to ask here.
There is a new link in the Manage Account screen called "Set Answers." This is where users are able to configure what they need to enroll for the self-serve password reset functionality.
If the user requires additional email or two-factor configuration, it is indicated here. Links are provided to the pages where these settings can be configured.
The list of all questions for the challenge policy are listed here. The user can answer as many as they want as long as it's more than the required number. Any questions left blank are simply ignored.
From the sign-in screen, there is a link for users who have forgotten their password. If they click it and put their username in on the next screen, they're able to go through the answers they configured, as well as taking steps to authenticate via two-factor providers or email if configured.
If a user is entered that doesn't exist, the questions for the default user policy are displayed. This helps to keep attackers from gaining information about users since all options appear to be valid.
Clearing Past Challenge Data
Navigate to Users and roles > Challenges. You will notice two tables: 1) Challenge Questions and 2) Available questions. We can take a look at the Available questions tables and see which Challenge questions have been attached to policies. If you receive a warning that your challenge questions cannot be removed because they are associated with a policy you will need to click into the challenge question record and uncheck all policies at the bottom.
Now you should be able to delete the Challenge questions. Next you can delete the available questions. After restarting the server you should see the new questions be populated in the database. There should be 19 in all but only 9 are set up by default as "available questions" .