Come see how we used Password Management from Novell to make it easy for our client's customers to manage their own passwords online. With an array of Novell's password management software, we helped improve productivity and security in a B2C environment.
The standard User Application has four different possible configurations for password self service:
Send existing password
Send new random password
All of these, however, require users to pre-fill answers to challenge questions which are used to authenticate users. This is a fine approach in an enterprise with a help desk. However, the client I was dealing with felt that their 300,000 worldwide users would not all pre-fill these challenge questions. This model was deemed unacceptable for a Business to Consumer (B-to-C) use case.
With 300,000 customer users, all of these approaches were insufficient. What the client was expecting was a solution which would allow a user to request an eMail which would simply allow the user to click on a link and change their password. Furthermore, the link should take the user directly to the page where they can reset their password and not require manually entering a temporary password or the user’s name.
We considered a simple solution where we would reset the user’s password when requested, however that approach would allow any person to reset a user’s password, resulting in effectively a denial of access condition. What we needed was to set a temporary alternative password – essentially what the challenge response does, and then use that to allow the user to immediately reset their password.
The solution is to create a component which, when the user clicks the “Forgot password?” link, sets an eDirectory attribute on the user object to the current time. This component uses a special user ID with rights to modify only that attribute on any object. An IDM driver then generates a random password and stores it in the user’s challenge response answers. It then sends the user an HTML eMail with a link which has a specially configured URL. The URL has the user’s name and the temporary random password built in via CGI parameters; i.e.:
A special local authentication class uses the Challenge Response NMAS method to authenticate the user using their user name and challenge responses, and then if successful, form-fills the two pages for user name and challenge answers.
With all of these moving parts, the user experience is that they click on an eMail, their browser chugs for a few seconds, and they are presented with a web page which allows them to reset their password.
The solution depends on the following infrastructure:
Two schema extension attributes were added to eDirectory to support this function:
cisPwdResetReqTime – Single Valued, Syntax TIME
cisPwdResetToken – Single Valued, Case exact string
These were added to an aux class called cisAux, although it could be used in any aux class.
Forgotten Password JSP page
A simple JSP page was created which accepts a single parameter of an eMail address. This page looks up the user’s DN and updates the user’s cisPwdResetReqTime with the current time. It was proposed that this page be protected from automated attacks by using the open-source JCaptcha class to require a user to type in a text string based on an intentionally distorted graphic. However, this was deemed unnecessary by the client.
The challenge response driver was installed and customized. A policy was added to the challenge response driver which generates the random password and sends the eMail to the user. The link in the eMail has the user’s name and the token response in CGI parameters; these are parameters in a URL after the ?. For example:
A simple Java class, based on the code in the Challenge Response Servlet, was created which takes in a user name and returns the challenge response questions. This was used to format the login page, which has the user name and challenge questions with input boxes for the answers. The page also checks whether CGI parameters are present and, if so, automatically fills them in and submits the page.
Local Authentication Class
The Local Authentication Class is configured to operate on this URL and will accept the input from the JSP, and, if the user is authenticated, allows them to proceed to the user application.
Form Fill Policies
Two separate protected resources are defined for the two pages, the first where the user name is requested and the second where the challenge answer is accepted. Each has a corresponding form fill policy filling in the answers from the user’s ID in eDirectory. An extra public resource /IDMProv/resource/* is needed to allow styles to be included on the page.
Upon completion of this sequence, the user is left at the password change message.
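As an added illustration (not code from the article, the client, or Novell's products), the following Python model walks the whole sequence end to end: the forgot-password page stamping cisPwdResetReqTime, the driver policy generating the random token and building the eMail link with the user name and token as CGI parameters, and the local authentication class checking those parameters. It assumes an in-memory dictionary standing in for eDirectory, a hypothetical reset URL, and two checks the article does not state but a reviewer would ask for: the token expires relative to cisPwdResetReqTime and is cleared after one successful use.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for eDirectory: DN -> attributes.  cisPwdResetReqTime is
# kept as epoch seconds (TIME syntax) and cisPwdResetToken holds the random
# temporary password the driver would otherwise place in the challenge answers.
DIRECTORY = {
    "cn=jdoe,ou=customers,o=cis": {"cn": "jdoe", "mail": "jdoe@example.com"},
}
TOKEN_TTL = 30 * 60  # assumed 30-minute validity window; the article sets none
RESET_URL = "https://idm.example.com/IDMProv/pwdreset.jsp"  # hypothetical

def find_dn_by_mail(mail):
    """Look up the user's DN from the eMail address, as the JSP page does."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("mail", "").lower() == mail.lower():
            return dn
    return None

def request_reset(mail, now):
    """'Forgot password?' page: only stamps cisPwdResetReqTime, using an
    identity allowed to write nothing else.  The caller learns nothing about
    whether the address exists, so the page cannot be used to enumerate users."""
    dn = find_dn_by_mail(mail)
    if dn:
        DIRECTORY[dn]["cisPwdResetReqTime"] = now
    return dn is not None  # for the test only; a real page would not reveal this

def driver_policy(dn):
    """Driver policy fired by the cisPwdResetReqTime change: generate a random
    token, store it as the challenge answer, and build the link for the eMail."""
    token = secrets.token_urlsafe(24)  # CSPRNG, not java.util.Random-style
    DIRECTORY[dn]["cisPwdResetToken"] = token
    return RESET_URL + "?" + urlencode({"user": DIRECTORY[dn]["cn"], "token": token})

def authenticate(url, now):
    """Local authentication class: compare the CGI parameters with the stored
    token in constant time, reject stale tokens, and burn the token on success."""
    q = parse_qs(urlparse(url).query)
    user, token = q.get("user", [""])[0], q.get("token", [""])[0]
    for attrs in DIRECTORY.values():
        if attrs["cn"] != user:
            continue
        stored, issued = attrs.get("cisPwdResetToken"), attrs.get("cisPwdResetReqTime")
        if not stored or issued is None or now - issued > TOKEN_TTL:
            return False
        if not hmac.compare_digest(stored, token):
            return False
        del attrs["cisPwdResetToken"]  # single use: a replayed link fails
        return True
    return False
```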
The author can be contacted for additional info at CISIDM@ciscony.com