User Reset
User Reset has the following options:
- Enable Authentication Questions — displays a Forgot Password link on the Login page and uses answers to pre-defined questions to authenticate a user’s identity
- Enable SMS Reset — displays a Forgot Password link on the Login page and uses Short Message Service (SMS) to send the user a text message with a verification code

The Authentication questions and settings are associated with the password set on the password application. These are not associated with a direct logon to IdentityIQ.
Authentication questions confirm a user's identity if they have forgotten their IdentityIQ password and the environment is configured to enable the question authentication feature. Question authentication is enabled using Enable Forgot Password on the Login Settings tab.
These questions display when you click the Forgot Password link on the Login page during the authentication process.
The Questions list can contain tags from the properties file configured when your IdentityIQ instance was deployed, text entered directly on this tab, or a combination of both. Mapping tags from a properties file is generally used for internationalization purposes.
Click the plus (+) icon to add a new question and the minus (-) icon to remove a question. You can enter as many questions as you deem necessary. A user who forgets their password must answer the designated number of questions in the list. The number of questions a user must answer for authentication is defined in the Settings section below.
When a user clicks the Forgot Password link and then selects and answers the authentication questions, by default the user’s answers are shown in plain text as they are typed in the user interface. If you want to obscure the user’s answers with asterisks as they are typed, use the debug page to add this entry key to IdentityIQ’s SystemConfiguration object:
<entry key="obscureAuthAnswers" value="true"/>
Use the Settings section to configure behaviors for password attempts.

Before you set up SMS Reset, you need the following items from twilio.com:
- an active Twilio account
- Twilio ID
- Twilio credentials (authentication token)
- From phone number configured on account
Password reset settings.

Number of questions asked to authenticate an identity
Specify the number of questions that must be answered correctly in order to reset the password.
Number of authentication answers a user must have defined in IdentityIQ
Specify the number of authentication answers that a user must provide to set up password reset.
Prompt users for answers to unanswered authentication questions upon successful login
Adds an extra layer of security to the logon screen. Select this option to have users prompted for answers until they define the required number, as defined on the Edit Preferences page, or if questions are added or changed.
When enabled, users are automatically redirected to the Answer Authentication Questions page upon successfully entering user name and password.
Maximum number of unsuccessful authentication attempts before IdentityIQ lockout
Specify the number of failed authentication answer attempts before the user is locked out of IdentityIQ.
After the maximum number of unsuccessful attempts, the SMS token is no longer accepted and the user must request a new code.
Number of minutes a user will remain locked out due to unsuccessful authentication
Specify how long a user is locked out after the specified number of failed authentication question answer attempts is exceeded.
A user with the proper capability can overwrite the lockout period.

Twilio Account ID
Enter the account ID you receive from Twilio when you set up your company Twilio account.
Twilio Authentication Token
Enter the authentication token you receive from Twilio when you set up your company Twilio account.
‘From’ Phone Number
Specify the phone number to use for sending the SMS message.
This phone number must be configured as the from number on your Twilio account.
Phone Number Attribute on Identity
Select the identity attribute that represents the mobile phone number. To define a new identity attribute, see Account Mappings.
For a user to reset their password using the SMS Reset feature, the field associated with their mobile phone number must contain a complete number including the area code. Using E.164 number formatting for all phone numbers in the “To” and “From” fields is strongly encouraged.
For more information, see SSO Configuration.
Verification Token Timeout (minutes)
Specify how long the user’s reset token is valid (in minutes).
Throttle requests at a rate of 1 per N minute(s)
Specify the limit on requests that can be made in a certain amount of time. For example, limit the requests to 1 every N minutes.
Maximum Failed Attempts
After reaching the maximum failed attempts, a user cannot verify a reset token until that token expires and a new token is requested.
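
The following added example models how Verification Token Timeout, the request throttle and Maximum Failed Attempts interact; it is not IdentityIQ code. The class name, the 6-digit code length, times expressed in seconds and the choice to refuse a new code while a locked token is still unexpired are assumptions of this model.

```python
import hmac
import secrets

class SmsResetPolicy:
    """Illustrative model of the SMS Reset controls; not IdentityIQ code."""

    def __init__(self, timeout_min, throttle_min, max_failed):
        self.timeout = timeout_min * 60      # Verification Token Timeout
        self.throttle = throttle_min * 60    # 1 request per N minutes
        self.max_failed = max_failed         # Maximum Failed Attempts
        self.tokens = {}                     # user -> token state

    def request(self, user, now):
        """Return a new code, or None if the request is refused."""
        tok = self.tokens.get(user)
        if tok:
            age = now - tok["issued"]
            if age < self.throttle:
                return None                  # throttled
            if tok["failed"] >= self.max_failed and age < self.timeout:
                return None                  # locked token has not expired yet
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit code
        self.tokens[user] = {"code": code, "issued": now, "failed": 0}
        return code

    def verify(self, user, submitted, now):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_token'."""
        tok = self.tokens.get(user)
        if tok is None or tok["code"] is None:
            return "no_token"
        if now - tok["issued"] >= self.timeout:
            return "expired"
        if tok["failed"] >= self.max_failed:
            return "locked"                  # even the correct code is refused
        if hmac.compare_digest(tok["code"].encode(), submitted.encode()):
            tok["code"] = None               # single use; keep issue time for throttle
            return "ok"
        tok["failed"] += 1
        return "locked" if tok["failed"] >= self.max_failed else "wrong"
```

With a 10-minute timeout, a 2-minute throttle and 3 failed attempts, a guesser gets at most 3 tries per 10-minute window under this model, which is the figure to weigh against the code length when choosing these settings.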