Let’s walk through the complete password reset workflow for a user with 2FA enabled. It may also be helpful to review our support documents detailing how to set up 2FA in Cerberus FTP Server. Please note that the password reset feature is available for native Cerberus accounts only.
The “Forgot your password?” link appears on the login page when the HTTP/S listener has Allow Password Reset Requests enabled:
This link allows users who’ve forgotten their password to reset it, as long as they can prove their identity by other means. When the user clicks this link, Cerberus FTP Server takes the user through a multi-step workflow giving them an opportunity to prove that they should have access to the account.
Cerberus FTP Server considers the user’s identity proven when they…
1. Provide the account’s username, first name, and last name.
Note that the user’s first name, last name, and email address must already be filled in under the ‘Profile’ settings of the user account. Otherwise, an error is displayed stating that Cerberus cannot find the user.
2. Prove they have access to the account’s email address.
Once the user’s username, first name, and last name have been validated, Cerberus generates a cryptographically secure random link and sends it to the email address associated with the account. The user must receive this email and click the contained link.
3. Provide correct answers to the account’s “Security Questions”.
The user must have previously set two Security Questions and Answers in their Web Client account, and must answer both correctly.
Because the account is 2FA-enabled, the user will also…
Once all of this is completed, the user is allowed to reset the account password and may then log in with their new credentials.
After providing their username and new password, 2FA-enabled users must again provide a valid second factor response.
Requirements and Limitations
HTTP/S Listener Must Allow Reset Requests
If the Allow Password Reset Requests option is disabled, the “Forgot your password?” link will not appear on the login page.
Native Cerberus Accounts Only
AD and LDAP accounts are not allowed to use forgotten password reset. Users who have forgotten their AD passwords must follow procedures set by their Windows Domain administrators to reset it. For security reasons, this is considered out of Cerberus FTP Server’s scope of operation.
Required Account Properties
An account must have these properties set to use forgotten password reset:
- First Name
- Last Name
- Valid email address
- Security Questions and Answers set by the end-user
2FA either Disabled or Enabled
(access is denied if 2FA is Locked-out or Pending Activation)
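The workflow above (steps 1 to 3, then login with the second factor) together with the eligibility checks under Requirements and Limitations, modelled as an added Python example. This is not Cerberus FTP Server’s code: the Account fields, the ResetFlow class, the 15-minute link lifetime and the PBKDF2 parameters are assumptions made for the illustration. It shows the properties worth checking in any reset flow of this shape: the emailed link comes from a CSPRNG and only its hash is stored server-side, the link expires and is single-use, security answers are compared in constant time, and a reset session cannot set a password until both the email step and the question step have passed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

LINK_TTL_SECONDS = 15 * 60   # assumed lifetime of the emailed reset link

def hash_secret(secret: str, salt: bytes, normalise: bool = False) -> bytes:
    """Salted PBKDF2. Security answers are normalised (case, whitespace); passwords are not."""
    secret = secret.strip().lower() if normalise else secret
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    email: str
    account_type: str = "native"    # "native", "ad" or "ldap"
    two_factor: str = "disabled"    # "disabled", "enabled", "locked_out", "pending"
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    security_answers: dict = field(default_factory=dict)   # question -> hashed answer
    password_hash: bytes = b""

    def set_security_answers(self, qa: dict) -> None:
        self.security_answers = {q: hash_secret(a, self.salt, True) for q, a in qa.items()}

def eligible_for_reset(acct: Account) -> tuple:
    """The 'Requirements and Limitations' checks, in the order the page lists them."""
    if acct.account_type != "native":
        return False, "AD/LDAP accounts reset through the domain, not here"
    if not (acct.first_name and acct.last_name and "@" in acct.email):   # crude email check
        return False, "first name, last name and email must be set on the profile"
    if len(acct.security_answers) < 2:
        return False, "two security questions must be set by the end-user"
    if acct.two_factor not in ("disabled", "enabled"):
        return False, "2FA is locked out or pending activation"
    return True, "ok"

class ResetFlow:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.links = {}      # sha256(token) -> (username, expiry); the raw token is never stored
        self.sessions = {}   # session id -> {"user", "questions_ok"}

    # Step 1: username, first name and last name must match an eligible account.
    def request_reset(self, username, first, last, now: Optional[float] = None):
        acct = self.accounts.get(username)
        if acct is None or (acct.first_name, acct.last_name) != (first, last):
            return None                       # "Cerberus cannot find the user"
        if not eligible_for_reset(acct)[0]:
            return None
        raw = secrets.token_urlsafe(32)       # CSPRNG-backed, 256 bits of entropy
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self.links[digest] = (username, (now or time.time()) + LINK_TTL_SECONDS)
        return raw                            # this is what the emailed link carries

    # Step 2: opening the link proves mailbox control; the link is single-use and expires.
    def open_link(self, raw, now: Optional[float] = None):
        entry = self.links.pop(hashlib.sha256(raw.encode()).hexdigest(), None)  # pop: no replay
        if entry is None or (now or time.time()) > entry[1]:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": entry[0], "questions_ok": False}
        return sid

    # Step 3: every stored answer must match; compare in constant time with no early exit.
    def answer_questions(self, sid, answers: dict) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        acct = self.accounts[sess["user"]]
        ok = len(answers) == len(acct.security_answers)
        for q, stored in acct.security_answers.items():
            ok &= hmac.compare_digest(hash_secret(answers.get(q, ""), acct.salt, True), stored)
        sess["questions_ok"] = ok
        return ok

    # Final step: only a session that passed steps 2 and 3 may set a new password.
    def set_password(self, sid, new_password) -> bool:
        sess = self.sessions.get(sid)
        if sess is None or not sess["questions_ok"]:
            return False
        del self.sessions[sid]                # the session is consumed by the reset
        acct = self.accounts[sess["user"]]
        acct.password_hash = hash_secret(new_password, acct.salt)
        return True

    # Login after the reset: a 2FA-enabled account still needs its second factor.
    def login(self, username, password, second_factor_valid=False) -> str:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(hash_secret(password, acct.salt), acct.password_hash):
            return "denied"
        return "ok" if acct.two_factor != "enabled" or second_factor_valid else "second_factor_required"
```

Usage follows the page’s order: request_reset returns the token the email would carry, open_link redeems it once and starts a session, answer_questions must succeed before set_password will accept a new password, and login on a 2FA-enabled account returns "second_factor_required" until a valid second factor is supplied, matching the final step of the workflow. An AD account or an account whose 2FA is locked out or pending activation is refused at step 1.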