
password reset requirements

Comments

3 comments

  • Charles Cresswell

    The OTP requirement during a password reset should ideally be available at the individual account level, because some accounts should be blocked for reset without OTP because of the confidentiality of their access, whereas others, such as our supply chain files, which tend to be design creatives, just need email verification for a password reset.

    0
  • Connor Woolfolk
    Community Manager

    Hello Charles,

    Unfortunately, the requirement to answer secret questions is a security feature that is controlled with the same functionality that allows users to reset their passwords themselves, and is a needed piece of making sure the user trying to reset their password is the actual owner of the account. I don't think that is something we would be looking to remove from the password reset process at current.

    But with the other pieces here, I'll go ahead and get your request over to our product team for their review. If we have any follow-up questions, we'll be sure to reach out here, or through a ticket.

     

    0
  • Charles Cresswell

    OK, thanks for the update.

    I am afraid I do disagree on your answer a little, as it is up to each organisation to decide if such a thing is needed in their security approach and how they declare the safety of their infrastructure to their own auditors, so I do not think it should be something dictated by your product but instead provided as an option in your product.

    I rely on you more for your security protocols compliance rather than decisions on how I should manage users. We will likely just get people continuing to contact us because they cannot remember their secret questions.

    But regardless, thank you for taking a look at it. It is a slight irritation in a product that has many features simply not available elsewhere.

    0
