password reset requirements
We use the FTP server for our supply chain uploads as well as our governing Council. This means that not only are accounts not personal in some cases, but, as an organisation with international members, users' real first names are sometimes Anglicised to resolve pronunciation issues.
As a result it would be helpful if we could turn off and on three features in the password reset process:
1. requirement to enter real name
2. requirement to answer secret questions (and to include the need to set them up in the first place)
3. require OTP during a password reset
In our use case we would want (1) and (2) off and (3) on to mitigate security risk. As it is now we are getting direct emails because our users often do not get (1) and (2) correct as it is not a personal account.
The OTP requirement during a password reset should ideally be available at the individual account level because some accounts should be blocked for reset without OTP because of the confidentiality of their access, whereas others such as our supply chain files which tend to be design creatives just need email verification for a password reset.
Hello Charles,
Unfortunately, the requirement to answer secret questions is a security feature that is controlled with the same functionality that allows users to reset their passwords themselves, and is a needed piece of making sure the user trying to reset their password is the actual owner of the account. I don't think that is something we would be looking to remove from the password reset process at current.
But with the other pieces here, I'll go ahead and get your request over to our product team for their review. If we have any follow up questions, we'll be sure to reach out here, or through a ticket.
OK, thanks for the update.
I am afraid I do disagree with your answer a little, as it is up to each organisation to decide if such a thing is needed in their security approach and how they declare the safety of their infrastructure to their own auditors, so I do not think it should be something dictated by your product but instead provided as an option in your product.
I rely on you more for your security protocols compliance rather than decisions on how I should manage users. We will likely just get people continuing to contact us because they cannot remember their secret questions.
But regardless, thank you for taking a look at it. It is a slight irritation in a product that has many features simply not available elsewhere.