Self-service password reset is the process that allows users to reset their forgotten password by proving their identity through other means. Challenge answers or OTPs sent to mobile devices are the typical alternative methods of identification. Enrollment of these methods through PortalGuard is described below.
First, the user attempts to log in to their company's existing portal as usual. PortalGuard intercepts the login attempt, validates the credentials, then checks whether the user has enrolled their alternative methods (as defined in the PortalGuard security policies). If not, PortalGuard automatically displays the enrollment screen in "sidecar" mode. Depending on how the administrator has configured PortalGuard, the end-user may be allowed to temporarily skip answering the enrollment questions or supplying their phone or email information; if so, the end-user is allowed to continue as normal. If the administrator has configured forced enrollment, the user must complete enrollment before the original login is allowed to continue.
For challenge answers, the administrator can set the number of questions that are optional and the number that are mandatory. The administrator can also set requirements for the question answers, such as minimum length, case sensitivity, prevention of repetitive answers, and prevention of words from the question being used as the answer. Challenge answers are cryptographically hashed and stored on a central server to support roaming users and avoid the need to re-enroll on multiple machines. For phone or email enrollment, the contact information and time of enrollment are also stored centrally.
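As an added illustration of the answer rules and central hashed storage described above (example code, not PortalGuard's own implementation), the following checks an answer against a constructed policy and stores it as a salted PBKDF2-HMAC-SHA256 hash; the policy values, the KDF choice and its parameters are assumptions, not PortalGuard defaults.

```python
import hashlib
import hmac
import os
import re

# Constructed policy knobs mirroring the admin-configurable rules in the text
# (assumed values, not PortalGuard defaults).
POLICY = {"min_length": 4, "case_sensitive": False, "max_repeat_run": 3}


def normalize(answer: str, policy: dict) -> str:
    """Trim whitespace; fold case when the policy is case-insensitive."""
    a = answer.strip()
    return a if policy["case_sensitive"] else a.casefold()


def check_answer(question: str, answer: str, previous=(), policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the answer is acceptable."""
    problems = []
    a = normalize(answer, policy)
    if len(a) < policy["min_length"]:
        problems.append("too short")
    # Reject repetitive answers such as "aaaa" or "1111" (more than max_repeat_run in a row).
    if re.search(r"(.)\1{%d,}" % policy["max_repeat_run"], a):
        problems.append("repetitive characters")
    # Reject answers that reuse a significant word from the question itself.
    question_words = {w for w in re.findall(r"[a-z]+", question.casefold()) if len(w) > 2}
    if any(w in question_words for w in re.findall(r"[a-z]+", a.casefold())):
        problems.append("contains a word from the question")
    # Reject the same answer being reused for another enrolled question.
    if a in {normalize(p, policy) for p in previous}:
        problems.append("duplicates another answer")
    return problems


def enroll_answer(answer: str, policy: dict = POLICY, iterations: int = 200_000) -> dict:
    """Hash the normalized answer with a fresh random salt for storage on the central server."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer, policy).encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_answer(record: dict, candidate: str, policy: dict = POLICY) -> bool:
    """Recompute the hash for the candidate answer and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate, policy).encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```

Because the answer is normalized before hashing, a case-insensitive policy still verifies "smith" against an enrollment of "Smith" without storing the answer in clear text.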
Once the end-user has completed enrollment, if the user later forgets their password they are prompted to answer a subset of their challenge questions, to provide an OTP sent to their mobile phone or alternative email address, or both. Once they have sufficiently proven their identity, they are allowed to reset their password, which is subject to PortalGuard's highly configurable password complexity rules.