Lock the Forgotten Password Reset or Forgotten User ID Task
To secure the Forgotten Password Reset or Forgotten User ID task, you can limit the number of failed verification attempts a user makes. Once a user exceeds the failed attempt limit, the task locks, and the user can no longer access it.
You can determine what Identity Manager considers a failed verification attempt. The definition of a failed attempt may be very strict, such as answering one verification question incorrectly, or more lenient to allow for mistakes, such as mis-typing an answer.
You can also configure Identity Manager to lock the Forgotten Password Reset or Forgotten User ID task after a specified number of successful verification attempts. This prevents users from using the Forgotten Password Reset or Forgotten User ID task instead of remembering login credentials.
Configure a Failed Attempt Limit
To configure Identity Manager to lock the Forgotten Password Reset or Forgotten User ID task after failed verification attempts:
- Navigate to the Configure Forgotten Password Search Screen, if necessary.
- Configure the criteria for verification failure, as needed:
  - Number of acceptable incorrect answers--The number of incorrect answers a user can provide before Identity Manager records a verification failure.
  - Verification page timeout--The amount of time a user has to answer all of the questions on a page.
  - Verification page attempt limit--The number of times a user can attempt to answer the questions on a page. If only one question appears per page, the Verification page attempt limit is the number of times a user can try to answer that question.
  Specify 0 for the options that do not apply. If a user exceeds any of the specified criteria, Identity Manager records a verification failure.
- In the Failed Attempt Limit field, enter the number of consecutive times a user can fail the verification process before they are locked out of the task. Identity Manager locks the user out of the task, and optionally disables the user’s account, if the user attempts to verify his identity when the Failed Attempt Limit has been reached. For example, if the failed attempt limit is 3, the user is locked and disabled on the third failed attempt.
- Select the Disable User check box to disable a user’s account in addition to locking the task when the failed attempt limit is exceeded.
- In the Failed Attempt Lockout Length field, enter the length of time that a user is locked out of the task if they exceed the failed attempt limit. You can specify minutes, hours, and days. To indicate that a particular limit does not apply, enter 0.
- Select the attribute that Identity Manager will use to track verification attempts in the Attempt Tracking Attribute field. The attribute you specify must be defined in the directory configuration file (directory.xml) for the Identity Manager environment.
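The following Python model is an added example, not Identity Manager code. It shows how the settings above interact when you review a proposed configuration: which attempts count as a verification failure, and when the consecutive-failure counter locks the task. The class and field names, the timeout unit in seconds, reading "exceeds" as strictly greater, and resetting the counter on success and on lockout expiry are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    # Names mirror the page's fields. 0 = criterion or limit does not apply.
    acceptable_incorrect_answers: int
    page_timeout_seconds: int          # unit is an assumption
    page_attempt_limit: int
    failed_attempt_limit: int
    lockout_length: timedelta
    disable_user: bool = False

@dataclass
class Attempt:                         # hypothetical summary of one verification pass
    incorrect_answers: int
    slowest_page_seconds: int
    most_tries_on_one_page: int

@dataclass
class Tracking:                        # state an attempt-tracking attribute would carry
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False

def exceeds(value: int, limit: int) -> bool:
    return limit != 0 and value > limit    # "exceeds" read as strictly greater (assumption)

def is_failure(p: Policy, a: Attempt) -> bool:
    return (exceeds(a.incorrect_answers, p.acceptable_incorrect_answers)
            or exceeds(a.slowest_page_seconds, p.page_timeout_seconds)
            or exceeds(a.most_tries_on_one_page, p.page_attempt_limit))

def record(p: Policy, t: Tracking, a: Attempt, now: datetime) -> str:
    if t.disabled:
        return "locked"
    if t.locked_until is not None:
        if now < t.locked_until:
            return "locked"                # still inside the lockout length
        t.locked_until, t.consecutive_failures = None, 0   # assumed reset on expiry
    if not is_failure(p, a):
        t.consecutive_failures = 0         # only consecutive failures count
        return "verified"
    t.consecutive_failures += 1
    if p.failed_attempt_limit and t.consecutive_failures >= p.failed_attempt_limit:
        t.locked_until = now + p.lockout_length
        t.disabled = p.disable_user
        return "locked"                    # limit 3 -> locked on the third failure
    return "failed"
```
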
Configure a Successful Attempt Limit
Limiting the number of successful verification attempts prevents users from misusing the Forgotten Password Reset or Forgotten User ID task. For example, a user may rely on the Forgotten Password Reset task to reset a password instead of having to remember a password that conforms to a strict password policy.
To limit successful verification attempts:
- Navigate to the Configure Forgotten Password Search Screen, if necessary.
- Select the attribute that Identity Manager will use to track verification attempts in the Attempt Tracking Attribute field.
- In the Successful Attempt Limit field, enter the number of days that users must wait before using the task.