Lock the Forgotten Password Reset or Forgotten User ID Task

Learn how to lock the Forgotten Password Reset or the Forgotten User ID task.
To secure the Forgotten Password Reset or Forgotten User ID task, you can limit the number of failed verification attempts a user makes. Once a user exceeds the failed attempt limit, the task locks, and the user can no longer access it.
You can determine what Identity Manager considers a failed verification attempt. The definition of a failed attempt may be strict, such as answering one verification question incorrectly, or more lenient to allow for mistakes, such as mistyping an answer.
You can also configure Identity Manager to lock the Forgotten Password Reset or Forgotten User ID task after a specified number of successful verification attempts. This prevents users from using the Forgotten Password Reset or Forgotten User ID task instead of remembering login credentials.
This page contains the following topics:
  • Configure a Failed Attempt Limit
  • Configure a Successful Attempt Limit
  • Configure Allowed Disabled Reasons

Configure a Failed Attempt Limit

To configure Identity Manager to lock the Forgotten Password Reset or Forgotten User ID task after failed verification attempts:
  1. In the Identity Manager User Console, navigate to the Configure Forgotten Password Search screen.
  2. Configure the criteria for verification failure, as needed:
    • Number of acceptable incorrect answers--The number of incorrect answers a user can provide before Identity Manager records a verification failure.
    • Verification page timeout--The amount of time a user has to answer all of the questions on a page.
    • Verification page attempt limit--The number of times a user can attempt to answer the questions on a page. If only one question appears per page, the Verification page attempt limit is the number of times a user can try to answer that question.
    Specify 0 for the options that do not apply.
    If a user exceeds any of the specified criteria, Identity Manager records a verification failure.
  3. In the Failed Attempt Limit field, enter the number of consecutive times a user can fail the verification process before they are locked out of the task.
    Identity Manager locks the user out of the task, and optionally disables the user’s account, if the user attempts to verify their identity when the Failed Attempt Limit has been reached. For example, if the failed attempt limit is 3, the user is locked and disabled on the third failed attempt.
  4. Select the Disable User check box to disable a user’s account in addition to locking the task when the failed attempt limit is exceeded.
  5. In the Failed Attempt Lockout Length field, enter the length of time that a user is locked out of the task if they exceed the failed attempt limit.
    You can specify minutes, hours, and days. To indicate that a particular limit does not apply, enter 0.
  6. In the Attempt Tracking Attribute field, select the attribute that Identity Manager uses to track verification attempts.
    The attribute that you specify must be defined in the directory configuration file (directory.xml) for the Identity Manager environment.
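As an added illustration (not part of the Identity Manager product or of this documentation), the following Python model shows how the settings from steps 2 through 6 interact: the per-page criteria decide whether an attempt counts as a verification failure, consecutive failures are counted in a stand-in for the Attempt Tracking Attribute, the task locks (and optionally the account is disabled) when the Failed Attempt Limit is reached, and the lock expires after the Failed Attempt Lockout Length. It also applies the Successful Attempt Limit wait described in the next section. The class and function names, the sample values, and the treatment of a lockout length of 0 as a lock that does not expire on its own are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    """Settings from the Configure Forgotten Password Search screen (constructed sample values)."""
    acceptable_incorrect_answers: int = 1           # 0 = criterion does not apply
    page_attempt_limit: int = 3                     # 0 = criterion does not apply
    page_timeout: timedelta = timedelta(minutes=2)  # zero = criterion does not apply
    failed_attempt_limit: int = 3                   # consecutive failures before the task locks
    failed_attempt_lockout_length: timedelta = timedelta(hours=1)  # zero = never expires (assumption)
    disable_user: bool = True                       # Disable User check box
    successful_attempt_limit_days: int = 0          # days to wait after a successful use; 0 = no limit


@dataclass
class AttemptRecord:
    """Per-user state; stands in for the Attempt Tracking Attribute (hypothetical layout)."""
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False
    last_success: Optional[datetime] = None


def page_failed(policy: LockoutPolicy, incorrect_answers: int,
                page_attempts: int, elapsed: timedelta) -> bool:
    """A verification page counts as a failure when any configured criterion is exceeded."""
    if policy.acceptable_incorrect_answers and incorrect_answers > policy.acceptable_incorrect_answers:
        return True
    if policy.page_attempt_limit and page_attempts > policy.page_attempt_limit:
        return True
    if policy.page_timeout and elapsed > policy.page_timeout:
        return True
    return False


def task_available(policy: LockoutPolicy, record: AttemptRecord, now: datetime) -> bool:
    """May the user start the task now? An expired lockout is cleared here."""
    if record.disabled:
        return False  # a disabled account needs an administrator, not a timer
    if record.locked_until is not None:
        if now < record.locked_until:
            return False
        record.locked_until = None          # lockout expired: start counting afresh
        record.consecutive_failures = 0
    if policy.successful_attempt_limit_days and record.last_success is not None:
        if now < record.last_success + timedelta(days=policy.successful_attempt_limit_days):
            return False                    # still inside the Successful Attempt Limit wait
    return True


def record_attempt(policy: LockoutPolicy, record: AttemptRecord, failed: bool, now: datetime) -> str:
    """Apply one verification attempt and report the outcome."""
    if not task_available(policy, record, now):
        return "unavailable"
    if not failed:
        record.consecutive_failures = 0     # only consecutive failures count
        record.last_success = now
        return "verified"
    record.consecutive_failures += 1
    if policy.failed_attempt_limit and record.consecutive_failures >= policy.failed_attempt_limit:
        # Limit 3 means the lock happens on the third failed attempt, as the page describes.
        if policy.failed_attempt_lockout_length:
            record.locked_until = now + policy.failed_attempt_lockout_length
        else:
            record.locked_until = datetime.max  # assumption: a length of 0 never expires by itself
        if policy.disable_user:
            record.disabled = True
        return "locked"
    return "failed"


if __name__ == "__main__":
    policy, user, t0 = LockoutPolicy(), AttemptRecord(), datetime(2024, 1, 1, 9, 0)
    for _ in range(3):
        print(record_attempt(policy, user, failed=True, now=t0))   # failed, failed, locked
    print(user.disabled, record_attempt(policy, user, True, t0 + timedelta(hours=2)))
```

The model treats a disabled account as needing administrator action, whereas a plain task lockout clears itself once the lockout length has passed; that distinction is why the Disable User check box is a separate decision from the lockout length.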

Configure a Successful Attempt Limit

Limiting the number of successful verification attempts prevents users from misusing the Forgotten Password Reset or Forgotten User ID task. For example, a user may rely on the Forgotten Password Reset task to reset a password instead of having to remember a password that conforms to a strict password policy.
To limit successful verification attempts:
  1. In the Identity Manager User Console, navigate to the Configure Forgotten Password Search screen.
  2. In the Attempt Tracking Attribute field, select the attribute that Identity Manager uses to track verification attempts.
  3. Enter the number of days that users must wait before using the task in the Successful Attempt Limit field.

Configure Allowed Disabled Reasons

A user password is disabled when the password does not meet the configured password policy. A user can initiate the Forgotten Password task from the login page only when an administrator configures the password-disabled states in the Identity Manager User Console.
Follow these steps:
  1. In the Identity Manager User Console, navigate to the Configure Forgotten Password Search screen.
  2. In the Limits and Actions section, configure the password-disabled states in the Allowed Disabled Reasons field:
    • Disabled due to extended inactivity: %Enabled_State% = 4
    • Disabled due to too many failed logins: %Enabled_State% = 2
    • Disabled due to an expired password: %Enabled_State% = 8
    • Disabled by Administrator: %Enabled_State% = 1
    • The password must change: %Enabled_State% = 16777216
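As an added example (not from the product documentation), the Python below decides whether a user with a given %Enabled_State% value may start the Forgotten Password task from the login page, using the values listed above. Because the listed values are distinct powers of two, it assumes the state is a bit field in which a user can carry more than one disabled reason at once, and it assumes a state of 0 means the account is not disabled; both are assumptions made for the example, not statements from the page, and the function names are hypothetical.

```python
# Values from the Allowed Disabled Reasons list above.
DISABLED_REASONS = {
    1: "Disabled by Administrator",
    2: "Disabled due to too many failed logins",
    4: "Disabled due to extended inactivity",
    8: "Disabled due to an expired password",
    16777216: "The password must change",
}

# Assumption for this example: %Enabled_State% is a bit field, so several reasons can be set together.
KNOWN_BITS = 0
for _bit in DISABLED_REASONS:
    KNOWN_BITS |= _bit


def decompose_state(enabled_state: int) -> set:
    """Return the set of known reason values present in the state."""
    return {bit for bit in DISABLED_REASONS if enabled_state & bit}


def unknown_bits(enabled_state: int) -> int:
    """Bits in the state that match none of the listed reasons."""
    return enabled_state & ~KNOWN_BITS


def may_start_forgotten_password(enabled_state: int, allowed_reasons) -> bool:
    """True only if every reason the user is disabled for is among the allowed ones.

    A state of 0 is treated as 'not disabled' (assumption); any bit the
    administrator has not listed, or that is not a known reason, denies access.
    """
    if enabled_state == 0:
        return True
    if unknown_bits(enabled_state):
        return False
    return decompose_state(enabled_state) <= set(allowed_reasons)


def describe_state(enabled_state: int) -> list:
    """Human-readable reasons, in the order listed on the screen (for logging)."""
    return [DISABLED_REASONS[bit] for bit in (4, 2, 8, 1, 16777216) if enabled_state & bit]


if __name__ == "__main__":
    allowed = {8, 16777216}   # constructed administrator choice: expired or must-change only
    for state in (0, 8, 1, 8 | 2, 32):
        print(state, describe_state(state), may_start_forgotten_password(state, allowed))
```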