Password reset

Pointsharp Password Reset lets a user reset the Pointsharp Password or the domain password of their account. Password Reset can be configured to require two-factor authentication before a user may reset their own password; this makes it possible to publish the password reset to users who are not connected to the corporate network without relying on the network as a trust boundary.

If Pointsharp ID OATH tokens are used for authentication, they can also be used in the password reset flow.

Reply messages

The Password Reset client is integrated into the User Portal, and its reply messages can be configured in the User Portal translation files. If the messages are used by third-party clients, they can still be edited directly in the configuration XML file PSID3.xml.

Pointsharp Password general

User flow
  1. The user is challenged to enter username and a user attribute value.

  2. The user attribute value received from the user is compared to the value stored on the user in User Storage on the attribute User Attribute.

  3. If the value matches and the system is configured to challenge the user, the user is challenged for an OTP.

  4. If the OTP Setting is set to None, no challenge for a valid OTP is performed and the user is directed to the next step.

  5. If the OTP Setting is set to SMS, the OTP is sent to the user.

  6. If the OTP Setting is set to OATH, the user is challenged to enter an OTP from an OATH token.

  7. The user is asked to enter a new password.

  8. If password challenge is enabled, the user is asked to enter the new password again.

  9. Pointsharp ID resets the user’s password in Pointsharp Password.

An authentication method named PR_INTERNAL_PP is added to the system when Password Reset is enabled. This method exposes the Password Reset functionality as an authentication method through a RADIUS listener. To disable the RADIUS interface, remove the authentication method.
Password Reset is configured both in Pointsharp Server, and on the IIS holding the Web portal.
Parameter Description

Enabled

Check this to enable Password Reset.

Password Challenge

Check this to enable password challenge, i.e. the user is challenged to enter the new password a second time.

Timeout

Set the timeout in minutes: the time interval after which the user session is invalidated. A user is not allowed to start a new password reset before this time has expired. The default is 15 minutes. This limits the rate at which resets (and the OTP deliveries they trigger) can be requested for an account, which mitigates Denial-of-Service attacks.

Unlock Pointsharp Account

Check this to unlock the Pointsharp accounts that are locked or time-locked when performing Password Reset.

Default this is set to true.

Initial challenge

The initial challenge is where the user needs to provide knowledge of a value associated with the user in the system.

User Attribute

Set this to the user attribute, stored on the user in User Storage, that the user must enter at the initial challenge. That is, the user starts the Password Reset process by entering the username and the value of this user attribute, and if the value is correct the next step in the Password Reset process follows.

Default this is set to mobile.

Require Exact Length

Check this to only allow the exact match (case-insensitive) of the user attribute. Default this is set to false.

Match Ending Characters

The number of characters at the end of the stored user attribute that must match the end of the value entered by the user for the comparison to count as a match.

Default this is set to 4.

Pointsharp Password OTP Settings

Parameter Description

OTP Setting

Select SMS if the OTP is sent to the user on demand by SMS, or OATH if the user must enter a valid OTP from an OATH token. Set to None to disable the challenge for a valid OTP.

OATH Window Size

Valid for OTP Setting = OATH

The number of allowed non-synchronized OTPs of a token. If a token has accidentally generated several OTPs that were never submitted, this window size makes Pointsharp ID try to synchronize the provided OTP with the counter currently stored in the system. For example, if a token has generated 21 OTPs since its last use, Pointsharp ID will allow the token to be synchronized as long as the window size is larger than 20.

Default: 25

OTP Attribute

The user attribute from which the destination address is retrieved, for example the mobile phone number or the email address.

Default this is set to mobile.

OTP Length

The length of the OTP in number of characters.

Default this is set to 6.

OTP Alphabet

The characters of the alphabet are used when randomly generating the OTP for the user. For example, if the OTPs should only contain 1's, 2's, a's and b's, set the alphabet to "12ab". To increase the probability that a given character is chosen, repeat that character in the alphabet. Note that some characters look alike on low-resolution screens (such as 1 and l, 0 and O).

Default this is set to 234567892345678923456789abcdefghijkmnopqrstuvwxyz.

OTP Message

Set the message to use when distributing the OTP to the user. The {otp} is replaced with the OTP by Pointsharp ID and {username} is replaced with the username.

Default this is set to: "Hi {username}, here is the Pointsharp Password Reset code {otp}."

Primary Notification

Select notification method to distribute the OTP to the user.

Secondary Notification

Select notification method to distribute the OTP to the user, if the primary notification reports any errors.

OATH Failover

Enable this to allow users to enter a valid OATH OTP as backup of the sent SMS.

Windows Domain General

Pointsharp Password Reset offers users the ability to reset their Directory password.

User flow
  1. The user is challenged to enter username and a user attribute value.

  2. The user attribute value received from the user is compared to the value stored on the user in User Storage on the attribute User Attribute.

  3. If the value matches and the system is configured to challenge the user, the user is challenged for an OTP.

  4. If the OTP Setting is set to None, no challenge for a valid OTP is performed and the user is directed to the next step.

  5. If the OTP Setting is set to SMS, the OTP is sent to the user.

  6. If the OTP Setting is set to OATH, the user is challenged to enter an OTP from an OATH token.

  7. The user is asked to enter the new password.

  8. If password challenge is enabled, the user is asked to enter the new password again.

  9. Pointsharp ID resets the user’s password in the Directory.

An authentication method named PR_INTERNAL_WD is added to the system when Password Reset is enabled. This method exposes the Password Reset functionality as an authentication method through a RADIUS listener. To disable the RADIUS interface, remove the authentication method.
The User Storage that hosts the users admitted to reset their passwords must be configured for LDAP over SSL, with a hostname matching the Subject Common Name of the server certificate.
Parameter Description

Enabled

Pointsharp Password Reset offers users the ability to reset Windows Domain passwords.

Password Challenge

Check this to enable password challenge, i.e. the user is challenged to enter the new password a second time.

Default this is enabled.

Timeout

Set the timeout in minutes: the time interval after which the user session is invalidated. A user is not allowed to start a new password reset before this time has expired. The default is 15 minutes. This limits the rate at which resets (and the OTP deliveries they trigger) can be requested for an account, which mitigates Denial-of-Service attacks.

Unlock Pointsharp Account

Check this to unlock the Pointsharp accounts that are locked or time-locked when performing Password Reset.

Default this is set to true.

Unlock Windows Account

Check this to unlock the Windows Domain accounts that are locked out when performing Password Reset.

Default this is set to true.

Initial challenge

The initial challenge is where the user needs to provide knowledge of a value associated with the user in the system.

User Attribute

Set this to the user attribute, stored on the user in User Storage, that the user must enter at the initial challenge. That is, the user starts the Password Reset process by entering the username and the value of this user attribute, and if the value is correct the next step in the Password Reset process follows.

Default this is set to mobile.

Require Exact Length

Check this to only allow the exact match (case-insensitive) of the user attribute. Default this is set to false.

Match Ending Characters

The number of characters at the end of the stored user attribute that must match the end of the value entered by the user for the comparison to count as a match.

Default this is set to 4.
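The initial-challenge comparison described under User Attribute, Require Exact Length and Match Ending Characters (in both the Pointsharp Password and the Windows Domain sections) can be modelled as follows. This is an added example written for this page, not Pointsharp's own code: the user store, the casefold-based case-insensitive comparison and the treatment of inputs shorter than the configured ending length are assumptions, and the comparison is done in constant time so that a wrong guess does not leak how much of the value matched.

```python
import hmac
import unicodedata

# Constructed sample of the User Storage (assumption: a dict of username -> attributes).
USERS = {
    "alice": {"mobile": "+46701234567", "mail": "Alice@Example.com"},
    "bob": {"mobile": "+46709876543", "mail": "bob@example.com"},
}


def _normalize(value: str) -> str:
    # Case-insensitive comparison (assumption: NFKC + casefold, outer whitespace ignored).
    return unicodedata.normalize("NFKC", value).strip().casefold()


def _ct_equal(a: str, b: str) -> bool:
    # Constant-time comparison to avoid leaking the matching prefix/suffix via timing.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def attribute_matches(stored: str, entered: str,
                      require_exact_length: bool = False,
                      match_ending_characters: int = 4) -> bool:
    """Return True if the entered value satisfies the initial challenge.

    require_exact_length=True  -> the whole value must match (case-insensitive).
    require_exact_length=False -> only the last `match_ending_characters` must match.
    """
    s = _normalize(stored)
    e = _normalize(entered)
    if not s or not e:
        return False
    if require_exact_length:
        return _ct_equal(s, e)
    n = match_ending_characters
    # Assumption: an input shorter than the required ending length can never match.
    if n <= 0 or len(s) < n or len(e) < n:
        return False
    return _ct_equal(s[-n:], e[-n:])


def check_initial_challenge(username: str, entered: str,
                            user_attribute: str = "mobile",
                            require_exact_length: bool = False,
                            match_ending_characters: int = 4) -> bool:
    """Look the user up in the (constructed) store and compare the configured attribute.

    Unknown users and missing attributes fail the same way as a wrong value, so the
    response does not reveal whether the username exists.
    """
    stored = USERS.get(username, {}).get(user_attribute, "")
    return attribute_matches(stored, entered, require_exact_length, match_ending_characters)


if __name__ == "__main__":
    print(check_initial_challenge("alice", "4567"))                          # last 4 digits
    print(check_initial_challenge("alice", "+46701234567", True))            # exact match
    print(check_initial_challenge("nobody", "4567"))                         # unknown user
```

With the defaults (mobile, exact length off, 4 ending characters) a user proves knowledge of the last four digits of the stored mobile number; switching Require Exact Length on demands the full value. Note how little entropy four digits carry, which is why the page pairs this step with an OTP challenge.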

Windows Domain OTP Settings

Parameter Description

OTP Setting

Select SMS if the OTP is sent to the user on demand by SMS, or OATH if the user must enter a valid OTP from an OATH token. Set to None to disable the challenge for a valid OTP.

OATH Window Size

Valid for OTP Setting = OATH

The number of allowed non-synchronized OTPs of a token. If a token has accidentally generated several OTPs that were never submitted, this window size makes Pointsharp ID try to synchronize the provided OTP with the counter currently stored in the system. For example, if a token has generated 21 OTPs since its last use, Pointsharp ID will allow the token to be synchronized as long as the window size is larger than 20.

Default: 25

OTP Attribute

The user attribute from which the destination address is retrieved, for example the mobile phone number or the email address.

Default this is set to mobile.

OTP Length

The length of the OTP in number of characters.

Default this is set to 6.

OTP Alphabet

The characters of the alphabet are used when randomly generating the OTP for the user. For example, if the OTPs should only contain 1's, 2's, a's and b's, set the alphabet to "12ab". To increase the probability that a given character is chosen, repeat that character in the alphabet. Note that some characters look alike on low-resolution screens (such as 1 and l, 0 and O).

Default this is set to 234567892345678923456789abcdefghijkmnopqrstuvwxyz.

OTP Message

Set the message to use when distributing the OTP to the user. The {otp} is replaced with the OTP by Pointsharp ID and {username} is replaced with the username.

Default this is set to: "Hi {username}, here is the Pointsharp Password Reset code {otp}."
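The OTP Length, OTP Alphabet and OTP Message settings (in both OTP Settings sections) fit together as a small generator, shown here as an added example written for this page rather than Pointsharp's code. It draws each character with a cryptographically secure source, reports how repeating characters in the alphabet skews the per-position probabilities, computes the resulting entropy of an OTP, and renders the message template. The default alphabet and template are the ones quoted on the page; the functions and the use of the `secrets` module are assumptions.

```python
import math
import secrets
from collections import Counter
from typing import Dict

# Defaults quoted on the page.
DEFAULT_ALPHABET = "234567892345678923456789abcdefghijkmnopqrstuvwxyz"
DEFAULT_LENGTH = 6
DEFAULT_TEMPLATE = "Hi {username}, here is the Pointsharp Password Reset code {otp}."


def generate_otp(length: int = DEFAULT_LENGTH, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw `length` characters from `alphabet` using a CSPRNG (secrets, not random)."""
    if length <= 0 or not alphabet:
        raise ValueError("length must be positive and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def character_weights(alphabet: str) -> Dict[str, float]:
    """Per-position probability of each distinct character.

    A character listed k times in an alphabet of n entries is chosen with probability k/n,
    which is how the page's "repeat the character" advice works.
    """
    counts = Counter(alphabet)
    n = len(alphabet)
    return {ch: counts[ch] / n for ch in counts}


def otp_entropy_bits(length: int, alphabet: str) -> float:
    """Shannon entropy of one OTP in bits (repeats lower it below log2(distinct) per position)."""
    per_position = -sum(p * math.log2(p) for p in character_weights(alphabet).values())
    return per_position * length


def render_message(username: str, otp: str, template: str = DEFAULT_TEMPLATE) -> str:
    """Substitute {otp} and {username}; {otp} first so a username can never inject a code."""
    return template.replace("{otp}", otp).replace("{username}", username)


def ambiguous_characters(alphabet: str) -> set:
    """Characters the page warns look alike on low-resolution screens, if present."""
    return set(alphabet) & set("0O1lI")


if __name__ == "__main__":
    otp = generate_otp()
    print(render_message("alice", otp))
    print(f"{otp_entropy_bits(DEFAULT_LENGTH, DEFAULT_ALPHABET):.1f} bits per OTP")
    print("ambiguous:", ambiguous_characters(DEFAULT_ALPHABET) or "none")
```

Running it shows why the default alphabet is built the way it is: digits 2 to 9 appear three times each so roughly half of each position is numeric, while 0, 1, l and O are left out entirely to avoid misreads. The entropy figure is the number to watch when shortening the OTP or trimming the alphabet, together with the attempt limit on the challenge.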

Primary Notification

Select notification method to distribute the OTP to the user.

Secondary Notification

Select notification method to distribute the OTP to the user, if the primary notification reports any errors.

OATH Failover

Enable this to allow a user to enter a valid OATH OTP instead of entering the OTP sent by SMS.