FIM password reset through token

Experts,

I am working on FIM design.

Through the documentation I see that FIM has the capability to reset a user's password by providing challenge questions and answers.

My requirement is that the same can be done by providing some kind of soft token information.

The user just provides a soft token and FIM either allows the user to reset the password or sends the password to their mobile.

Any suggestions, please.

Thanks,
Mann

January 7th, 2014 3:03pm

With FIM 2010 R2 you also get options for an e-mail- or SMS-delivered one-time password as a password reset authentication gate.
January 7th, 2014 3:29pm

Take a look at this article on using OTP with e-mail or SMS to implement SSPR.

http://technet.microsoft.com/en-us/library/hh824697(v=ws.10).aspx

Regards
Peter

January 7th, 2014 3:34pm

FIM SSPR doesn't presently support any means to use soft tokens (e.g., TOTP like Google Authenticator, or YubiKey), as there are no hooks to generate/validate the PINs or store seed values.

That said, the SMS OTP challenge is somewhat analogous as passing the gate implies possession of the phone device.

January 8th, 2014 5:03am

Thanks All!

I have gone through the article but could not get more information.

Putting my query again for better understanding.

I want to use the SSPR feature of FIM, but without providing challenge questions and answers.

The user provides some soft token information (like one generated by quicksharp, a secured token) instead of answers to challenge questions, in order to get an OTP on their mobile or the password reset screen.

Kindly suggest.

Thanks,

Mann

January 10th, 2014 9:08am

FIM SSPR can be configured without challenge questions, in which case the SMS and/or Email one-time password gates must be used.

There is currently no opportunity to use any other kinds of tokens with FIM SSPR.

January 10th, 2014 9:27am

Thanks Steve!

Let me try understanding more.

Suppose I configure the SMS one-time password gate; then the process would be:

1. User clicks on "forgot password"

2. FIM sends an OTP to the mobile

3. User enters the OTP on screen and then gets the password reset option

Am I correct?

Kindly suggest.

Thanks,

Mann

January 10th, 2014 4:18pm

Yes, that's exactly right.
January 10th, 2014 5:13pm

Thanks Steve!

You have answered my question and I have marked it as answer also :)

However, this raises one query in my mind, as it is not secure.

It is not asking for any information before sending the OTP; this can be a huge security risk.

I can try logging in as some other user, and the system generates a password for that other user?

Although I will not have access to the other user's mobile/e-mail, the damage is done.

Please suggest.

Thanks,

Mann

January 13th, 2014 5:40am

At the very least, FIM SSPR will first ask for a username. If the user initiates SSPR too many times without completing the process (e.g., FIM sends five SMS OTPs but the user never chooses a new password), then the SSPR Lockout Gate will apply. So there is some built-in mitigation against an attacker trying to bombard a legitimate user with SSPR PINs.

In general it is a good practice to require the user to enter some kind of challenge question before the OTP gate.  Perhaps not as rigorous a set of questions if you're relying on OTP, but enough to serve as an initial screen.

January 13th, 2014 11:42am
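The following is an added, runnable model of the three-step SMS OTP flow Steve confirmed above and of the two mitigations he describes in his last reply (a lockout after too many uncompleted resets, and a cheap pre-screen challenge in front of the OTP gate). It is illustration code written for this page, not FIM code and not taken from the thread or the linked article; the class and method names, the limits (five uncompleted resets, three PIN guesses, a five-minute OTP window), the "same reply for unknown usernames" behaviour, and the sample user are all assumptions. The SMS gateway is replaced by a list that collects the messages so the whole thing runs offline.

```python
"""Toy model of the FIM SSPR SMS one-time-password gate as the thread describes it:
username -> (optional cheap pre-screen) -> OTP by SMS -> OTP entered -> reset screen,
with a lockout that trips once too many resets are started but never completed.
Added illustration only, not FIM code; class/method names, limits and users are assumed."""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300    # assumed: an issued OTP is good for five minutes
LOCKOUT_THRESHOLD = 5    # assumed: five OTPs sent with no reset finished -> lockout
MAX_OTP_GUESSES = 3      # assumed: wrong PINs tolerated per issued OTP


class SsprGate:
    def __init__(self, users, send_sms, prescreen=None, clock=time.time):
        self.users = users            # username -> {"phone": ..., "answer": ...}
        self.send_sms = send_sms      # callable(phone, text): stand-in for the SMS gateway
        self.prescreen = prescreen    # None, or callable(record, answer) -> bool
        self.clock = clock
        self.pending = {}             # username -> [otp, expires_at, guesses_left]
        self.uncompleted = {}         # username -> OTPs sent since the last finished reset
        self.locked = set()
        self.passwords = {}

    def start(self, username, prescreen_answer=None):
        """Steps 1-2 of the thread: 'forgot password', username, OTP sent to the phone."""
        if username in self.locked:
            return "locked"
        record = self.users.get(username)
        if record is None:
            return "sent"     # assumed: identical reply for unknown names, so none are enumerable
        if self.prescreen is not None and not self.prescreen(record, prescreen_answer):
            return "denied"   # the cheap screen stops the SMS before it is ever sent
        count = self.uncompleted.get(username, 0)
        if count >= LOCKOUT_THRESHOLD:
            self.locked.add(username)          # the lockout gate: no more OTPs for this account
            self.pending.pop(username, None)
            return "locked"
        self.uncompleted[username] = count + 1
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[username] = [otp, self.clock() + OTP_TTL_SECONDS, MAX_OTP_GUESSES]
        self.send_sms(record["phone"], f"Your password reset code is {otp}")
        return "sent"

    def verify(self, username, otp):
        """Step 3: the OTP typed on screen; True means the reset screen may be shown."""
        entry = self.pending.get(username)
        if entry is None or username in self.locked:
            return False
        expected, expires_at, _ = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return False
        if not hmac.compare_digest(expected, str(otp)):   # constant-time compare
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[username]   # burn the OTP; the user must start over
            return False
        return True

    def reset(self, username, otp, new_password):
        """Finishing the reset consumes the OTP and clears the uncompleted counter."""
        if not self.verify(username, otp):
            return False
        self.passwords[username] = new_password
        del self.pending[username]
        self.uncompleted.pop(username, None)
        return True


def demo():
    """Constructed walk-through: one legitimate reset, then an attacker repeatedly
    starting resets for the same victim, then the same attempt against a pre-screen."""
    sent = []
    users = {"mann": {"phone": "+1 555 0100", "answer": "fido"}}   # constructed sample user
    gate = SsprGate(users, lambda phone, text: sent.append((phone, text)))
    out = {}
    gate.start("mann")
    otp = sent[-1][1].split()[-1]                                   # the code from the "SMS"
    wrong = str((int(otp) + 1) % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)  # guaranteed wrong PIN
    out["wrong_pin_rejected"] = not gate.verify("mann", wrong)
    out["reset_ok"] = gate.reset("mann", otp, "N3w-P@ssw0rd")
    # Attacker bombardment: five more OTPs go out, the sixth attempt hits the lockout gate
    out["bombard"] = [gate.start("mann") for _ in range(LOCKOUT_THRESHOLD + 1)]
    # With a cheap pre-screen in front of the gate, a wrong answer sends nothing at all
    screened = SsprGate(users, lambda phone, text: sent.append((phone, text)),
                        prescreen=lambda rec, ans: ans is not None
                        and hmac.compare_digest(rec["answer"], ans))
    out["prescreen_denied"] = screened.start("mann", "rex")
    out["prescreen_passed"] = screened.start("mann", "fido")
    out["sms_sent"] = len(sent)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the model is the one Mann raised: without a pre-screen, anyone who knows a username can make the system send that user OTPs, and the only brake is the lockout counter; with even a weak challenge in front of the gate, a wrong answer produces no SMS and never advances the counter, so the legitimate user is neither spammed nor locked out.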
