FIM password reset through token
Experts,
I am working on FIM design.
Through documentation I see that FIM has capability to reset user password by providing challenge questions and answers.
My requirement is to find out whether the same can be done by providing some kind of soft token information.
The user just provides a soft token, and FIM either allows the user to reset the password or sends the password to the mobile.
Any suggestion please.
Thanks,
Mann
January 7th, 2014 3:03pm
With FIM 2010 R2 you also get the option of an e-mail or SMS-delivered one-time password as a password reset authentication gate.
January 7th, 2014 3:29pm
FIM SSPR doesn't presently support any means to use soft tokens (e.g., TOTP like Google Authenticator or Yubikey) as there are no hooks to generate/validate the PINs or store seed values.
That said, the SMS OTP challenge is somewhat analogous as passing the gate implies possession of the phone device.
January 8th, 2014 5:03am
Thanks All!
I have gone through the article but could not get more information.
Putting my query again for better understanding.
I want to use SSPR feature of FIM but without providing challenge questions and answers.
The user provides some soft token information (e.g. generated by quicksharp, a secured token) instead of answers to challenge questions in order to get an OTP over mobile or the password reset screen.
Kindly suggest.
Thanks,
Mann
January 10th, 2014 9:08am
FIM SSPR can be configured without challenge questions, in which case the SMS and/or Email one-time password gates must be used.
There is currently no opportunity to use any other kinds of tokens with FIM SSPR.
January 10th, 2014 9:27am
Thanks Steve!
Let me try understanding more.
Suppose I configure the SMS one-time password gate; then the process would be:
1. User clicks on forgot password
2. FIM sends an OTP to the mobile
3. The user enters the OTP on screen and then gets the password reset option
Am I correct?
Kindly suggest.
Thanks,
Mann
January 10th, 2014 4:18pm
Yes, that's exactly right.
January 10th, 2014 5:13pm
Yes, that's exactly right.
January 10th, 2014 5:34pm
Thanks Steve!
You have answered my question and I have marked it as answer also :)
However, this raises one query in my mind, as it is not secure.
It is not asking for any information before sending the OTP; this can be a huge security risk.
As I can try logging in as some other user, and the system generates a password for that other user?
Although I will not have access to the other user's mobile/email, the damage is done.
Please suggest.
Thanks,
Mann
January 13th, 2014 5:40am
At the very least FIM SSPR will first ask for a username. If the user initiates SSPR too many times without completing the process (e.g., FIM sends five SMS OTPs but the user never chooses a new password) then the SSPR Lockout Gate will apply. So there is some built-in mitigation of an attacker trying to bombard a legitimate user with SSPR PINs.
In general it is a good practice to require the user to enter some kind of challenge question before the OTP gate. Perhaps not as rigorous a set of questions if you're relying on OTP, but enough to serve as an initial screen.
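To make the mitigation concrete, here is an added example that models the three-step flow from the thread (username, SMS OTP, reset screen) together with the two defences discussed in this reply: a lockout gate that triggers after too many OTPs are sent without a completed reset, and an optional challenge-question screen before the OTP is sent at all. This is illustrative Python written for this thread, not FIM code; the threshold of five OTPs, the `SsprService` class, the in-memory SMS outbox and the sample users are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy values for this illustration (not FIM's real defaults).
LOCKOUT_THRESHOLD = 5   # OTPs sent without a completed reset before the lockout gate applies
OTP_DIGITS = 6


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise a challenge answer (case, whitespace) and hash it with a per-user salt."""
    norm = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


@dataclass
class UserRecord:
    phone: str
    salt: bytes
    answer_hash: bytes
    otps_sent: int = 0                  # OTPs issued since the last successful reset
    locked: bool = False
    pending_otp: Optional[str] = None


class SsprService:
    """Hypothetical SSPR model: pre-screen challenge, SMS OTP gate, lockout gate."""

    def __init__(self, users: Dict[str, UserRecord], require_challenge: bool = True):
        self.users = users
        self.require_challenge = require_challenge
        self.sms_outbox: List[Tuple[str, str]] = []   # (phone, otp); stands in for the SMS provider

    def start(self, username: str, challenge_answer: Optional[str] = None) -> str:
        """Steps 1-2: identify the user, screen them, then send the OTP (or refuse)."""
        user = self.users.get(username)
        if user is None:
            # Internal status only; the web response should look identical for unknown and
            # known users so the reset page does not leak which usernames exist.
            return "rejected"
        if user.locked:
            return "locked"
        if self.require_challenge:
            if challenge_answer is None:
                return "rejected"
            if not hmac.compare_digest(hash_answer(challenge_answer, user.salt), user.answer_hash):
                return "rejected"
        if user.otps_sent >= LOCKOUT_THRESHOLD:
            # Lockout gate: too many OTPs issued without the reset ever being completed.
            user.locked = True
            user.pending_otp = None
            return "locked"
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        user.pending_otp = otp
        user.otps_sent += 1
        self.sms_outbox.append((user.phone, otp))
        return "otp-sent"

    def verify(self, username: str, otp: str) -> str:
        """Step 3: the user enters the OTP; on success the reset screen is unlocked."""
        user = self.users.get(username)
        if user is None or user.locked or user.pending_otp is None:
            return "rejected"
        if not hmac.compare_digest(user.pending_otp, otp):
            return "rejected"
        user.pending_otp = None
        user.otps_sent = 0          # completed reset clears the lockout counter
        return "reset-allowed"


def build_demo_service(require_challenge: bool = True) -> SsprService:
    """Constructed sample directory with one user (hypothetical data)."""
    salt = b"constructed-demo-salt"
    users = {
        "alice": UserRecord(phone="+10000000000", salt=salt,
                            answer_hash=hash_answer("Blue Mountain", salt)),
    }
    return SsprService(users, require_challenge=require_challenge)


if __name__ == "__main__":
    svc = build_demo_service(require_challenge=False)
    # Someone hammers "forgot password" for alice without ever finishing: the gate locks.
    print([svc.start("alice") for _ in range(LOCKOUT_THRESHOLD + 1)])
    svc = build_demo_service(require_challenge=True)
    print(svc.start("alice", "wrong"), len(svc.sms_outbox))        # rejected, no SMS sent
    print(svc.start("alice", "blue  mountain"))                     # otp-sent
    print(svc.verify("alice", svc.sms_outbox[-1][1]))               # reset-allowed
```

Running the module shows both behaviours: without a challenge screen, the sixth OTP request for the same user returns `locked` after five SMS messages have already gone out, which is the bombardment the lockout gate bounds but does not prevent; with the challenge screen enabled, a wrong answer is rejected before any SMS is sent at all, which is the reason the reply recommends at least a light challenge in front of the OTP gate.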
January 13th, 2014 11:42am