Hi Nadun,

On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva <[email protected]> wrote:

> Hi all,
>
> I have started working on a Password Rotation Policy Authenticator for the Identity Server.
>
> Currently, there is an authenticator [1] which can be used to force the user to change the password.
>
> However, it does not support the following requirements on its own.
>
> - Force the user to change the password to a *previously unused password*
> - *Notify the user* when the password had expired
>

Are we having the password expiration policy and the password reset policy separately in this approach? IMO organizations should be able to configure the password expiration policy or (password expiration policy + password reset policy) separately. Other than the last password, users shouldn't always be forced to avoid any password that has been used previously during the password rotation. *It should be an organizational decision.*

> According to my research, I found out that the *user can be forced to change the password to a previously unused password using the Password History Validation Policy* [2] and the authenticator [1]. However, the authenticator does not show a proper message to the user. I am planning to fix this.
>
> I have also started working on the *password expiry notifications*. The planned approach that will be used is as follows,
>
> - Emit the password change event to analytics
> - Use an analytic query to identify the users whose passwords had expired
>
> This approach was selected as this will have a minimal load on the identity server instance as well as it will also open up the path to do further analytics to identify anomalous user behaviors.
>
> Any suggestions or improvements are highly appreciated.
>
> [1] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c
> [2] https://docs.wso2.com/display/IS530/Password+History+Validation
>
> Thank you!
>
> Regards,
> NadunD
>
> --
> *Nadun De Silva*
> Software Engineer | WSO2
>
> Email: [email protected]
> Mobile: +94778222607
> Web: http://wso2.com
>
> <http://wso2.com/signature>
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Prakhash Sivakumar
Software Engineer | WSO2 Inc
Platform Security Team
Mobile : +94771510080
Blog : https://medium.com/@PrakhashS
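As an added example, not code from this thread or from the WSO2 Identity Server or its connectors, the following Python sketch models the two policies under discussion: password history validation with a configurable history depth (so an organization can choose between "not the last password" and "no password ever used", as the reply above argues), and password expiry detection computed from a stream of password-change events, which is the shape of the analytics-side query Nadun describes. All class and function names, the iteration count, and the sample users and timestamps are assumptions constructed for the example.

```python
# Added example: a small model of password history validation and
# password expiry detection from password-change events. Not the
# Identity Server's implementation; names and data are constructed.

import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone


# --- Password history validation -------------------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 hashes are kept in history, never plaintext,
    # so a leaked history table does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Per-user history of (salt, hash) pairs, newest first.

    history_depth=1 rejects only the current password; history_depth=N
    rejects the last N; history_depth=None rejects every password ever
    recorded. The depth is the organizational decision discussed above.
    """

    def __init__(self, history_depth):
        self.history_depth = history_depth
        self._entries = {}  # username -> list[(salt, digest)], newest first

    def record(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries.setdefault(username, []).insert(
            0, (salt, _hash_password(password, salt)))

    def is_reused(self, username: str, candidate: str) -> bool:
        entries = self._entries.get(username, [])
        if self.history_depth is not None:
            entries = entries[: self.history_depth]
        # Re-hash the candidate with each stored salt and compare in
        # constant time; any match means the candidate was used before.
        return any(hmac.compare_digest(_hash_password(candidate, salt), digest)
                   for salt, digest in entries)


# --- Password expiry from change events ------------------------------------

def expired_users(events, max_age: timedelta, now: datetime):
    """events: iterable of (username, changed_at) password-change events,
    in any order. Returns sorted usernames whose most recent change is
    older than max_age, i.e. the users to notify."""
    latest = {}
    for user, changed_at in events:
        if user not in latest or changed_at > latest[user]:
            latest[user] = changed_at
    return sorted(u for u, t in latest.items() if now - t > max_age)


# --- Constructed sample data (not from the thread) -------------------------

NOW = datetime(2018, 1, 16, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("alice", datetime(2017, 9, 1, tzinfo=timezone.utc)),
    ("alice", datetime(2017, 12, 20, tzinfo=timezone.utc)),  # alice's latest
    ("bob", datetime(2017, 8, 15, tzinfo=timezone.utc)),      # older than 90 days
    ("carol", datetime(2018, 1, 10, tzinfo=timezone.utc)),
]


def demo_expiry():
    # With a 90-day maximum age only bob's latest change is too old.
    return expired_users(SAMPLE_EVENTS, timedelta(days=90), NOW)


def demo_history(depth):
    hist = PasswordHistory(depth)
    hist.record("alice", "Winter2017!")  # older password
    hist.record("alice", "Spring2018!")  # current password
    return {
        "current_reused": hist.is_reused("alice", "Spring2018!"),
        "older_reused": hist.is_reused("alice", "Winter2017!"),
        "fresh_reused": hist.is_reused("alice", "Summer2018!"),
    }


if __name__ == "__main__":
    print("expired:", demo_expiry())
    print("depth=1:", demo_history(1))
    print("depth=None:", demo_history(None))
```

Running it shows the policy knob directly: with `history_depth=1` the older password `Winter2017!` is accepted again, while with `history_depth=None` it is rejected, and the expiry pass flags only the user whose latest change event is older than the configured maximum age.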
