Hi Prakash,

On Tue, Jan 16, 2018 at 9:49 AM, Prakhash Sivakumar <[email protected]> wrote:

> Hi Nadun,
>
> On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva <[email protected]> wrote:
>
>> Hi all,
>>
>> I have started working on a Password Rotation Policy Authenticator for the Identity Server.
>>
>> Currently, there is an authenticator [1] which can be used to force the user to change the password.
>>
>> However, it does not support the following requirements on its own.
>>
>> - Force the user to change the password to a *previously unused password*
>> - *Notify the user* when the password had expired
>>
>
> Are we having the password expiration policy and password reset policy separately in this approach?
>

We are having the expiration policy and the reset policy separately.

1. The *reset policy* is implemented in the Identity Server itself using the *password history validation* [1]. (The authenticator does not show a proper message to the user since there is no way to separately identify this exception in the current implementation. Hence it needs to be subclassed or an error code needs to be added, as suggested by RuwanA.)
2. The *expiration policy* is implemented in the *password rotation policy authenticator* [2].

> IMO organizations should be able to configure password expiration policy or (password expiration policy + password reset policy) separately. Other than the last password, users shouldn't be always forced to avoid any password that has been used previously during the password rotation. *It should be an organizational decision.*
>

The current plan is to use the *password history validation* [1] in the Identity Server itself, which allows the *Identity Server Admin* to *configure the number of passwords from the history* that should be considered in the *reset policy*. Therefore, based on the Admin's preferences, he/she can configure it to use either the last password or several passwords from the history.

[1] https://docs.wso2.com/display/IS530/Password+History+Validation
[2] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c

>> According to my research, I found out that the *user can be forced to change the password to a previously unused password using the Password History Validation Policy* [2] and the authenticator [1]. However, the authenticator does not show a proper message to the user. I am planning to fix this.
>>
>> I have also started working on the *password expiry notifications*. The planned approach that will be used is as follows,
>>
>> - Emit the password change event to analytics
>> - Use an analytic query to identify the users whose passwords had expired
>>
>> This approach was selected as this will have a minimal load on the identity server instance as well as it will also open up the path to do further analytics to identify anomalous user behaviors.
>>
>> Any suggestions or improvements are highly appreciated.
>>
>> [1] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c
>> [2] https://docs.wso2.com/display/IS530/Password+History+Validation
>>
>> Thank you!
>>
>> Regards,
>> NadunD
>>
>> --
>> *Nadun De Silva*
>> Software Engineer | WSO2
>>
>> Email: [email protected]
>> Mobile: +94778222607
>> Web: http://wso2.com
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>
> --
> Prakhash Sivakumar
> Software Engineer | WSO2 Inc
> Platform Security Team
> Mobile : +94771510080
> Blog : https://medium.com/@PrakhashS

--
*Nadun De Silva*
Software Engineer | WSO2

Email: [email protected]
Mobile: +94778222607
Web: http://wso2.com
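The two policies discussed in this thread, the reset policy (a user may not change to any of the last N passwords, with N chosen by the admin) and the expiration policy (users whose latest password change is older than the maximum age, derived from emitted password-change events), can be sketched as follows. This is an added example written for this page; it is not code from the thread, from the Identity Server, or from the password rotation policy authenticator. The class and function names, the `PASSWORD_REUSED` error code, the 90-day maximum age and the sample users are assumptions made for illustration; it also shows the distinct exception type plus error code that the thread mentions as the way to let the authenticator show a specific message.

```python
"""Added example (not WSO2 Identity Server code): a minimal model of a
password history (reset) policy and a password expiration policy.
All names, parameters and sample data are assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Assumed policy knobs; these are not Identity Server configuration keys.
DEFAULT_HISTORY_COUNT = 3               # the N most recent passwords (current one included) cannot be reused
DEFAULT_MAX_AGE = timedelta(days=90)    # password older than this is considered expired
PBKDF2_ITERATIONS = 100_000


class PasswordReuseError(ValueError):
    """Distinct exception type, with an error code, so a caller can tell password
    reuse apart from other validation failures and show a specific message."""
    error_code = "PASSWORD_REUSED"      # assumed code, not an Identity Server error code


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordHistoryStore:
    """Per-user ring buffer of the last N (salt, digest) pairs; the oldest entry drops off.
    Also records every change as a (user, timestamp) event, standing in for the events
    the thread proposes to emit to analytics."""

    def __init__(self, history_count: int = DEFAULT_HISTORY_COUNT) -> None:
        self.history_count = history_count
        self._history: dict[str, deque] = {}
        self._events: list[tuple[str, datetime]] = []

    def is_reused(self, user: str, candidate: str) -> bool:
        """True if candidate matches any stored entry. Each entry has its own salt, so the
        candidate is re-hashed per entry and compared in constant time."""
        for salt, digest in self._history.get(user, ()):
            _, cand = hash_password(candidate, salt)
            if hmac.compare_digest(cand, digest):
                return True
        return False

    def set_password(self, user: str, new_password: str, now: datetime) -> None:
        """Reject reuse of any of the last N passwords, otherwise store the new hash."""
        if self.is_reused(user, new_password):
            raise PasswordReuseError(
                f"password matches one of the last {self.history_count} used; choose an unused one")
        history = self._history.setdefault(user, deque(maxlen=self.history_count))
        history.append(hash_password(new_password))
        self._events.append((user, now))

    def change_events(self) -> list[tuple[str, datetime]]:
        return list(self._events)


def expired_users(events: Iterable[tuple[str, datetime]], now: datetime,
                  max_age: timedelta = DEFAULT_MAX_AGE) -> list[str]:
    """Analytics-style query: keep the latest change per user and return the users
    whose latest change is older than max_age, sorted by name."""
    latest: dict[str, datetime] = {}
    for user, changed_at in events:
        if user not in latest or changed_at > latest[user]:
            latest[user] = changed_at
    return sorted(user for user, ts in latest.items() if now - ts > max_age)


def demo() -> dict:
    """Constructed scenario: N=3, alice rotates four times, bob once, checked at day 100."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    store = PasswordHistoryStore(history_count=3)
    store.set_password("alice", "Winter-2017!", t0)
    store.set_password("alice", "Spring-2018!", t0 + timedelta(days=1))
    store.set_password("alice", "Summer-2018!", t0 + timedelta(days=2))
    try:
        store.set_password("alice", "Winter-2017!", t0 + timedelta(days=3))  # still in the window
        reuse_rejected = False
    except PasswordReuseError as err:
        reuse_rejected = err.error_code == "PASSWORD_REUSED"
    # A fourth distinct password pushes the oldest one out of the N=3 window.
    store.set_password("alice", "Autumn-2018!", t0 + timedelta(days=4))
    oldest_allowed_again = not store.is_reused("alice", "Winter-2017!")
    store.set_password("bob", "Bob-initial-1", t0 + timedelta(days=20))
    expired = expired_users(store.change_events(), now=t0 + timedelta(days=100))
    return {"reuse_rejected": reuse_rejected,
            "oldest_allowed_again": oldest_allowed_again,
            "expired": expired}


if __name__ == "__main__":
    print(demo())
```

With `history_count=3`, the window holds the current password and the two before it, so the admin's choice of N directly sets how far back reuse is refused; `expired_users` is the batch query side, run over the event stream rather than inside the login path, which is the load argument made in the thread.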
