On Tue, Jan 16, 2018 at 11:02 AM, Nadun De Silva <[email protected]> wrote:
> Hi Prakhash,
>
> On Tue, Jan 16, 2018 at 9:49 AM, Prakhash Sivakumar <[email protected]>
> wrote:
>
>> Hi Nadun,
>>
>> On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I have started working on a Password Rotation Policy Authenticator for
>>> the Identity Server.
>>>
>>> Currently, there is an authenticator [1] which can be used to force the
>>> user to change the password.
>>>
>>> However, it does not support the following requirements on its own.
>>>
>>> - Force the user to change the password to a *previously unused
>>> password*
>>> - *Notify the user* when the password had expired
>>>
>>>
>> Are we having the password expiration policy and password reset policy
>> separately in this approach?
>>
>
> We are having the expiration policy and the reset policy separately.
>
> 1. The *reset policy* is implemented in the Identity Server itself
> using the *password history validation* [1]
> <https://docs.wso2.com/display/IS530/Password+History+Validation> (The
> authenticator does not show a proper message to the user since there is no
> way to separately identify this exception in the current implementation.
> Hence it needs to be subclassed or an error code needs to be added as
> suggested by RuwanA)
> 2. The *expiration policy* is implemented in the *password rotation
> policy authenticator* [2]
> <https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c>
>
>> IMO organizations should be able to configure password expiration policy
>> or (password expiration policy + password reset policy) separately. Other
>> than the last password, users shouldn't be always forced to avoid any
>> password that has been used previously during the password rotation. *It
>> should be an organizational decision.*
>>
>
> The current plan is to use the *password history validation* [1]
> <https://docs.wso2.com/display/IS530/Password+History+Validation> in the
> Identity Server itself, which allows the *Identity Server Admin* to *configure
> the number of passwords from the history* that should be considered in the *reset
> policy*. Therefore based on the Admin's preferences, he/she can configure
> it to use either the last password or several passwords from the history.

+1, Thanks for the explanation.

> [1] https://docs.wso2.com/display/IS530/Password+History+Validation
> [2] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c
>
>>
>>> According to my research, I found out that the *user can be forced to
>>> change the password to a previously unused password using the Password
>>> History Validation Policy* [2] and the authenticator [1]. However, the
>>> authenticator does not show a proper message to the user. I am planning to
>>> fix this.
>>>
>>> I have also started working on the *password expiry notifications*. The
>>> planned approach that will be used is as follows,
>>>
>>> - Emit the password change event to analytics
>>> - Use an analytic query to identify the users whose passwords had
>>> expired
>>>
>>> This approach was selected as this will have a minimal load on the
>>> identity server instance as well as it will also open up the path to do
>>> further analytics to identify anomalous user behaviors.
>>>
>>> Any suggestions or improvements are highly appreciated.
>>>
>>> [1] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c
>>> [2] https://docs.wso2.com/display/IS530/Password+History+Validation
>>>
>>> Thank you!
>>>
>>> Regards,
>>> NadunD
>>>
>>> --
>>> *Nadun De Silva*
>>> Software Engineer | WSO2
>>>
>>> Email: [email protected]
>>> Mobile: +94778222607
>>> Web: http://wso2.com
>>>
>>> <http://wso2.com/signature>
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>
>> --
>> Prakhash Sivakumar
>> Software Engineer | WSO2 Inc
>> Platform Security Team
>> Mobile : +94771510080
>> Blog : https://medium.com/@PrakhashS
>
> --
> *Nadun De Silva*
> Software Engineer | WSO2
>
> Email: [email protected]
> Mobile: +94778222607
> Web: http://wso2.com
>
> <http://wso2.com/signature>

--
Prakhash Sivakumar
Software Engineer | WSO2 Inc
Platform Security Team
Mobile : +94771510080
Blog : https://medium.com/@PrakhashS
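The two policies discussed in the thread, modelled as an added example that is not WSO2 Identity Server code and uses none of its APIs: the reset policy rejects a new password that matches any of the last N entries in the user's history (N being the admin-configurable "number of passwords from the history"), and the expiration policy is a query over the stream of password-change events that returns users whose latest change is older than the rotation period, i.e. the users to notify. Assumptions: an in-memory store stands in for the analytics event stream, history entries are kept as salted PBKDF2-HMAC-SHA256 digests rather than plaintext, and all names (`PasswordPolicyStore`, `record_change`, `expired_users`, `run_demo`) and the sample accounts are this example's own.

```python
# Added illustration (not WSO2 Identity Server code): the two policies from the
# thread, modelled in plain Python.
#   - reset policy : reject a new password matching any of the last N passwords
#                    in the user's history (N is admin-configurable)
#   - expiration   : password-change events are appended to a stream; a query
#                    over that stream finds users whose latest change is older
#                    than the rotation period, so they can be notified.
# All class/function names here are this example's own assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ITERATIONS = 100_000  # assumption: PBKDF2-HMAC-SHA256 for stored history entries


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted digest; history entries never keep the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class PasswordChangeEvent:
    """One record of the 'password change' event stream."""
    username: str
    changed_at: datetime
    salt: bytes
    digest: bytes


class PasswordPolicyStore:
    def __init__(self, history_size: int, max_age: timedelta) -> None:
        if history_size < 1:
            raise ValueError("history_size must cover at least the current password")
        self.history_size = history_size  # N passwords remembered (reset policy)
        self.max_age = max_age            # rotation period (expiration policy)
        self._events: dict[str, list[PasswordChangeEvent]] = {}

    def is_reused(self, username: str, candidate: str) -> bool:
        """Reset policy: does `candidate` equal any of the user's last N passwords?"""
        recent = self._events.get(username, [])[-self.history_size:]
        # Constant-time comparison; every stored entry carries its own salt.
        return any(
            hmac.compare_digest(hash_password(candidate, ev.salt), ev.digest)
            for ev in recent
        )

    def record_change(self, username: str, password: str, changed_at: datetime) -> PasswordChangeEvent:
        """Apply the reset policy, then emit the change event to the stream."""
        if self.is_reused(username, password):
            raise ValueError("password was used recently; choose a previously unused password")
        salt = os.urandom(16)
        event = PasswordChangeEvent(username, changed_at, salt, hash_password(password, salt))
        self._events.setdefault(username, []).append(event)
        return event

    def expired_users(self, now: datetime) -> list[str]:
        """Expiration policy: the 'analytics query' over the event stream.

        For each user take the most recent change event; if it is older than
        max_age the password has expired and the user should be notified.
        """
        expired = []
        for username, events in self._events.items():
            latest = max(events, key=lambda ev: ev.changed_at)
            if now - latest.changed_at > self.max_age:
                expired.append(username)
        return sorted(expired)


def run_demo() -> dict:
    """Constructed scenario (sample accounts, not real data): N=2, 90-day rotation."""
    store = PasswordPolicyStore(history_size=2, max_age=timedelta(days=90))
    t0 = datetime(2018, 1, 15, tzinfo=timezone.utc)
    store.record_change("alice", "winter-2017", t0)
    store.record_change("alice", "spring-2018", t0 + timedelta(days=10))
    first_reused = store.is_reused("alice", "winter-2017")        # still within last 2
    store.record_change("alice", "summer-2018", t0 + timedelta(days=20))
    first_reused_later = store.is_reused("alice", "winter-2017")  # now outside the window
    store.record_change("bob", "bob-initial", t0)
    return {
        "first_reused": first_reused,
        "first_reused_later": first_reused_later,
        "expired_day_100": store.expired_users(t0 + timedelta(days=100)),  # only bob
        "expired_day_111": store.expired_users(t0 + timedelta(days=111)),  # alice too
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Raising a distinct exception from `record_change` when the history check fails is the point RuwanA's suggestion addresses: the authenticator can only show the user a specific "previously used password" message if that failure is distinguishable from other validation errors.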
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
