GroupID 8.x - Password Center
Using GroupID Password Center, enrolled users can reset their forgotten passwords and unlock their identity store accounts after authenticating themselves on the basis of information they provided at the time of enrollment. Users can authenticate themselves by Security Questions, SMS Verification, Email Verification, Google/Microsoft Authenticator, Link Account, Phone ID (GroupID Phone app) or YubiKey.
What if a user has ignored notifications and did not enroll in GroupID? How can this user reset his or her password or unlock his or her account?
Second Way Authentication (SWA) will come to the rescue here. SWA is an alternate authentication method for unenrolled users. This feature allows unenrolled users to authenticate themselves on a Password Center portal in any of the following ways:
- Security Questions – Security Questions use certain schema attributes for authenticating users. The response provided by a user for an attribute is matched to the value of that attribute in the identity store. If answers for all questions match, authentication is successful and the user can perform the required action on the Password Center portal.
- Mobile - A code is sent to the user's mobile phone number. This number is fetched from a directory attribute. To authenticate, the user has to re-enter the code in the Password Center portal.
- Email - A code is sent to the user's email address. This address is fetched from a directory attribute. To authenticate, the user has to re-enter the code in the Password Center portal.
In this article, we will set up Second Way Authentication (SWA) using the 'employeeID' attribute for Security Questions. Unenrolled users would have to provide their Employee ID number, and the Password Center portal will match the answer with the value stored in the attribute to authenticate the user. The user would then be able to carry out the required task on the Password Center portal.
When setting up SWA via Security Questions, the administrator specifies a set of security questions along with associating a schema attribute with each of them. On the Password Center portal, the answer provided by a user for a question is matched to the value of that attribute in the directory. If answers to all questions match, the authentication will be successful and the requested action will be carried out.
SWA is disabled by default when a new identity store is created. The administrator has to enable it before unenrolled users can benefit from it.
To enable SWA:
- In GroupID Management Console, select the Identity Stores node.
- On the Identity Stores tab, double-click an identity store to open its properties.
- On the Configurations tab, select Second Way Authentication in the left pane.
- Select the Enable Second Way Authentication via Security Question check box and click the Add button.
- On the New Question dialog box, specify a question and select the employeeID attribute. Click OK.
- Click Apply.
Now when an unenrolled user tries to reset his or her password on the Password Center portal, he or she will be required to authenticate via SWA. On authenticating, the user is directed to the enrollment process before he or she is allowed to reset his or her password. This ensures SWA can only be used once in the lifetime of a user.
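As an added illustration (not GroupID's own code), the following Python models the SWA behaviour described above: each configured question is bound to a schema attribute, every answer must match the directory value of that attribute, and a successful SWA sends the user through enrollment so SWA cannot be used a second time. The directory records, the question list, whitespace trimming and the constant-time comparison are assumptions of this model.

```python
import hmac

# Constructed stand-in for the identity store (not a real directory): each
# record maps schema attribute names to values, plus an enrollment flag.
DIRECTORY = {
    "jdoe": {"employeeID": "104233", "mail": "jdoe@example.com", "enrolled": False},
    "asmith": {"employeeID": "207781", "mail": "asmith@example.com", "enrolled": True},
}

# SWA questions as an administrator would configure them: each question is
# bound to one schema attribute whose directory value is the expected answer.
SWA_QUESTIONS = [
    {"question": "What is your Employee ID number?", "attribute": "employeeID"},
]


def verify_swa(username, answers, directory=DIRECTORY, questions=SWA_QUESTIONS):
    """Return True only if the user is unenrolled and every answer equals the
    directory value of the attribute bound to that question."""
    record = directory.get(username)
    if record is None or record["enrolled"]:
        # SWA is only for unenrolled users; enrolled users use enrollment data.
        return False
    if len(answers) != len(questions):
        return False
    ok = True
    for question, given in zip(questions, answers):
        expected = record.get(question["attribute"])
        if expected is None:
            ok = False
            continue
        # Check every answer (no early exit) with a constant-time comparison;
        # trimming surrounding whitespace is an assumption of this model.
        if not hmac.compare_digest(str(expected).strip().encode(), str(given).strip().encode()):
            ok = False
    return ok


def swa_then_enroll(username, answers, directory=DIRECTORY):
    """Model the portal flow: a successful SWA leads straight to enrollment,
    after which SWA is refused for that account (single use per user)."""
    if not verify_swa(username, answers, directory):
        return "denied"
    directory[username]["enrolled"] = True  # enrollment completes before the reset
    return "enrolled; proceed to password reset"
```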
GroupID Online Help topic: Second Way Authentication - SWA