Applies To:

GroupID 8 and above - Password Center

Business Scenario:

Using GroupID Password Center, enrolled users can reset their forgotten passwords and unlock their identity store accounts after authenticating themselves on the basis of information they provided at the time of enrollment. Users can authenticate themselves by Security Questions, SMS Verification, Email Verification, Google/Microsoft Authenticator, Link Account, Phone ID (GroupID Phone app), YubiKey, or Windows Hello.

What if a user has ignored notifications and did not enroll in GroupID? How can this user reset his or her password or unlock his or her account?


Second Way Authentication (SWA) will come to the rescue here. SWA is an alternate authentication method for un-enrolled users. This feature allows un-enrolled users to authenticate themselves on a Password Center portal in any of the following ways:

  • Security Questions – The administrator specifies a set of security questions and links a schema attribute with each of them. On the Password Center portal, the answer provided by a user for a question is matched to the value of the linked attribute in the directory. When answers to all questions match, authentication is successful and the user can perform the required action in the Password Center portal.
  • Mobile - A code is sent to the user's mobile phone number. This number is fetched from a directory attribute. To authenticate, the user has to re-enter the code in the Password Center portal.
  • Email - A code is sent to the user's email address. This address is fetched from a directory attribute. To authenticate, the user has to re-enter the code in the Password Center portal.

Steps to Enable SWA:

SWA is disabled by default when a new identity store is created. The administrator has to enable it before un-enrolled users can benefit from it.

In this article, we will set up Second Way Authentication using the 'employeeID' attribute for Security Questions.

  1. In GroupID Management Console, select the Identity Stores node.
  2. On the Identity Stores tab, double-click an identity store to open its properties.
  3. On the Configurations tab, select Second Way Authentication in the left pane.

  4. Select the Enable Second Way Authentication via Security Question check box and click the Add button.
  5. On the New Question dialog box, specify a question and select the employeeID attribute. Click OK.
  6. Click Apply and then OK.

Now when an un-enrolled user tries to reset his or her password on the Password Center portal, he or she will be required to authenticate via SWA. On authenticating, the user is directed to enroll his or her account in GroupID. This ensures SWA can only be used once in the lifetime of a user.
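Because the answer to an SWA security question is matched against the value of the linked directory attribute, it is worth auditing that attribute before enabling the feature. The following PowerShell is an added example, not part of GroupID or its documentation. It assumes an Active Directory identity store; the function name `Test-SwaAttribute` and the minimum-length threshold are hypothetical choices for illustration.

```powershell
# Added example: audit the attribute linked to an SWA security question.
# Flags enabled accounts whose value is missing, shared with another
# account, or shorter than an assumed minimum length.
function Test-SwaAttribute {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string] $Attribute = 'employeeID',
        [int] $MinLength = 6   # assumed threshold; adjust to your ID format
    )
    $enabled   = @($Users | Where-Object { $_.Enabled })
    $withValue = @($enabled | Where-Object {
        -not [string]::IsNullOrWhiteSpace($_.$Attribute) })

    # Values held by more than one account: one answer fits several users.
    $dupes = @{}
    $withValue |
        Group-Object -Property { ([string]$_.$Attribute).Trim() } |
        Where-Object Count -gt 1 |
        ForEach-Object { $dupes[$_.Name] = $true }

    foreach ($u in $enabled) {
        $value   = ([string]$u.$Attribute).Trim()
        $finding = $null
        if (-not $value)                      { $finding = 'Missing' }
        elseif ($dupes.ContainsKey($value))   { $finding = 'Duplicate' }
        elseif ($value.Length -lt $MinLength) { $finding = 'Short' }
        if ($finding) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Finding        = $finding
            }
        }
    }
}

# Constructed sample data so the function runs without a directory.
# Against a real domain (ActiveDirectory module), pass instead:
#   Get-ADUser -Filter * -Properties employeeID
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  employeeID = 'E104233' }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  employeeID = $null }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  employeeID = 'E200001' }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $true;  employeeID = 'E200001' }
    [pscustomobject]@{ SamAccountName = 'erin';  Enabled = $true;  employeeID = '42' }
    [pscustomobject]@{ SamAccountName = 'frank'; Enabled = $false; employeeID = $null }
)
Test-SwaAttribute -Users $sample | Format-Table -AutoSize
```

The same function can be pointed at the attributes used for the Mobile and Email options by changing `-Attribute` and `-MinLength`.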


GroupID Online Help topic: Second Way Authentication - SWA