
Password-based AuthN

Password-based authentication offers an easy way of authenticating users. In password authentication, the user must supply a password that is stored by Sequel Security Service. Passwords are stored hashed and have to follow a password policy.

Basic configuration

Password-based authentication can be enabled at appsettings.json in the authentication service: LoginSettings.IdentityProvidersSettings.Sequel.Enabled

Password policy

A password policy is a set of rules that govern how passwords are administered. Sequel Security service supports multiple password policies. The password policy can be partially configured to suit the security requirements at Security Rest API's appsettings.json file in the PasswordPolicySettings property.

Rules (property, description, default):

  • RequiredLength: the minimum length of the password. Default: 6
  • RequiredUniqueChars: the minimum number of distinct characters in the password. Default: 5
  • RequireNonAlphanumeric: requires a non-alphanumeric character in the password. Default: true
  • RequireLowercase: requires a lowercase character in the password. Default: true
  • RequireUppercase: requires an uppercase character in the password. Default: true
  • RequireDigit: requires a digit (0-9) in the password. Default: true
  • RequireUserNameCheck: requires that the password does not contain the first 3 characters of the username, first name or last name. Default: true
  • ExpireAfterDays: expires the password and forces the user to set a new one. Applies to users whose PasswordExpiryDateUtc is populated. Default: 90
  • RequireDifferent: requires the new password to be different from the previous one. This rule is not configurable and is always active. Default: true
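The following is an added example, not code from Sequel Security Service: a checker that applies the rules and defaults listed above to a candidate password. The PasswordPolicySettings field names mirror the documented properties; CandidateUser, hash_password, validate_password and the sample user record are assumptions made for the example.

```python
# Added example; not code from Sequel Security Service. It applies the policy rules
# and defaults from the table above. The PasswordPolicySettings field names mirror the
# documented properties; CandidateUser, hash_password and validate_password are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicySettings:
    """Defaults as documented above; RequireDifferent has no setting because it is always on."""
    RequiredLength: int = 6
    RequiredUniqueChars: int = 5
    RequireNonAlphanumeric: bool = True
    RequireLowercase: bool = True
    RequireUppercase: bool = True
    RequireDigit: bool = True
    RequireUserNameCheck: bool = True


@dataclass
class CandidateUser:
    """Assumed shape of the user data the rules need; the current password is kept only as a salted hash."""
    username: str
    first_name: str
    last_name: str
    salt: bytes
    previous_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow hash the service uses (not specified on the page)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _contains_prefix(password: str, value: str, n: int = 3) -> bool:
    # RequireUserNameCheck forbids the first 3 characters of username, first name or last name
    prefix = value[:n].lower()
    return len(prefix) == n and prefix in password.lower()


def validate_password(password: str, user: CandidateUser,
                      policy: PasswordPolicySettings = PasswordPolicySettings()) -> List[str]:
    """Return the names of the violated rules; an empty list means the password is accepted."""
    violations: List[str] = []
    if len(password) < policy.RequiredLength:
        violations.append("RequiredLength")
    if len(set(password)) < policy.RequiredUniqueChars:
        violations.append("RequiredUniqueChars")
    if policy.RequireNonAlphanumeric and all(c.isalnum() for c in password):
        violations.append("RequireNonAlphanumeric")
    if policy.RequireLowercase and not any(c.islower() for c in password):
        violations.append("RequireLowercase")
    if policy.RequireUppercase and not any(c.isupper() for c in password):
        violations.append("RequireUppercase")
    if policy.RequireDigit and not any(c in "0123456789" for c in password):
        violations.append("RequireDigit")
    if policy.RequireUserNameCheck and any(
        _contains_prefix(password, v) for v in (user.username, user.first_name, user.last_name)
    ):
        violations.append("RequireUserNameCheck")
    # RequireDifferent is always active: compare hashes in constant time
    if hmac.compare_digest(hash_password(password, user.salt), user.previous_hash):
        violations.append("RequireDifferent")
    return violations


def sample_user() -> CandidateUser:
    """Constructed sample record (not real data) whose current password is 'OldPass#1'."""
    salt = b"constructed-demo-salt"
    return CandidateUser("jsmith", "John", "Smith", salt, hash_password("OldPass#1", salt))


if __name__ == "__main__":
    user = sample_user()
    for candidate in ("short", "Johnny#2024", "OldPass#1", "Tr0ub4dor&3"):
        print(candidate, "->", validate_password(candidate, user) or "accepted")
```

Returning the list of violated rules rather than a single boolean lets the login UI tell the user which requirement failed, and the RequireDifferent check works on the stored hash so the old password never needs to be held in clear text.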

Password lockout policy

Password lockout policies are used to lockout an account when someone tries to log on unsuccessfully several times in a row. We can usually assume that a legitimate user might type his or her password incorrectly once or twice, but not numerous times. Thus, numerous failed login attempts can indicate that someone is trying a brute-force password attack. Password lockout is not configurable and is based on:

  • LockoutMaxAttempts: The account lockout threshold specifies the number of failed attempts at logon a user is allowed before the account is locked. This value is set to 3 attempts. After the threshold has been reached, the account will be locked out.
  • LockoutDuration: The account lockout duration specifies the time in minutes that the account can be locked out. This value is set to 5 minutes. A user account is locked when property LockoutEndDateUtc is populated and has a value in the future.

The password lockout counter is reset after a valid login.

The lockout policy is enabled by default for all users; however, it can be disabled for individual users by setting LockoutEnabled to false on the user's record.

Password expiration

When a new user is created, a password expiry date is set as well. By default this is 90 days from creation and may be changed in the appSettings.json of Authorization. If the user tries to log in after the expiry date, a message is shown in the login UI requesting the user to change the password. The default number of expiration days can be customized at appsettings.json in SecurityApi with the property PasswordPolicySettings.ExpireAfterDays.
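The following is an added example, not the service's own code: it evaluates a login attempt the way the lockout and expiration sections describe. LockoutMaxAttempts, LockoutDuration, LockoutEnabled, LockoutEndDateUtc, PasswordExpiryDateUtc and ExpireAfterDays are the documented names and values; UserRecord, the failed-attempt counter, hash_password, evaluate_login and the constructed clock are assumptions.

```python
# Added example; not the service's own code. It evaluates a login attempt the way the
# lockout and expiration sections describe. LockoutMaxAttempts, LockoutDuration,
# LockoutEnabled, LockoutEndDateUtc, PasswordExpiryDateUtc and ExpireAfterDays are the
# documented names; UserRecord, the failed-attempt counter, hash_password and
# evaluate_login are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LOCKOUT_MAX_ATTEMPTS = 3                    # LockoutMaxAttempts (fixed, not configurable)
LOCKOUT_DURATION = timedelta(minutes=5)     # LockoutDuration (fixed, not configurable)
EXPIRE_AFTER_DAYS = 90                      # PasswordPolicySettings.ExpireAfterDays default

DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock for the demo


def at(minutes: int = 0, days: int = 0) -> datetime:
    """Point in time relative to the constructed demo clock."""
    return DEMO_NOW + timedelta(minutes=minutes, days=days)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes
    LockoutEnabled: bool = True
    failed_attempts: int = 0                          # assumed name for the lockout counter
    LockoutEndDateUtc: Optional[datetime] = None
    PasswordExpiryDateUtc: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in slow hash; the page only says passwords are stored hashed
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_user(username: str, password: str, created_at: datetime) -> UserRecord:
    """Creating a user also sets the expiry date ExpireAfterDays in the future."""
    salt = b"constructed-demo-salt"   # constructed; a real store draws this from os.urandom
    return UserRecord(
        username, salt, hash_password(password, salt),
        PasswordExpiryDateUtc=created_at + timedelta(days=EXPIRE_AFTER_DAYS),
    )


def is_locked_out(user: UserRecord, now: datetime) -> bool:
    # Locked while LockoutEndDateUtc is populated and still in the future
    return (user.LockoutEnabled
            and user.LockoutEndDateUtc is not None
            and user.LockoutEndDateUtc > now)


def evaluate_login(user: UserRecord, supplied: str, now: datetime) -> str:
    """Returns 'locked_out', 'failed', 'password_expired' or 'ok'."""
    if is_locked_out(user, now):
        return "locked_out"
    if not hmac.compare_digest(hash_password(supplied, user.salt), user.password_hash):
        if user.LockoutEnabled:
            user.failed_attempts += 1
            if user.failed_attempts >= LOCKOUT_MAX_ATTEMPTS:
                user.LockoutEndDateUtc = now + LOCKOUT_DURATION
                user.failed_attempts = 0   # assumption: counter restarts once the lock is applied
                return "locked_out"
        return "failed"
    user.failed_attempts = 0               # documented: counter resets after a valid login
    if user.PasswordExpiryDateUtc is not None and now > user.PasswordExpiryDateUtc:
        return "password_expired"          # login UI asks the user to change the password
    return "ok"


if __name__ == "__main__":
    u = new_user("jsmith", "Tr0ub4dor&3", at())
    for attempt, when in (("wrong", at()), ("wrong", at()), ("wrong", at()),
                          ("Tr0ub4dor&3", at(minutes=4)), ("Tr0ub4dor&3", at(minutes=6)),
                          ("Tr0ub4dor&3", at(days=91))):
        print(when.isoformat(), "->", evaluate_login(u, attempt, when))
```

Note that the lockout check runs before the password is verified, so a locked account gives the same answer for a correct and an incorrect password, and the expiry check runs only after a successful verification, which is where the login UI would prompt for a new password.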

Edit Expired Password User

An administrator user may change the expiry date of an existing user by editing the user in the edit drawer and picking a new date in the Date Picker. Setting a custom date is not allowed when creating a user in the Admin UI; the default value is the one set in the appsettings.

Forgot and reset password

The password reset option is defined outside of the scope of a logged-in user so that users who forgot their passwords could also reset their passwords. The reset password flow is based on a recovery email with a link that will kick off the password reset process. In this email the user receives a link that is valid for a short period of time; following this link the user will be able to reset his password.

The reset password is also the mechanism for providing a password to new users. There are two options:

  • Administrator user forces to send the reset email, or
  • User goes to the login page and requests to reset the password.

The reset password flow

authN-password-reset-flow.png

Kick-off

There are two methods for resetting a password:

Not logged users

Anyone can request a password reset without being logged in. To reset the password:

Go to login page.

Click on Forgot Password?. The Reset Password page (/ForgotPassword) will be loaded.

At the Reset Password page, enter the user's email. Confirm the captcha if configured and click on Reset password.

authN-password-reset-logged-user.png

The Reset Password email confirmation page is always displayed:

  • if the email does not exist; this is done so that the page does not confirm to malicious users that the email exists in the system.
  • if the email exists, a notification is sent to the user associated with this email.

authN-password-reset-confirmation.png

Logged users

A logged user can reset his password from the MyAccount page (/MyAccount), clicking on Reset password. Once at Reset Password page, the process is the same for Not logged users.

authN-password-reset-logged-user.png

If the user arrived at the MyAccount page from the user's component of any application by clicking on the Manage account link, the user will be redirected to that application after completing the process.

WebComponent

Administrator on behalf of any user

An administrator user can request a reset email for any user. For resetting the password of any user:

Go to Administration web site as an administrator

Go to Users page /users

Find the user that needs to reset his password.

Click on the contextual menu of this user and click on the Reset Password option.

authN-password-reset-adminUI.png

Notification

There are two mechanisms for handling the reset password notification:

Built-in recovery email

The user will be notified with an email that contains the link for actually resetting the password. Some important configurations affect this delivery system:

  • Send email support
    • Email sending must be configured and working (at appsettings.json in Security API: SendEmailSettings property).
    • SendEmailSettings.SendForgotPasswordEmail is enabled.
    • The sender email address is defined at SendEmailSettings.ForgotPasswordFromEmail.
  • Email template. The email sent can be customized with the settings below, stored in the database in the [configuration].[settings] table.
    • ForgotPasswordEmailSubjectTemplate: Defines the subject of the email.
    • ForgotPasswordEmailBodyTemplate: Defines the body of the email.
    • Both templates support three tags:
      • First name: {user-firstname}.
      • Last name: {user-lastname}.
      • Link for resetting the password: {url-resetpassword}.

Message bus notification

A message of type ForgotPassword is also published on the bus to notify the event. This is meant to be used by other products, or in scenarios where the reset password flow must be customized; in those scenarios it is likely that SendEmailSettings.SendForgotPasswordEmail will be switched off.

At some point, the user will receive the link for resetting the password. This link will be valid for a limited period of time.
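The following is an added example, not the product's code, and it walks through the kick-off and notification steps described above: the Reset Password confirmation page is shown whether or not the address exists, a ForgotPassword event is published, the email is rendered from ForgotPasswordEmailSubjectTemplate and ForgotPasswordEmailBodyTemplate using the three documented tags, and the link is valid only for a limited time. The token format, the 30-minute lifetime, the in-memory user and token stores, the template texts and all function names are assumptions.

```python
# Added example; not the product's code. Kick-off, recovery email and link redemption
# as described on the page: same confirmation page for unknown and known addresses,
# ForgotPassword event on the bus, templates rendered with the three documented tags,
# time-limited single-use link. Token format, lifetime, stores and names are assumptions.
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TOKEN_LIFETIME = timedelta(minutes=30)   # assumed; the page only says "a short period of time"

# Constructed directory: email -> (first name, last name)
USERS: Dict[str, Tuple[str, str]] = {"ana@example.com": ("Ana", "Garcia")}

# Assumed values for the two [configuration].[settings] rows
SETTINGS = {
    "ForgotPasswordEmailSubjectTemplate": "Password reset for {user-firstname}",
    "ForgotPasswordEmailBodyTemplate":
        "Hello {user-firstname} {user-lastname}, open {url-resetpassword} to set a new password.",
}
SEND_EMAIL_SETTINGS = {"SendForgotPasswordEmail": True}

BUS: List[dict] = []                              # stand-in for the message bus
_tokens: Dict[str, Tuple[str, datetime]] = {}     # sha256(token) -> (email, expiry)

DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock for the demo


def at(minutes: int = 0) -> datetime:
    return DEMO_NOW + timedelta(minutes=minutes)


def render(template: str, first: str, last: str, url: str) -> str:
    """Substitute the three tags the page documents for both templates."""
    return (template.replace("{user-firstname}", first)
                    .replace("{user-lastname}", last)
                    .replace("{url-resetpassword}", url))


def request_reset(email: str, now: datetime,
                  base_url: str = "https://security.example.invalid/ResetPassword") -> Tuple[str, Optional[dict]]:
    """Returns (page to show, email to send). The page never reveals whether the address exists."""
    user = USERS.get(email.strip().lower())
    if user is None:
        return "ResetPasswordConfirmation", None
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked store cannot be turned into valid links
    _tokens[hashlib.sha256(token.encode()).hexdigest()] = (email.lower(), now + TOKEN_LIFETIME)
    url = f"{base_url}?token={token}"
    BUS.append({"type": "ForgotPassword", "email": email.lower()})   # always published
    if not SEND_EMAIL_SETTINGS["SendForgotPasswordEmail"]:
        return "ResetPasswordConfirmation", None                      # a bus consumer delivers instead
    first, last = user
    message = {
        "subject": render(SETTINGS["ForgotPasswordEmailSubjectTemplate"], first, last, url),
        "body": render(SETTINGS["ForgotPasswordEmailBodyTemplate"], first, last, url),
    }
    return "ResetPasswordConfirmation", message


def token_from_message(message: dict) -> str:
    """Pulls the token back out of the rendered link (what the user's click would carry)."""
    return message["body"].split("token=", 1)[1].split(" ", 1)[0]


def redeem_token(token: str, now: datetime) -> Optional[str]:
    """Returns the email the link belongs to, or None if unknown, expired or already used."""
    entry = _tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    email, expires = entry
    return email if now <= expires else None


if __name__ == "__main__":
    print(request_reset("nobody@example.com", at()))
    page, msg = request_reset("ana@example.com", at())
    print(page, msg["subject"])
    tok = token_from_message(msg)
    print(redeem_token(tok, at(10)), redeem_token(tok, at(10)))
```

The two branches of request_reset return the identical page so that response content cannot be used to tell registered addresses from unknown ones; only the side effects (the bus event and the email) differ. Redemption pops the hashed token from the store before checking its expiry, which makes each link single-use as well as time-limited.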

User resets the password

When the user clicks on the link, if the link is still valid, the user will be allowed to enter a new password, which must follow the password policy.

User is redirected to caller application (optional)

When the user started the reset password process from an application that passed a return URL, the user will be redirected to that URL once the reset is completed successfully.

reCAPTCHA

The reset password flow can be protected from automated abuse and attacks by enabling reCAPTCHA. We use Google's reCAPTCHA v2 system (https://www.google.com/recaptcha), and every installation must have its own captcha created and configured from Google's reCAPTCHA admin console; please check the Security Installation Guide for more details.