Assisted Password Reset
Assisted Password Reset is a feature of the Mideye Server that lets users reset their passwords through a web portal served by the Mideye Server. The process requires an Assisted Login Profile and LDAPS in order to work.
Create a new Password Reset portal
Navigate to 'External Endpoints' and click on 'Password Reset Endpoints'. Click the 'Add new Password Reset Endpoint...' button and the configuration menu is shown.
General Settings
- Assign a friendly name to the endpoint.
- Insert the generated 'reCAPTCHA site key' (optional).
- Insert the generated 'reCAPTCHA secret key' (optional).
- Set the text that is presented to the user during the password reset process to advise them about the process.
- Assign a name that makes it clear in the logs what the process was about.
- Max number of OTPs that can be delivered within a 1 minute time frame, per mobile number.
- Max number of OTPs that can be delivered within a 30 minute time frame, per mobile number.
- Total number of API calls that can be made within a 1 second time frame. Adjust this if the system starts to run inefficiently because of the number of API calls.
Note
Insert a reCAPTCHA site key and secret key if you wish to include CAPTCHA challenges in your Password Reset process. This is an optional feature and is not required for the password reset process to work. For more details about reCAPTCHA, refer to reCAPTCHA Enterprise.
Account and Assisted Login Settings
- Select the Assisted Login Profile you wish to use; it must contain the approvers who are allowed to approve the relevant users.
- Enable 'Use Mideye Database' if you wish to use DB users for approvals and user password resets.
- Specify which LDAP profile(s) to search for user accounts. Note that the corresponding LDAP service account needs to be flagged for password reset in the ADUC in order for the password reset process to work.
Session Settings
Everything under 'Session Settings' is related to the password reset process itself, e.g. which messages are presented to the user and the approver and which timeouts apply.
Some important timeout limits to keep in mind:
- Session timeout is set to 10 minutes by default (max: 1440 minutes).
- Default OTP length is 8 (max length: 10).
- Touch delivery timeout is set to 10 seconds by default (max: 600 seconds).
- Approver touch response timeout default is 30 seconds (max: 30 seconds).
End-user Experience
To start the password reset process, provide the 'Password Reset Portal URL' to the user who wishes to reset their password:
The user will arrive at this page where they are instructed to provide their username to start the reset process:
Afterwards the Mideye Server will ask for an OTP to confirm that it is the correct user that wants to reset their password:
Once the user has provided a valid OTP, the approver page will be presented to them. Here, the correct approver should be selected, followed by answering the optional questions:
Once the approver has approved the user to continue with the password reset process, the user will set the new password in the password fields:
Once the 'Change Password' button is pressed, a message confirming that the password has been changed will show up on the screen:
Configure reCAPTCHA for password reset portal
The password reset page in the Mideye server (https://{domain}/auth/reset-password) can be protected by Google reCAPTCHA. To use reCAPTCHA in the password reset process, it needs to be configured on Google's reCAPTCHA admin dashboard, and the obtained 'site key' and 'secret key' must be copied into the Mideye Server's password reset configuration.
Google reCAPTCHA is free up to one million requests per month; check the link below for more info:
Comparison of features between reCAPTCHA versions | reCAPTCHA Enterprise | Google Cloud
When reCAPTCHA is not configured, a user can start the password reset process by entering their username. The only protection in this case would be the Mideye OTP spam protection that limits the number of OTPs sent to the user’s mobile number within two time windows - the default configuration limits the number of OTP deliveries to 5 per minute and 30 per hour.
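The two OTP limits from 'General Settings' (per mobile number, a 1 minute and a 30 minute window) and the spam-protection defaults quoted above (5 per minute, 30 per hour) describe a pair of sliding windows that must both have room before an OTP is delivered. The following Python is an added illustration of that logic and is not Mideye's code; the class and function names, the burst pattern and the mobile numbers are all constructed for the example, and the window sizes follow the defaults stated in this paragraph.

```python
from collections import defaultdict, deque

# Default limits stated on the page: 5 OTP deliveries per minute and 30 per hour,
# counted per destination mobile number. Both windows apply at the same time.
DEFAULT_WINDOWS = ((60, 5), (3600, 30))


class OtpRateLimiter:
    """Sliding-window limiter for OTP deliveries, keyed on the mobile number.

    Hypothetical class written for this example; it is not Mideye's implementation.
    """

    def __init__(self, windows=DEFAULT_WINDOWS):
        # (window length in seconds, max deliveries in that window), shortest first
        self.windows = tuple(sorted(windows))
        self.longest = max(length for length, _ in self.windows)
        self.history = defaultdict(deque)  # mobile number -> delivery timestamps

    def allow(self, mobile, now):
        """Return True and record a delivery if every window still has room."""
        sent = self.history[mobile]
        # Forget deliveries older than the longest window; they can no longer count.
        while sent and now - sent[0] >= self.longest:
            sent.popleft()
        for length, limit in self.windows:
            if sum(1 for t in sent if now - t < length) >= limit:
                return False
        sent.append(now)
        return True


def simulate_bursts(limiter, mobile, bursts, attempts_per_burst=10, spacing=61.0):
    """Replay `bursts` bursts of rapid reset requests for one number, one minute apart.

    Returns (allowed, denied) totals so the effect of both windows is visible:
    the minute window caps each burst at 5, the hour window stops the 7th burst.
    """
    allowed = denied = 0
    for b in range(bursts):
        for i in range(attempts_per_burst):
            now = b * spacing + i * 0.1
            if limiter.allow(mobile, now):
                allowed += 1
            else:
                denied += 1
    return allowed, denied


if __name__ == "__main__":
    limiter = OtpRateLimiter()
    # Constructed mobile numbers, not real subscribers.
    print(simulate_bursts(limiter, "+46700000001", bursts=7))  # (30, 40)
    print(limiter.allow("+46700000002", 366.0))  # True: limits are tracked per number
```

Seven bursts of ten requests each yield 30 deliveries and 40 refusals: the first six bursts are each cut to 5 by the minute window, and the seventh is refused entirely because 30 OTPs have already gone out within the hour. A second number is unaffected, which is why the page stresses that the limit is per mobile number.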
How to configure reCAPTCHA on Google
- Start by going to Google's reCAPTCHA portal.
- Once there, specify the following:
  - Label
  - Type (select reCAPTCHA v2)
  - Domains
- Accept the reCAPTCHA terms of service.
- Send alerts to owners (optional).
- Click on 'Submit'.
Once redirected, copy the site key and the secret key. Paste these into the Mideye Server Password Reset Configuration page.
Password Reset flow with reCAPTCHA
With reCAPTCHA enabled, after entering the username the user has to pass a reCAPTCHA check before proceeding:
Checking the box will start the reCAPTCHA process:
Once done, the 'Start' button will no longer be greyed out:
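The 'Start' button becoming active is only the browser side of the flow; what protects the OTP step is the server checking the submitted reCAPTCHA token with the secret key before any OTP is sent. The following Python is an added example of that server-side gate and is not Mideye's code: the function names, the hostname, the token strings and the canned `fake_siteverify` responses are constructed so the example runs offline, while the endpoint URL and the `success`, `challenge_ts`, `hostname` and `error-codes` fields are those of Google's reCAPTCHA v2 verification API.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Google's documented verification endpoint for reCAPTCHA v2.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields):
    """Default transport: HTTPS POST of a URL-encoded form, JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret_key, expected_hostname, remote_ip=None,
                     now=None, max_age=timedelta(minutes=2), post=post_form):
    """Server-side check of the g-recaptcha-response token the browser submitted.

    The secret key never leaves the server; only the site key is embedded in the page.
    Returns (ok, reason). `post` is injectable so the check can be exercised offline.
    """
    if not token:
        return False, "missing-input-response"
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    result = post(SITEVERIFY_URL, fields)
    if not result.get("success"):
        # Google reports e.g. timeout-or-duplicate for a replayed token.
        return False, ",".join(result.get("error-codes", ["verification-failed"]))
    # The token must have been solved on our own portal, not on another site.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    # Reject stale tokens even if Google would still accept them.
    solved_at = datetime.strptime(result["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    solved_at = solved_at.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now - solved_at > max_age:
        return False, "token-too-old"
    return True, "ok"


def start_password_reset(username, token, secret_key, hostname, post=post_form, now=None):
    """Gate the first step of the reset flow: no OTP is sent until the CAPTCHA verifies."""
    ok, reason = verify_recaptcha(token, secret_key, hostname, post=post, now=now)
    if not ok:
        return {"user": username, "otp_sent": False, "reason": reason}
    return {"user": username, "otp_sent": True, "reason": "ok"}  # OTP delivery would follow here


def fake_siteverify(url, fields):
    """Constructed stand-in for Google's endpoint so the example runs offline.

    Token strings and the hostname are made up for this example.
    """
    good = {"success": True, "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "reset.example.com"}
    canned = {
        "tok-valid": good,
        "tok-replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
        "tok-other-site": dict(good, hostname="other.example.net"),
        "tok-stale": dict(good, challenge_ts="2024-01-01T11:00:00Z"),
    }
    return canned.get(fields["response"], {"success": False, "error-codes": ["invalid-input-response"]})


def demo():
    """Run the gate against each canned token at a fixed clock; returns token -> reason."""
    clock = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    tokens = ["tok-valid", "tok-replayed", "tok-other-site", "tok-stale", "tok-unknown", ""]
    return {t: start_password_reset("alice", t, "SECRET-KEY-PLACEHOLDER", "reset.example.com",
                                    post=fake_siteverify, now=clock)["reason"]
            for t in tokens}


if __name__ == "__main__":
    for token, reason in demo().items():
        print(f"{token or '<empty>'}: {reason}")
```

Only the first token leads to an OTP being sent; a replayed token, a token solved on another hostname, a stale token, an unknown token and an empty field are all refused before the OTP step, which is the point at which the spam protection described earlier would otherwise be the only defence.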
Setup LDAP service account for password reset in ADUC
To flag an LDAP service account for password reset in the ADUC, start by opening the ADUC for the domain where the account is located.
From there, right click on the domain:
Click on 'Delegate Control' and the delegation control wizard will popup:
Click on 'Next' and then the 'Add' button, to look for and add the service account that needs to reset the password. In this example, the account is named 'Con CS. Sultant':
Click on 'Next' and on the 'Tasks to Delegate' screen, check the 'Reset user passwords and force password change at the next logon' box:
Click on 'Finish' and the user should now be flagged for password reset.
If needed, it is also possible to check whether the user has been flagged properly by doing the following:
- Enable 'Advanced' features by clicking on 'View' → 'Advanced features'.
- Right click on the domain, and click on 'Properties'.
- In the properties tab, click on 'Security' → 'Advanced'.
- Search for the user that was flagged earlier.
If the process was completed correctly, the user should have the tag 'Reset Password' in the 'Access' field.
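The same check can be made against the domain object's security descriptor in SDDL form, which is what the 'Security' → 'Advanced' tab renders; one way to obtain it is `(Get-Acl 'AD:\DC=example,DC=com').Sddl` in PowerShell with the ActiveDirectory module (that command and its DN are an assumption for this example, not something the page shows). The Python below is an added example and not part of the Mideye documentation or of Windows tooling: the SDDL string and its SIDs are constructed, while the two GUIDs are the well-known Active Directory identifiers of the 'Reset Password' control access right and of the user object class. Listing every trustee with the right, not just the service account, is what an auditor wants to see.

```python
import re

# Well-known Active Directory GUIDs (extended-right and schema identifiers, not page-specific values):
RESET_PASSWORD_RIGHT = "00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"            # schema GUID of the user object class
DS_CONTROL_ACCESS = 0x100                                        # ADS_RIGHT_DS_CONTROL_ACCESS bit

DACL_RE = re.compile(r"D:[^(]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split the DACL of an SDDL string into ACE dicts.

    ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;trustee).
    """
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue  # conditional/resource ACEs are not handled here
        ace_type, flags, rights, obj_guid, inherit_guid, trustee = parts[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "object_guid": obj_guid.lower(), "inherit_guid": inherit_guid.lower(),
                     "trustee": trustee})
    return aces


def rights_include_control_access(rights):
    """True if the rights field carries CR (control access) or a generic right that implies it."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & DS_CONTROL_ACCESS)
    # Rights are concatenated two-letter codes; split first so "LCRP" is not read as "CR".
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"CR", "GA"})


def grants_reset_password(ace):
    """Allow ACE that covers the Reset Password right on user objects (or on everything)."""
    if ace["type"] not in ("A", "OA"):
        return False  # deny and audit ACEs are not grants
    if not rights_include_control_access(ace["rights"]):
        return False
    # Empty object GUID means every extended right; empty inherit GUID means every class.
    if ace["object_guid"] not in ("", RESET_PASSWORD_RIGHT):
        return False
    if ace["inherit_guid"] not in ("", USER_CLASS):
        return False
    return True


def reset_password_grantees(sddl):
    """Trustees (SIDs or SDDL aliases such as DA) allowed to reset user passwords."""
    return sorted({ace["trustee"] for ace in parse_dacl(sddl) if grants_reset_password(ace)})


# Constructed SDDL for a domain object, modelled on what the delegation wizard produces.
# The S-1-5-21-... SIDs are made up; ...-1105 stands for the delegated service account.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CIIO;CR;11111111-1111-1111-1111-111111111111;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-1111111111-2222222222-3333333333-1106)"   # placeholder GUID: some other extended right
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"              # Domain Admins: full control, includes CR
    "(A;;RPLCLORC;;;AU)"                                 # Authenticated Users: read only, no CR
)

if __name__ == "__main__":
    print(reset_password_grantees(SAMPLE_SDDL))  # ['DA', 'S-1-5-21-1111111111-2222222222-3333333333-1105']
```

On the constructed descriptor the delegated account (...-1105) and Domain Admins (DA) come back as grantees, while the account holding a different extended right (...-1106) and Authenticated Users do not. A real audit would additionally weigh deny ACEs and resolve the SIDs to names, which this example leaves out.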