Access recovery#

Console settings#

The Permissible attributes for search setting of the access recovery service defines the attributes by which the account is searched.

With the Attributes for verification setting, you can define which attribute values the user must additionally enter during the password recovery process to prove account ownership. Requiring such verification makes brute-force password reset attempts through the Forgot Password form harder. On the main page, the user will be prompted for the attributes to match (e.g. last name), and recovery will only proceed if the account found has an identical attribute value.

The Verify that there are users who have permission to change password in the found account option specifies that if the found user has a related (“parental”) account authorized to change the password for this user, a warning will be displayed when attempting to recover the password.

The Possible recovery access contacts setting defines the attributes holding the contacts (email addresses and/or mobile phone numbers) that are used to recover access. Such attributes must be defined in the Data sources section as an email address or a mobile phone number.

Using the Total attempts and Blocking time when attempts are exceeded, in min. settings, you can limit, per account, the number of requests to send a confirmation code and the number of unsuccessful entries of confirmation codes sent by email and SMS. If the limit is exceeded, password recovery for the account is temporarily blocked.

The Need for additional verification setting determines in which cases additional authentication must be performed during access recovery. Possible setting values:

  • Not required – no additional authentication required;

  • According to user settings in Profile – additional authentication is required if the user has enabled two-factor authentication for their account;

  • Always required – additional authentication is always required;

  • Required if available – additional authentication is required if at least one of the methods specified in the List of methods setting is available for a user.

If additional authentication is required, the List of methods setting selects the authentication methods available to confirm access recovery: a confirmation code received by e-mail, a confirmation code received by SMS, a code generated by a TOTP application, or the answer to a security question.

The Drop inactivity lock after restoring access setting specifies that password recovery is allowed for accounts locked out due to long-term inactivity, and that the long-term inactivity lockout should be canceled after password replacement as a result of successful recovery.

../_images/recovery_en.png

Form texts#

After defining the set of verification attributes, you must specify the corresponding texts in the access recovery form. To do this, use the standard algorithm. Add texts for the following lines:

  • recovery.page.verify.<attribute_name>.label: name of the field for entering the attribute value;

  • recovery.page.verify.<attribute_name>.placeholder: text inside the field for entering the attribute value.

Example of setting texts for the phone_number and family_name attributes#
recovery.page.verify.phone_number.label=Mobile phone number
recovery.page.verify.phone_number.placeholder=Enter your phone number
recovery.page.verify.family_name.label=Last name
recovery.page.verify.family_name.placeholder=Enter your last name
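As an added example (not part of the product documentation), a small Python check that, given the attributes configured in the Attributes for verification setting, verifies that the form texts contain both the .label and .placeholder key for each attribute, flags duplicate keys (a duplicate silently overwrites the earlier value, leaving the other key absent) and reports keys for attributes that are not configured. The sample texts are constructed and deliberately repeat the family_name placeholder key.

```python
import re
from collections import Counter

# Constructed sample texts: the family_name .placeholder key appears twice,
# so the family_name .label key is missing from the form.
SAMPLE_TEXTS = """\
recovery.page.verify.phone_number.label=Mobile phone number
recovery.page.verify.phone_number.placeholder=Enter your phone number
recovery.page.verify.family_name.placeholder=Last name
recovery.page.verify.family_name.placeholder=Enter your last name
"""

KEY_RE = re.compile(
    r"^recovery\.page\.verify\.(?P<attr>[A-Za-z0-9_]+)\.(?P<kind>label|placeholder)$"
)
REQUIRED_KINDS = ("label", "placeholder")


def parse_texts(text):
    """Parse key=value lines; return (mapping, sorted list of duplicated keys)."""
    seen = Counter()
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        key = key.strip()
        seen[key] += 1
        mapping[key] = value.strip()  # a later duplicate overwrites the earlier value
    duplicates = sorted(k for k, n in seen.items() if n > 1)
    return mapping, duplicates


def check_verify_texts(text, verify_attributes):
    """Return missing required keys, duplicated keys and keys for unconfigured attributes."""
    mapping, duplicates = parse_texts(text)
    missing = [
        f"recovery.page.verify.{attr}.{kind}"
        for attr in verify_attributes
        for kind in REQUIRED_KINDS
        if f"recovery.page.verify.{attr}.{kind}" not in mapping
    ]
    stray = sorted(
        key for key in mapping
        if (m := KEY_RE.match(key)) and m.group("attr") not in verify_attributes
    )
    return {"missing": missing, "duplicates": duplicates, "stray": stray}
```

Running `check_verify_texts(SAMPLE_TEXTS, ["phone_number", "family_name"])` reports the missing family_name .label key and the duplicated .placeholder key, which is exactly the mistake to look for before publishing the form texts.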