Password management
The OneWelcome Identity Platform stores passwords in the credential store, which is located in the cloud as part of the identity and access core (IDAAS). When users log in using a password, the password is validated against the credential store.
The OneWelcome Identity Platform provides several password management interfaces to manage the registration and activation processes, and to change, set, and reset passwords.
Password policies
Password policies define the password requirements for your users.
The OneWelcome Identity Platform supports password policies that are considered commonly-accepted best practices. When commonly-accepted password policies are not considered sufficiently secure, you can use two-factor authentication (2FA) to enhance security.
Changing the password policy does not trigger a password migration process. Instead, the new password policy is applied whenever a user sets a new password.
Password complexity
The OneWelcome Identity Platform applies industry standard password rules that are considered best practices by commonly-used identity stores. It rejects passwords that include the username or that are the same as the formattedName.
The OneWelcome Identity Platform can enforce any combination of the following password complexity rules:
- Length: Specify a minimum and maximum password length. NIST Digital Identity Guidelines recommend a minimum length of at least eight characters.
- Allowed characters: Configure whitelisted characters. Characters not on this whitelist cannot be part of a password. The OneWelcome Identity Platform supports the following character sets for passwords:
  - special characters
  - uppercase characters
  - lowercase characters
  - digits
  It is a best practice to not allow spaces in passwords, although the OneWelcome Identity Platform supports passwords that contain spaces.
- Required characters: (Optional) Require characters from a character set, such as special characters or digits. You can configure the following optional rules as needed:
  - Minimum character requirements: (Optional) Specify the minimum number of characters for each character set.
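The rules above, combined into one validator as an added example (not OneWelcome code). The policy fields and the rule names it returns are assumptions; the username check is done case-insensitively, which is a stricter reading of "includes the username" than the page requires.

```python
import string
from dataclasses import dataclass, field

# Character sets named on this page; the names used as keys are an assumption.
CHARSETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}


@dataclass
class PasswordPolicy:
    min_length: int = 8          # NIST recommends at least eight characters
    max_length: int = 64
    allowed_sets: tuple = ("lowercase", "uppercase", "digits", "special")
    allow_spaces: bool = False   # page's best practice: no spaces, even though supported
    required_sets: tuple = ()    # e.g. ("digits", "special")
    min_per_set: dict = field(default_factory=dict)  # e.g. {"special": 2}


def check_password(policy, password, username="", formatted_name=""):
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    if not (policy.min_length <= len(password) <= policy.max_length):
        errors.append("length")
    # Whitelist: any character outside the allowed sets rejects the password.
    allowed = set().union(*(CHARSETS[s] for s in policy.allowed_sets))
    if policy.allow_spaces:
        allowed.add(" ")
    if any(ch not in allowed for ch in password):
        errors.append("disallowed_character")
    # Fixed rules from the page: no username inside, not equal to formattedName.
    lowered = password.lower()
    if username and username.lower() in lowered:
        errors.append("contains_username")
    if formatted_name and lowered == formatted_name.lower():
        errors.append("equals_formatted_name")
    # Optional rules: required sets and minimum count per set.
    for name in policy.required_sets:
        if not any(ch in CHARSETS[name] for ch in password):
            errors.append(f"missing_{name}")
    for name, minimum in policy.min_per_set.items():
        if sum(ch in CHARSETS[name] for ch in password) < minimum:
            errors.append(f"too_few_{name}")
    return errors
```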
Password history
The password history policy determines the number of unique new passwords that a user account can have before an old password can be reused. For every user, the OneWelcome Identity Platform keeps a password history against which any new password is checked. For security purposes, passwords are stored in a hashed format.
Password reuse is an important concern in any organization, because many users want to reuse the same password for their account over a long period. The longer the same password is used for a user account, the greater the risk that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse old passwords, the effectiveness of a good password policy is greatly reduced.
The password history policy includes the following settings:
- Tenants: You can enable the password history for each tenant.
- Password reuse: Users cannot reuse the last 10 passwords that they've used. This setting is configurable and defaults to 10.
- Password history period: Users cannot reuse any password that was set during the last year. The password history period is set to one year by default.
- Password history maximum: The password history maximum is 100 by default. After the maximum number of passwords are stored, the OneWelcome Identity Platform purges the oldest passwords.
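An added example (not OneWelcome code) of how the three history settings interact: a password is blocked if it is among the last N or was set within the history period, and the store is capped at the maximum by purging the oldest entries. History entries hold only a salted PBKDF2 hash; the choice of PBKDF2 and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

ONE_YEAR = 365 * 24 * 3600


class PasswordHistory:
    """Per-user history of previous password hashes."""

    ITERATIONS = 50_000  # assumed; tune to your hardware

    def __init__(self, reuse_count=10, history_period=ONE_YEAR, history_max=100):
        self.reuse_count = reuse_count        # "last 10 passwords" by default
        self.history_period = history_period  # one year by default
        self.history_max = history_max        # 100 by default
        self.entries = []  # (set_at, salt, digest), oldest first

    @classmethod
    def _hash(cls, password, salt):
        # Salted, slow hash so the stored history never reveals old passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def is_reused(self, password, now=None):
        """True if the candidate matches a password still covered by the policy."""
        now = time.time() if now is None else now
        n = len(self.entries)
        for i, (set_at, salt, digest) in enumerate(self.entries):
            in_last_n = i >= n - self.reuse_count
            in_period = now - set_at < self.history_period
            if (in_last_n or in_period) and hmac.compare_digest(self._hash(password, salt), digest):
                return True
        return False

    def record(self, password, now=None):
        """Append the newly set password and purge the oldest beyond the maximum."""
        now = time.time() if now is None else now
        salt = os.urandom(16)
        self.entries.append((now, salt, self._hash(password, salt)))
        if len(self.entries) > self.history_max:
            del self.entries[: len(self.entries) - self.history_max]
```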
Processes that enforce password rules
The OneWelcome Identity Platform applies the password rules during the following processes:
- activation
- password reset
- password change
Password management with the SCIM API
The OneWelcome Identity Platform provides a SCIM API, which allows client applications to manage users and their passwords. You can use the SCIM API to provision the OneWelcome Identity Platform with identities. The SCIM API offers the following password management functionality:
- POST method to create a new user and set the initial password.
- PATCH and PUT methods to update an existing user's password.
- Passwords can be submitted as plain text in the request body, but can also be submitted in a hashed format. OneWelcome supports various hashing algorithms.
- The OneWelcome Identity Platform applies a password policy (complexity rules) when passwords are set or updated using the SCIM API.
The OneWelcome Identity Platform does not apply password rules on passwords that are set through the SCIM API. This allows SCIM clients to migrate users with weak passwords, and then the OneWelcome Identity Platform enforces stronger passwords when a password is changed. It is not possible to enforce a password policy when hashed passwords are submitted with the SCIM API.
Supported hashing algorithms
The OneWelcome Identity Platform supports the following hashing algorithms:
- 3DES
- AES
- BASE64
- BLOWFISH
- CLEAR
- CRYPT
- MD5
- PBKDF2
- RC4
- SHA
- SMD5
- SSHA
- SSHA256
- SSHA384
- SSHA512
- RSSHA1
- RSMD5
User self-service
Users can set their password through various processes:
- Registration process: When users subscribe for an account, they are asked to choose a password for their new account.
- Activation processes: Various activation processes allow users to set their initial password. The processes differ in how they are triggered and which profile details the user must provide to activate their account.
- Password change processes: Users replace their current password, and still know the current password. A user can choose to change their own password using the self-service page, or they can be triggered to change a password that is about to expire.
- Password reset processes: Password reset processes allow users to reset forgotten passwords.
Password reset
You can configure the OneWelcome Identity Platform to use one of the following password reset mechanisms:
- Password reset link in email.
- Password reset link in email, and password reset code in SMS, when 2FA is enforced.
The OneWelcome Identity Platform does not support multiple password reset processes for one tenant or brand. The choice of the password reset process is determined by a static configuration and does not rely on user data or credentials.
The links that are used for password reset have the following characteristics:
- They can be used only once (like a one-time password).
- They expire after a configurable period.
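The two link properties above, implemented as an added example (not OneWelcome code): tokens are random, stored only as a hash, consumed on first use, and rejected after a configurable lifetime. The default lifetime and the placeholder URL are assumptions.

```python
import hashlib
import secrets
import time


class ResetLinkStore:
    """Issues single-use, expiring password reset links."""

    def __init__(self, ttl_seconds=3600):  # assumed default; the period is configurable
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user_id, issued_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked store yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a fresh link for the user and return it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, now)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def redeem(self, token, now=None):
        """Return the user_id if the token is live; None if unknown, used, or expired.
        The entry is removed on every attempt, so a token can never succeed twice."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > self.ttl:
            return None
        return user_id

    def invalidate_user(self, user_id):
        """Drop every outstanding link for a user, e.g. once a reset completes."""
        self._pending = {k: v for k, v in self._pending.items() if v[0] != user_id}
```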
Password guidelines
Whenever a user chooses a new password, the user interface displays a message that includes password guidelines:
- list of password complexity rules, which depend on your configuration
- the option to show the password
- password confirmation, where the user re-enters their new password
The password message does not include a password strength bar or a visual indicator that confirms when the password rules are met.
Password reset flow
The OneWelcome Identity Platform supports the following flow to reset a forgotten password:
- Request password reset: On the login page, users click the password reset link, and are directed to a form where they enter their email address or username.
- Authentication: After requesting a password reset, users must be authenticated without the forgotten password. Users receive the password reset email, and the password reset code in SMS, if configured.
- Execution of password reset: After successful authentication, users choose a new password by entering it twice. Users are immediately logged in at the end of the password reset process.
Password expiry
Password expiry is a common practice, particularly for employee accounts and, to a lesser extent, for consumer accounts. You can enable password expiry for each segment.
You can configure the password validity period. The default password validity period is 183 days. Some users might log in to their account only a few times per year, so if the validity period is short, those users might use their password only a few times before it expires.
You can also configure the password expiry warning period, which is 14 days by default.
If a password doesn't have a start date, the OneWelcome Identity Platform uses the date of the most recent update to the user profile.
Note
Many security specialists (such as NIST) don't value password expiry as a best practice. They consider that users tend to choose weaker memorized passwords when they know that they will have to change them in the near future. Therefore, avoid using password expiry for consumer accounts.
User experience for password expiry
When a user logs in with a password that is approaching expiration, they are prompted to change their password, with an option to skip the password reset and access their account. If they choose to change their password, they are directed to the password reset flow.
When a user logs in with a federated social account, the password they might have in the OneWelcome Identity Platform is not validated.
In case of 2FA, the password expiry message appears after the user enters their password, but before the second authentication step.