Jump to content

GBS-IT

Members
  • Content Count

    3
  • Joined

  • Last visited

Everything posted by GBS-IT

  1. Hi, We currently present the Password Reset portal externally through an f5 and have brute force protection on PIN Validation attempts, on failure we (the f5) TRY to* (edit) inject CAPTCHA into the responses. But they don't work properly and are unusable. Now please excuse my ignorance of coding or web page development (I have no idea what the meaning of this is or what the impact is to the Password Rest Portal site\function). The f5 product development team have come back saying that their Single Page Architecture (SPA) features only supports Asynchronous AJAX requests. Their Response: The "Step 2:Verify" page triggers an AJAX request (/account/LoginTempPincode) when user submits a PIN Number after clicking the "Next" button. Following code also suggest request for "/account/LoginTempPincode" is AJAX synchronous request. =================================================== $.ajax({ url: "/account/LoginTempPincode", data: { Username: myUserID, PinNumber: myPinNumber, setPin: $('#mykey').val(), FirstName: $('#FirstName').val(), Surname: $('#Surname').val() }, dataType: "json", type: "POST", async: false, <<<<===================================== tweak this to true (i.e. asynchronous) success: function (data) { if (data.Success) { $msg.hide(); window.location.href = '/Account/Reset'; =================================================== Tweaking "async: false" to "async: true" is expected to address this specific issue.
  2. We have a scenario where most of our users (90%, i.e thousands ) using the password reset portal are using personal email accounts i.e gmail. Email changes occur quite frequently at the moment, and they are all using the email temp PIN policy. We notice this behavior: User has email address in AD User auto enrols into Temp PIN policy User Email changes in AD Windows service runs Users new email updates and changes in password state “Account Details” Users new email does not update in “verification methods” Is it possible to have a feature (maybe a tick box) that allows for the AD email fields to keep in sync with the verification method email address? This logic does may not work for standard office users if we wanted to expand it to them later on i.e. who have domain accounts. If it could be filtered to a security group that would be good. Cheers, Rob.
  3. Within the Password Reset Portal, when the user fails to reset their password due to either matching the black list or domain \ passwordstate password policy. Can the error message: 1) - stay on screen for longer i.e 30 seconds. At the moment it goes away after about 2-3 seconds 2) be specific for which policy it failed against. i) domain policy ii) passwordstate policy iii) Have I been Pwned API. Tested this works for all situations and the generic message you configure is the same. Thanks, Rob.
×
×
  • Create New...