AFFIRM - Account and Password Management
To make passwords more secure and aligned with industry standards, AFFIRM includes self-service tools to manage user names and passwords. The goal is stronger password security for AFFIRM users who do not use SSO. Below is a description of the functions available to manage both passwords and user names more effectively on the AFFIRM platform.
Login Page Design and Functionality Changes
The Login page includes three self-service features:
- Reset Password button: Requires a valid user name and password combination. The user will be redirected to change his/her password, and will be required to re-enter the current password and create a new password that complies with the rules.
- Forgot Password link: Requires a valid user name. The user will be redirected and required to enter the email address associated with his/her account. A temporary password is sent only if the email address provided matches the one on record.
- Forgot User Name link: Does not require any input on the Login page. The user will be redirected and required to enter the email address associated with his/her account(s). An email listing the user name(s) is sent only if the email address provided matches the one on record.

Change Password Rules and Functionality
A user will be required to change his/her password when attempting to login under the following circumstances:
- Password has expired.
- A temporary password has been issued.
- The user clicks on the “Reset Password” button on the Login page.
The user will be redirected to the change-password page shown below.

New Password Creation Requirements and Rules
Several rules apply when the user attempts to create his/her new password. The minimum required combination of characters is displayed on the screenshot above.
- The new password must meet a minimum length. This length is configurable, and the length requirement will be displayed on the screen if the new password fails to meet it.
- The new password cannot contain more than two identical consecutive characters, e.g. “ff” is allowed but “fff” is not.
- If the new password appears on an optional, configurable black list, the user will be advised and must choose a different password.
- Finally, the new password must not be one that was previously used. A more detailed explanation of password history control can be found later in this document.
Please refer to screenshots below showing all error messages accordingly.

Once the password has been successfully changed, the user will be advised to login with the new credentials. In addition, if an email address is on record, the user will receive an email notification about the password change within minutes. Please refer to the screenshots below.

Password Expiration Rules
A password’s expiration date/time is calculated when the new password is created, and the password is considered expired once that date/time has passed. If there is no expiration record for the user, this is the first time the user is attempting to login since the password enhancement release, and he/she will be required to change the password. Temporary passwords are treated as expired on the first attempt to use them, and the user is required to change them.
Password History Control
Previously used passwords for each user will be encrypted and stored. The number of passwords to keep is configurable and defaults to ten if no configuration is found. Every time the user changes his/her password, the oldest password in the list is removed to make room for the former password.
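The following is an added example, not AFFIRM code, showing how the creation rules under “New Password Creation Requirements and Rules” and the history control above fit together in one check. The page says previous passwords are encrypted and stored; the example keeps a salted PBKDF2 hash of each one instead, so a candidate can be compared without keeping recoverable passwords. The minimum length of 8, the black list contents and the PBKDF2 round count are assumptions; only the history size of ten is taken from the page.

```python
# Added example (not AFFIRM code): a password-policy checker modelled on the
# rules described in this document. MIN_LENGTH, BLACKLIST and PBKDF2_ROUNDS are
# assumptions; HISTORY_SIZE is the page's default of ten.
import hashlib
import os
from collections import deque

MIN_LENGTH = 8            # assumed; the page says the length is configurable
MAX_REPEAT = 2            # "ff" is allowed, "fff" is not
HISTORY_SIZE = 10         # page default when no configuration is found
BLACKLIST = {"password", "welcome1", "affirm123"}   # constructed sample list
PBKDF2_ROUNDS = 20_000    # assumed; raise for production

MESSAGES = {
    "too_short": f"The new password must be at least {MIN_LENGTH} characters long.",
    "repeated_chars": f"The new password cannot contain more than {MAX_REPEAT} identical consecutive characters.",
    "blacklisted": "The new password is not allowed. Please choose a different password.",
    "in_history": "The new password was used previously. Please choose a different password.",
}


def has_too_many_repeats(pw, max_repeat=MAX_REPEAT):
    """True if any character appears more than max_repeat times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_repeat:
            return True
    return False


def hash_password(pw, salt=None):
    """Salted one-way hash so stored history entries cannot be reversed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordHistory:
    """Keeps the last HISTORY_SIZE passwords; the oldest is dropped on overflow."""

    def __init__(self, size=HISTORY_SIZE):
        self.entries = deque(maxlen=size)   # (salt, digest) pairs, oldest first

    def contains(self, pw):
        # Re-hash the candidate under each stored salt and compare digests.
        return any(hash_password(pw, salt)[1] == digest for salt, digest in self.entries)

    def remember(self, pw):
        self.entries.append(hash_password(pw))  # deque evicts the oldest entry


def check_new_password(pw, history, blacklist=BLACKLIST):
    """Return the list of rule codes the candidate violates (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if has_too_many_repeats(pw):
        problems.append("repeated_chars")
    if pw.lower() in blacklist:
        problems.append("blacklisted")
    if history.contains(pw):
        problems.append("in_history")
    return problems


def change_password(pw, history, blacklist=BLACKLIST):
    """Apply the rules; on success record the accepted password in the history.
    Recording each accepted password here is equivalent to recording the
    former password at the next change, as the page describes."""
    problems = check_new_password(pw, history, blacklist)
    if not problems:
        history.remember(pw)
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ("short", "Apple!!!2024", "Password", "Orchard-2024x"):
        result = [MESSAGES[c] for c in change_password(candidate, h)]
        print(candidate, "->", result or "accepted")
```

Each violated rule is reported as a code that maps to the user-facing message, so the screen can show every failing rule at once rather than only the first one.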
User Account Provisioning
There are three cases when a user account will be provisioned:
- A user has requested a change of password via the self-service feature “Forgot Password” link.
- A new user account has been created.
- A user’s password has been reset by Support.
In all three cases a temporary, randomly generated password will be sent via email.

When the user attempts to login with this temporary password, the application will redirect the user to change his/her password right away.
Temporary passwords are valid for a limited time frame. If the temporary password has expired by the time the user attempts to login, then on the attempt to change the password the user will be advised to request a new password via the “Forgot Password” link.

Forgot User Name
When the user clicks the “Forgot User Name” link, the user will be redirected to enter the email address associated with the user’s account(s). If the user enters a badly formatted email address, or there are no user names associated with the email address in our system, the same message will display stating that the email address is invalid, so the response does not reveal whether the address is known. If one or more user names are found, an email will be sent within minutes with the user name(s).

Reset Password
When the user clicks the “Reset Password” button, the user will be redirected to change his/her password, provided that the user name and password combination was correct. The user will then be able to change the password if all conditions stated in the sections “Change Password Rules and Functionality” and “New Password Creation Requirements and Rules” earlier in this document are met.
Forgot Password
When the user clicks the “Forgot Password” link, the user will be redirected to enter the email address associated with the user’s account. If the user enters a badly formatted email address, an email address that does not match our records, or there is no email address in our records, the same message will display stating that the email address is invalid. If the user entered the correct email address, an email will be sent with the temporary password. Please refer to the screenshot below.

There is a limit to how often a user is allowed to change his/her password via the self-service “Forgot Password” and “Reset Password” features. This limit is configurable and defaults to fifteen days if no configuration is found.
When the limit is reached the user will be advised with the message shown on the screenshot above. In this case the only way for the user to change his/her password is by calling Support.
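The following is an added example, not AFFIRM code, that models the temporary-password lifecycle from “User Account Provisioning” together with the “Forgot Password” email check and the self-service frequency limit in this section. Times are Unix seconds. The 24-hour temporary-password lifetime, the 12-character length and the SHA-256 storage of the temporary password are assumptions; the fifteen-day default is taken from the page.

```python
# Added example (not AFFIRM code): temporary-password issue, use and expiry,
# plus the self-service frequency limit. TEMP_PASSWORD_TTL, the password
# length and the storage form are assumptions; SELF_SERVICE_INTERVAL is the
# page's fifteen-day default.
import hashlib
import hmac
import secrets
import string

DAY = 24 * 3600
TEMP_PASSWORD_TTL = 1 * DAY              # assumed "limited time frame"
SELF_SERVICE_INTERVAL = 15 * DAY         # page default: fifteen days
TEMP_ALPHABET = string.ascii_letters + string.digits


class Account:
    def __init__(self, email):
        self.email = email.strip().lower()   # address on record
        self.temp_hash = None                # hash of the outstanding temporary password
        self.temp_expires_at = None          # Unix time after which it no longer works
        self.last_self_service_at = None     # last change via Forgot/Reset Password


def _digest(pw):
    # Random 12-character temporary passwords are short-lived; a plain SHA-256
    # is used here for brevity (example choice, not the product's).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def issue_temporary_password(acct, now, length=12):
    """Support reset or new account: generate, store the hash, return the value to email."""
    pw = "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))
    acct.temp_hash = _digest(pw)
    acct.temp_expires_at = now + TEMP_PASSWORD_TTL
    return pw


def self_service_change_allowed(acct, now):
    """Forgot/Reset Password may be used once per SELF_SERVICE_INTERVAL."""
    last = acct.last_self_service_at
    return last is None or now - last >= SELF_SERVICE_INTERVAL


def forgot_password(acct, supplied_email, now):
    """Returns (status, temp_password). Bad format, mismatch and no address on
    record all yield the same 'invalid_email' so nothing is revealed."""
    supplied = supplied_email.strip().lower()
    if "@" not in supplied or "." not in supplied or supplied != acct.email:
        return "invalid_email", None
    if not self_service_change_allowed(acct, now):
        return "limit", None          # user must call Support
    return "sent", issue_temporary_password(acct, now)


def login_with_temporary_password(acct, supplied, now):
    """'change_required': valid, redirect to the change-password page.
    'expired': advise the user to request a new one via Forgot Password.
    'rejected': nothing outstanding or the value does not match."""
    if acct.temp_hash is None:
        return "rejected"
    if not hmac.compare_digest(acct.temp_hash, _digest(supplied)):
        return "rejected"
    if now >= acct.temp_expires_at:
        return "expired"
    return "change_required"


def complete_self_service_change(acct, now):
    """Called after the new password passed the creation rules."""
    if not self_service_change_allowed(acct, now):
        return False
    acct.temp_hash = None             # a used temporary password is invalidated
    acct.temp_expires_at = None
    acct.last_self_service_at = now
    return True
```

The email comparison is made before the frequency check so that a wrong address always gets the same “invalid” response regardless of the account’s state.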
New User Account Creation
When a new user is created by Support, the user will receive two emails at the email address provided, containing the user name created and a temporary password.

When the user attempts to login with these credentials then the flow for “User Account Provisioning” explained earlier on this document will take effect.
Reset User Password by Support
When a user contacts Support to have his/her password reset, the email address on record will be verified (and updated if needed) and a temporary password will be sent within minutes.

Failed Login and Password Management Attempts
Failed attempts are tracked, and once the maximum has been reached the user account will be locked out. A message will be displayed to the user, and he/she will have neither access to Affirm nor the ability to reset his/her password via the self-service tools. At this point the user should contact Support, unless the user knows that his/her account is set up for automatic unlock.
Definition of Failed Attempts
The following actions will add to the failed attempts counter:
- Entering the wrong password in the Login page.
- Entering an email address that does not match our records when requesting a password reset via the “Forgot Password” link. Badly formatted email addresses (e.g. missing “@” or “.”) are not counted as a failed attempt.
- Entering the wrong Current Password on the “Current Password” field on the password change page.
- Entering a password that is part of the password history list as your new password.
- Attempting to login with an expired password, including an expired temporary password.
Account Locked Out and Auto Unlock
When the maximum number of failed attempts has been reached the account will be locked out. This prevents access to Affirm as well as the ability to request a new password using the “Forgot Password” and “Reset Password” links on the Login page. The account will remain locked out until the user contacts Support or the account auto unlocks itself.
The ability for an account to auto unlock is configurable, and the decision to set it up is based on the client’s arrangement with their project managers. If approved and implemented, the client and users will be provided with the mechanism details. A time frame is established in the configuration, and once that time has transpired the user regains the ability to attempt to login and/or use the password management self-service tools, even if the user remains on the same session.
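The following is an added example, not AFFIRM code, that implements the failed-attempt counter, lock-out and auto unlock described in this section. Times are Unix seconds. The maximum of five attempts and the thirty-minute auto-unlock window are assumptions (the page leaves both to configuration), as is resetting the counter on a successful login.

```python
# Added example (not AFFIRM code): failed-attempt tracking with lock-out and
# optional auto unlock. MAX_FAILED_ATTEMPTS and AUTO_UNLOCK_AFTER are assumed
# values; the page says both are configurable.
MAX_FAILED_ATTEMPTS = 5
AUTO_UNLOCK_AFTER = 30 * 60   # seconds; None means only Support can unlock

# Actions the page lists as counting toward the failed-attempt counter.
COUNTED_ACTIONS = {
    "wrong_login_password",
    "forgot_password_email_mismatch",
    "wrong_current_password",
    "new_password_in_history",
    "expired_password_login",       # includes an expired temporary password
}
# Listed as not counted: a badly formatted email address (missing "@" or ".").
IGNORED_ACTIONS = {"malformed_email"}


class LockoutState:
    def __init__(self, auto_unlock_after=AUTO_UNLOCK_AFTER, max_failed=MAX_FAILED_ATTEMPTS):
        self.auto_unlock_after = auto_unlock_after
        self.max_failed = max_failed
        self.failed = 0
        self.locked_at = None

    def is_locked(self, now):
        """Lock state at time `now`, applying auto unlock once the window has passed.
        Evaluated on every request, so an open session neither extends nor
        shortens the lock."""
        if self.locked_at is None:
            return False
        if self.auto_unlock_after is not None and now - self.locked_at >= self.auto_unlock_after:
            self.unlock()
            return False
        return True

    def record_failure(self, action, now):
        """Count the action if it is a defined failed attempt; return the lock state."""
        if action in IGNORED_ACTIONS:
            return self.is_locked(now)
        if action not in COUNTED_ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if self.is_locked(now):
            return True                 # already locked; nothing more to count
        self.failed += 1
        if self.failed >= self.max_failed:
            self.locked_at = now
        return self.is_locked(now)

    def record_success(self):
        """Assumption: a successful login clears the counter."""
        self.failed = 0

    def unlock(self):
        """Support unlock or auto unlock: clear the lock and the counter."""
        self.failed = 0
        self.locked_at = None

    def may_login(self, now):
        return not self.is_locked(now)

    def may_use_self_service(self, now):
        """Forgot Password and Reset Password are blocked while locked out."""
        return not self.is_locked(now)
```

Because the lock is checked against the current time on each request, an account configured without auto unlock stays locked until Support calls `unlock()`, while one configured with a window clears itself on the first request after the window has elapsed.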
