Discussion

Feature Request: LFDS Password reset by email and modified verbiage

posted on April 4, 2022

Hello,

We have a couple different systems/processes where we create Laserfiche User accounts in LFDS for external users to log into things like WebLink or Laserfiche Forms.

One of the most common "issues" is that users will contact us saying that the password reset link isn't being sent to them and from what I can tell this is happening because of user error; they try entering their email address rather than their actual username, type it wrong, etc.

What further complicates things is that after you enter a login or email on the password reset page, you see the "An email has been sent to your account." message even if you entered invalid information.

This creates a lot of confusion for our external users so I've modified the STS pages for our external site to try and add some clarification, but I have to re-do those changes whenever we update.

I think it would be beneficial to make a couple of changes to the behavior:

1) Allow passwords to be reset with username OR email address.

This is a fairly common option which is why I think people tend to default to their email and it would be helpful if LFDS would just send the reset link and a reminder of the actual login name as long as the email they enter is associated with a valid account.

EDIT: As Samuel Carson points out below, this may not be the ideal solution because, with good reason, the system does not enforce uniqueness on the email address tied to LFDS accounts meaning you can easily have a 1:many on reverse lookups.

2) Change the message displayed after requesting a password reset.

The current message can give the implication that it is always successful and that there must be some other issue at play when what really happened is that they entered a bad username from the start.

Updating the verbiage to clarify that a link will only be sent if a valid account is found could help alleviate that to some degree, since some people even sent in a screenshot of that to back up their claim of "see, it said it worked but I never got the email".

Really it could go either way on this one, because some sites/apps will tell you upfront if there's no account matching what you enter, which can be helpful but would probably require attempt limits to prevent account testing. Other sites/apps will simply show an "if the information is valid..." kind of message without confirming one way or the other, which leaves the users a little unsure but is the more secure approach.

0 0
replied on April 4, 2022

Hi Jason,

I went ahead and filed feature request "DS-I-67" for this. Note that we don't show a prompt saying that password reset failed for a non-existent user for security reasons, but we could implement safeguards to allow incorrect username/email feedback in the future as you mentioned.

1 0
replied on April 4, 2022

I completely understand. Even telling someone that an account doesn't exist can inadvertently help attackers who are testing for a valid account.

I think the ability to reset by entering the account's email rather than just the login would be the more important/beneficial feature overall.

1 0
replied on April 4, 2022

To the best of my knowledge, LFDS does not enforce uniqueness checks/1:1 relationships between usernames and emails. It's not uncommon for, say, multiple service accounts to all have a shared inbox like "it-admins@example.com" as their email address. I'd be hesitant to have a reverse lookup on email that could be 1:many for password resets.

Jason/Chase, thoughts?

2 0
replied on April 4, 2022

@████████ that is a very good point and something I hadn't considered.

I do actually have a few service accounts that share an email address so I can see where the reverse lookup could cause issues.

Is there any chance we could just make logins that are email addresses for non-LDAP users since that would also address the confusion?

I'm not sure what other implications that might have, but if we could let external users log in with an email address, it would make life easier for everyone involved.

Currently, you can't use the @ symbol in a Laserfiche username, and I can understand why there would be reasons for that limitation, but if there's a way to mitigate that it could be worthwhile.

The end goal is to make things easier on our external users and avoid confusion over username vs email so anything that accomplishes that would be helpful.

0 0
replied on April 4, 2022

@████████ Good catch, that is true.

Maybe we could parse the reset requests to make sure no invalid characters are being used, and remind the user to enter their username. I don't think we want to expand the username character set at this time.

1 0
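As an added illustration (not code from Laserfiche or from anyone in this thread) of the two ideas discussed above: the reset page shows the same neutral message whether or not the account exists, and a format hint is shown when the input contains "@", derived from the submitted string alone so it reveals nothing about the directory. The sample account store, the username character set and the message wording are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample user store standing in for LFDS (hypothetical data).
# Note the shared inbox: email -> username is 1:many, as pointed out in the thread.
ACCOUNTS = {
    "jsmith": "jsmith@example.com",
    "svc-forms": "it-admins@example.com",
    "svc-weblink": "it-admins@example.com",
}

# Assumed username character set; the thread only establishes that "@" is not allowed.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Shown for every request, so the response never confirms whether an account exists.
NEUTRAL_MESSAGE = ("If the information you entered matches a valid account, "
                   "a password reset link has been sent to its email address.")


@dataclass
class ResetOutcome:
    message: str                      # what the user sees; identical in every case
    hint: Optional[str]               # computed from the input string only, never from the store
    emails_to_send: List[str] = field(default_factory=list)  # server-side only, never shown


def request_reset(identifier: str, accounts=ACCOUNTS) -> ResetOutcome:
    """Handle one password-reset request with an enumeration-safe response."""
    identifier = identifier.strip()
    if "@" in identifier:
        # Remind the user that logins are not email addresses. No reverse lookup by
        # email is attempted, because several accounts may share one address.
        hint = "Usernames cannot contain '@'. Please enter your login name, not your email address."
        return ResetOutcome(NEUTRAL_MESSAGE, hint)
    if not USERNAME_RE.fullmatch(identifier):
        return ResetOutcome(NEUTRAL_MESSAGE, "Your login name contains characters that are not allowed.")
    email = accounts.get(identifier)
    if email is None:
        # Unknown user: same message, no hint, nothing sent.
        return ResetOutcome(NEUTRAL_MESSAGE, None)
    # Known user: queue the email for asynchronous delivery so response timing stays uniform.
    return ResetOutcome(NEUTRAL_MESSAGE, None, [email])


def accounts_sharing_email(email: str, accounts=ACCOUNTS) -> List[str]:
    """Show why a reverse lookup by email is ambiguous: all usernames tied to one address."""
    return sorted(u for u, e in accounts.items() if e.lower() == email.lower())
```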