Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Ayesha Dissanayaka
Hi,

The actual requirement of this feature is that administrators should be
able to enforce a password reset action for users before they authenticate to
the system. [1] explains the similar feature in IS 5.3.0.

Most of the confusion arises from calling this passcode an OTP. Rather, AFAIK
this is an admin-generated passcode, not a password that a user can use to
authenticate to the system.
Once an admin initiates this flow for a particular user, then when someone
tries to log in to the system with the account's current password, they do not get
authenticated; instead they are asked to provide the passcode. When the user provides the
correct passcode, they will be asked to reset the password. Without resetting
the password they cannot continue to log in to the system.

On Thu, Mar 16, 2017 at 9:31 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Why should we allow multiple OTPs for a particular user at a given time?
> Can't we keep only one valid OTP for a user at a given time and override
> it at the point of creating a new one?


> +1. Let's keep only one valid OTP.

> How do you plan to access the content in this table from the authentication
> flow?
>
> What I wanted to point out is that this OTP is another credential for the user. So
> we should store it in a "credential store" which is introduced with the new user
> core.
>
>

> It's clear this can be used only one time, but what is the scope of this OTP?
> Can this only be used to log in to the user portal, or can this OTP be used for
> any other purpose (for example, say, a login to generate a SAML token in an SSO
> story)?
>

> Actually in this implementation we have not considered this as a password.
> Though we used the word OTP, it is a kind of code. By using this code the
> user can create a new password but cannot log in to any portal or
> perform any task in IS. So this is not actually a credential for the user.
+1

> In some cases an identity admin needs to set a validity period on the OTP, so IMO we
> need to support time-based validity.
>


> I too have the same concern. What is the idea behind allowing multiple
> OTPs at any point of time? Isn't the usual practice to keep only the latest
> OTP active?
>

> +1. Let's add a time-based validity period.

Already time-based code expiration is there for recovery table entries.

On Thu, Mar 16, 2017 at 10:17 AM, Gayan Gunawardana  wrote:

> Due to some network issue or mail server issue, if the user doesn't receive the
> second OTP, in that case the user experience is not so good. I do not see a
> problem with having multiple valid OTPs at a given time. What needs to be done
> is all should be invalidated if the user consumes at least one.

In this case the user should be given the option to re-receive a new code (e.g.
maybe a message to contact an admin to do so, or a redirect to the self-service
portal).

Thanks!
-Ayesha


-- 
*Ayesha Dissanayaka*
Senior Software Engineer,
WSO2, Inc : http://wso2.com

20, Palm grove Avenue, Colombo 3
E-Mail: aye...@wso2.com 
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
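
The flow described in this thread (an admin-issued passcode, no authentication with the current password while the reset is pending, a passcode that only unlocks setting a new password, either a single valid code or several that are all invalidated once one is consumed, and a time-based validity period) as a small Python model. This is an added example, not WSO2 Identity Server code: `IdentityStore`, `Account`, `ResetCode` and the method names are hypothetical stand-ins for the user store and the IDN_RECOVERY_DATA table, the plain SHA-256 digest stands in for a proper password KDF, and the sample accounts at the bottom are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _digest(value: str) -> bytes:
    # Placeholder for a real password KDF (argon2/bcrypt); enough to show that
    # neither passwords nor reset codes are stored in the clear.
    return hashlib.sha256(value.encode("utf-8")).digest()


@dataclass
class ResetCode:
    code_hash: bytes
    expires_at: float
    used: bool = False


@dataclass
class Account:
    username: str
    password_hash: bytes
    force_reset: bool = False      # an admin has initiated the forced reset
    code_verified: bool = False    # the user has proven possession of a code
    reset_codes: list = field(default_factory=list)


class IdentityStore:
    """Hypothetical stand-in for the user store plus the recovery-data table."""

    def __init__(self, single_valid_code=True, validity_seconds=900, now=time.time):
        self.single_valid_code = single_valid_code   # newest code overrides, or all stay valid
        self.validity_seconds = validity_seconds     # time-based expiry of a code
        self.now = now                               # injectable clock for tests
        self.accounts = {}

    def create_account(self, username, password):
        self.accounts[username] = Account(username, _digest(password))

    def admin_force_reset(self, username) -> str:
        """Admin action: issue a passcode and block normal logins until the reset is done."""
        acct = self.accounts[username]
        code = secrets.token_urlsafe(12)   # random; deliberately not subject to password policy
        if self.single_valid_code:
            acct.reset_codes.clear()       # only the latest code stays valid
        acct.reset_codes.append(ResetCode(_digest(code), self.now() + self.validity_seconds))
        acct.force_reset = True
        acct.code_verified = False
        return code                        # shown once to the admin; only its hash is kept

    def login(self, username, password) -> str:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, _digest(password)):
            return "DENIED"                # a reset code is never a login credential
        if acct.force_reset:
            return "RESET_REQUIRED"        # correct password alone no longer authenticates
        return "OK"

    def verify_reset_code(self, username, code) -> bool:
        """Accept one unexpired, unused code; consuming it invalidates every code for the user."""
        acct = self.accounts.get(username)
        if acct is None or not acct.force_reset:
            return False
        candidate = _digest(code)
        now = self.now()
        matched = False
        for c in acct.reset_codes:         # no early exit, so timing does not depend on position
            if not c.used and c.expires_at > now and hmac.compare_digest(c.code_hash, candidate):
                matched = True
        if matched:
            for c in acct.reset_codes:
                c.used = True
            acct.code_verified = True
        return matched

    def complete_reset(self, username, new_password) -> bool:
        """The only thing a verified code unlocks: setting a new password."""
        acct = self.accounts.get(username)
        if acct is None or not acct.code_verified:
            return False
        acct.password_hash = _digest(new_password)
        acct.force_reset = False
        acct.code_verified = False
        acct.reset_codes.clear()
        return True


if __name__ == "__main__":
    # Constructed sample account, not real data.
    store = IdentityStore()
    store.create_account("alice", "Old-Pass-1")
    code = store.admin_force_reset("alice")
    print(store.login("alice", "Old-Pass-1"))           # RESET_REQUIRED
    print(store.verify_reset_code("alice", code))       # True
    print(store.complete_reset("alice", "New-Pass-2"))  # True
    print(store.login("alice", "New-Pass-2"))           # OK
```

The `single_valid_code` flag switches between the two policies debated in the thread: with it set, generating a new code overrides the previous one; with it cleared, several codes stay valid until the first is consumed, which marks all of them used. In both modes the code is stored hashed, compared in constant time, expires after `validity_seconds`, and is never accepted by `login()`; a code only unlocks `complete_reset()`. Checking the password before reporting `RESET_REQUIRED` is a deliberate choice so that the pending-reset state is not revealed to someone who does not hold the current password.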


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Gayan Gunawardana
On Thu, Mar 16, 2017 at 9:31 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
>> Why should we allow multiple OTPs for a particular user at a given time?
>> Can't we keep only one valid OTP for a user at a given time and override
>> it at the point of creating a new one?
>
>
> +1. Let's keep only one valid OTP.
>
Due to some network issue or mail server issue, if the user doesn't receive the
second OTP, in that case the user experience is not so good. I do not see a
problem with having multiple valid OTPs at a given time. What needs to be done
is all should be invalidated if the user consumes at least one.
@Johann
WDYT?

>
>> How do you plan to access the content in this table from the
>> authentication flow?
>>
>> What I wanted to point out is that this OTP is another credential for the user.
>> So we should store it in a "credential store" which is introduced with the new
>> user core.
>>
>
>> It's clear this can be used only one time, but what is the scope of this
>> OTP? Can this only be used to log in to the user portal, or can this OTP be used
>> for any other purpose (for example, say, a login to generate a SAML token in an
>> SSO story)?
>>
>
> Actually in this implementation we have not considered this as a password.
> Though we used the word OTP, it is a kind of code. By using this code the
> user can create a new password but cannot log in to any portal or
> perform any task in IS. So this is not actually a credential for the user.
>
>> In some cases an identity admin needs to set a validity period on the OTP, so IMO we
>> need to support time-based validity.
>>
>
>
>> I too have the same concern. What is the idea behind allowing multiple
>> OTPs at any point of time? Isn't the usual practice to keep only the latest
>> OTP active?
>>
>
> +1. Let's add a time-based validity period.
>

-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Hasanthi Purnima Dissanayake
Hi All,

> Why should we allow multiple OTPs for a particular user at a given time?
> Can't we keep only one valid OTP for a user at a given time and override
> it at the point of creating a new one?


+1. Let's keep only one valid OTP.

> How do you plan to access the content in this table from the authentication
> flow?
>
> What I wanted to point out is that this OTP is another credential for the user. So
> we should store it in a "credential store" which is introduced with the new user
> core.
>

> It's clear this can be used only one time, but what is the scope of this OTP?
> Can this only be used to log in to the user portal, or can this OTP be used for
> any other purpose (for example, say, a login to generate a SAML token in an SSO
> story)?
>

Actually in this implementation we have not considered this as a password.
Though we used the word OTP, it is a kind of code. By using this code the
user can create a new password but cannot log in to any portal or
perform any task in IS. So this is not actually a credential for the user.

> In some cases an identity admin needs to set a validity period on the OTP, so IMO we
> need to support time-based validity.
>


> I too have the same concern. What is the idea behind allowing multiple
> OTPs at any point of time? Isn't the usual practice to keep only the latest
> OTP active?
>

+1. Let's add a time-based validity period.

Thanks,




Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 



Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Farasath Ahamed
On Wednesday, March 15, 2017, Dilan Udara Ariyaratne 
wrote:

>
> On Tue, Mar 14, 2017 at 11:08 AM, Gayan Gunawardana  > wrote:
>
>>
>>
>> On Tue, Mar 14, 2017 at 10:58 AM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com >
>> wrote:
>>
>>> Hi all,
>>>
>>> We are in the process of implementing Admin Forced Password Reset via
>>> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
>>> The wireframe design for the UI is found at [1].
>>>
>>> Admin can select a user and generate a password for the selected user.
>>> This generated password is an OTP.
>>>
>>> This OTP is:
>>> 1. Does not adhere to any password policy.
>>> 2. There is no validity period.
>>> 3. Once this OTP is used it expires.
>>> 4. Not considered like a normal password, and we are going to store it in
>>> the IDN_RECOVERY_DATA table.
>>>
>> If the admin generates two or more OTPs, what is the behavior?
>> Are all valid or only the last one?
>> Suppose there are two and we consume only the first one; in that case does it
>> invalidate the second one?
>>
>
> Why should we allow multiple OTPs for a particular user at a given time?
> Can't we keep only one valid OTP for a user at a given time and override
> it at the point of creating a new one?
>

I too have the same concern. What is the idea behind allowing multiple OTPs
at any point of time? Isn't the usual practice to keep only the latest OTP
active?




-- 
*A.Farasath Ahamed*
Software Engineer | WSO2 Inc.
Mobile: +94 777 603 866
Blog: blog.farazath.com
E-Mail: mefaraz...@gmail.com


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Sagara Gunathunga
On Wed, Mar 15, 2017 at 8:37 PM, Darshana Gunawardana 
wrote:

>
> On Tue, Mar 14, 2017 at 10:58 AM Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are in the process of implementing Admin Forced Password Reset via
>> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
>> The wireframe design for the UI is found at [1].
>>
>> Admin can select a user and generate a password for the selected user.
>> This generated password is an OTP.
>>
>> This OTP is:
>>
>
It's clear this can be used only one time, but what is the scope of this OTP?
Can this only be used to log in to the user portal, or can this OTP be used for
any other purpose (for example, say, a login to generate a SAML token in an SSO
story)?



>> 1. Does not adhere to any password policy.
>>
>
Thinking from a customer's POV, can we assume the above constraint?


>> 2. There is no validity period.
>>
>
In some cases an identity admin needs to set a validity period on the OTP, so IMO we
need to support time-based validity.


>> 3. Once this OTP is used it expires.
>> 4. Not considered like a normal password, and we are going to store it in
>> the IDN_RECOVERY_DATA table.
>>
>
> How do you plan to access the content in this table from the
> authentication flow?
>
> What I wanted to point out is that this OTP is another credential for the user. So
> we should store it in a "credential store" which is introduced with the new
> user core.
>

+1. Given the fact that we have a specially designed credential store, we
should use it to store any user-related credentials.


Thanks !


>
>
>>
>> [1] https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png
>>

-- 
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Darshana Gunawardana
On Tue, Mar 14, 2017 at 10:58 AM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi all,
>
> We are in the process of implementing Admin Forced Password Reset via
> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
> The wireframe design for the UI is found at [1].
>
> Admin can select a user and generate a password for the selected user.
> This generated password is an OTP.
>
> This OTP is:
> 1. Does not adhere to any password policy.
> 2. There is no validity period.
> 3. Once this OTP is used it expires.
> 4. Not considered like a normal password, and we are going to store it in
> the IDN_RECOVERY_DATA table.
>

How do you plan to access the content in this table from the authentication
flow?

What I wanted to point out is that this OTP is another credential for the user. So
we should store it in a "credential store" which is introduced with the new user
core.


>
> [1]
> https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png
>
-- 
Regards,


*Darshana Gunawardana*Associate Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com *
*Mobile: +94718566859*Lean . Enterprise . Middleware


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-15 Thread Dilan Udara Ariyaratne
On Tue, Mar 14, 2017 at 11:08 AM, Gayan Gunawardana  wrote:

>
>
> On Tue, Mar 14, 2017 at 10:58 AM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are in the process of implementing Admin Forced Password Reset via
>> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
>> The wireframe design for the UI is found at [1].
>>
>> Admin can select a user and generate a password for the selected user.
>> This generated password is an OTP.
>>
>> This OTP is:
>> 1. Does not adhere to any password policy.
>> 2. There is no validity period.
>> 3. Once this OTP is used it expires.
>> 4. Not considered like a normal password, and we are going to store it in
>> the IDN_RECOVERY_DATA table.
>>
> If the admin generates two or more OTPs, what is the behavior?
> Are all valid or only the last one?
> Suppose there are two and we consume only the first one; in that case does it
> invalidate the second one?
>

Why should we allow multiple OTPs for a particular user at a given time?
Can't we keep only one valid OTP for a user at a given time and override
it at the point of creating a new one?

>
>> [1] https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-13 Thread Nuwandi Wickramasinghe
On Tue, Mar 14, 2017 at 11:25 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Gayan
>
>> If admin generates two or more OTPs, what is the behavior ?
>> All valid or last one valid ?
>
>
> In such a situation all OTPs are considered as valid.
>
> On Tue, Mar 14, 2017 at 11:08 AM, Gayan Gunawardana 
> wrote:
>
>>
>>
>> On Tue, Mar 14, 2017 at 10:58 AM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> We are in the process of implementing Admin Forced Password Reset via
>>> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
>>> The wireframe design for the UI is found at [1].
>>>
>>> Admin can select a user and generate a password for the selected user.
>>> This generated password is an OTP.
>>>
>>> This OTP is:
>>> 1. Does not adhere to any password policy.
>>> 2. There is no validity period.
>>> 3. Once this OTP is used it expires.
>>> 4. Not considered like a normal password, and we are going to store it in
>>> the IDN_RECOVERY_DATA table.
>>>
>> If the admin generates two or more OTPs, what is the behavior?
>> Are all valid or only the last one?
>> Suppose there are two and we consume only the first one; in that case does it
>> invalidate the second one?
>>
We need to invalidate all the past OTPs once the user consumes one of the
OTPs.

>
>>> [1] https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png


-- 

Best Regards,

Nuwandi Wickramasinghe

Software Engineer

WSO2 Inc.

Web : http://wso2.com

Mobile : 0719214873


Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-13 Thread Hasanthi Purnima Dissanayake
Hi Gayan

> If the admin generates two or more OTPs, what is the behavior?
> Are all valid or only the last one?


In such a situation all OTPs are considered valid.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 



Re: [Architecture] [C5][IS 6.0.0]Admin Forced Password Reset Via Offline for Existing Users

2017-03-13 Thread Gayan Gunawardana
On Tue, Mar 14, 2017 at 10:58 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi all,
>
> We are in the process of implementing Admin Forced Password Reset via
> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
> The wireframe design for the UI is found at [1].
>
> Admin can select a user and generate a password for the selected user.
> This generated password is an OTP.
>
> This OTP is:
> 1. Does not adhere to any password policy.
> 2. There is no validity period.
> 3. Once this OTP is used it expires.
> 4. Not considered like a normal password, and we are going to store it in
> the IDN_RECOVERY_DATA table.
>
If the admin generates two or more OTPs, what is the behavior?
Are all valid or only the last one?
Suppose there are two and we consume only the first one; in that case does it
invalidate the second one?

>
> [1] https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933