Password and PIN expire

Jason Luttgens

Apr 5, 2013, 1:24:57 PM4/5/13
to rcdevs-t...@googlegroups.com
Hello,

Is there a way to configure the LDAP password or the new PIN feature to expire and require user reset?

Also, enabling the users to change their PIN or password on the self-help website allows the user to also change their authentication methods - this is undesirable since they could choose a method that compromises security.

Thanks,
Jason

Jason Luttgens

Apr 5, 2013, 1:26:09 PM4/5/13
to rcdevs-t...@googlegroups.com
Sorry, I should have elaborated on "expire". I mean expire on a designated interval - 30 days, 60 days, etc.

Administrators

Apr 5, 2013, 1:40:42 PM4/5/13
to RCDevs Security Solutions - Technical
LDAP expiration is a feature of the LDAP server - not OpenOTP.
PIN (OTP Prefix) expiration was not considered because the PIN is here
only to prevent the usage of an OTP Token by an unauthorized person.
PIN is never used standalone but only together with the OTP. It is
also an additional protection.
You can use LDAP + PIN + OTP with LDAP expiration if your AD/LDAP
allows it.

There is an update of OpenOTP to be released next week which corrects
the problem you address with PIN change in self-service...

Jason Luttgens

Apr 5, 2013, 1:48:52 PM4/5/13
to rcdevs-t...@googlegroups.com
Ok, so using the RcDevs directory server, the password expiration policy can be set somewhere? I was mainly asking because I can set password length and complexity in OpenOTP...so it seemed like expiration was missing.

On the PIN issue, I understand it's an extra layer, but it also seems like that layer is degraded if a user is never forced to change it. I was thinking of a solution like RSA ACE PIN+Token, where it is common practice to set the PIN to expire every so many days.

Administrators

Apr 8, 2013, 3:58:53 AM4/8/13
to RCDevs Security Solutions - Technical
For LDAP password expiration, there is an option in OpenOTP Password
Policy (Password Max Age).
Yet, it is not recommended to use it because the ppolicy is for
everyone in OpenOTP and also applies to application accounts (ex.
WebADM Proxy Account).
If you activate this, please configure the WebADM proxy user to use the
default OpenLDAP admin account (cn=admin,or=root) which does not
expire by default. All the other users will have password expiration.

Problem is: OpenOTP does not detect expired passwords. So the user cannot
log in without knowing the password expired.
We will work on this...

The PIN expiration option was discussed here and rejected because:
- LDAP (ex. AD) & PIN expirations are too complex for the users.
- PIN is an extra layer to OTP which was secure enough already. The PIN
just prevents stolen tokens from being used.
- The whole password being PIN+OTP, none of the known attacks may break
security.

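The gap the reply above describes (OpenOTP at the time not detecting an expired LDAP password, so the user fails login without knowing why) can be closed on the side that talks to the directory. The following is an added example, not RCDevs, OpenOTP or WebADM code. It assumes the directory runs the OpenLDAP ppolicy overlay, which stamps each entry with the operational attribute pwdChangedTime (an LDAP GeneralizedTime) and sets pwdReset when an administrator forces a change; the 60-day maximum age, the 7-day warning window, the exempt DN cn=admin,o=root (mirroring the advice to keep the proxy account out of the expiring population) and all entries are constructed for the example.

```python
"""Password-age check over OpenLDAP ppolicy attributes (added example, not OpenOTP code).

Assumes the ppolicy overlay maintains pwdChangedTime / pwdReset on each entry.
The policy values and sample entries below are constructed, not read from any directory.
"""
from datetime import datetime, timezone

DAY = 24 * 3600
PWD_MAX_AGE = 60 * DAY         # assumed policy: passwords expire after 60 days
WARN_WITHIN = 7 * DAY          # assumed policy: warn during the last 7 days
# Service accounts that must never expire (constructed DN, mirroring the thread's
# suggestion to point the WebADM proxy user at a non-expiring admin account).
EXEMPT_DNS = {"cn=admin,o=root"}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20130405132457Z' (UTC only)."""
    if not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime (non-UTC): %r" % value)
    body = value[:-1].split(".", 1)[0]      # drop optional fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_status(entry, now, max_age=PWD_MAX_AGE, warn_within=WARN_WITHIN,
                    exempt=EXEMPT_DNS):
    """Classify one entry as 'exempt', 'must-change', 'no-expiry', 'expired', 'warn' or 'ok'.

    Returns (state, seconds_remaining); seconds_remaining is negative once expired
    and None where no age applies.
    """
    if entry["dn"] in exempt:
        return "exempt", None
    if entry.get("pwdReset") == "TRUE":
        return "must-change", 0
    changed = entry.get("pwdChangedTime")
    if changed is None:
        # ppolicy only starts the clock once it has stamped pwdChangedTime;
        # an entry without it is not subject to expiration under the overlay.
        return "no-expiry", None
    age = (now - parse_generalized_time(changed)).total_seconds()
    remaining = int(max_age - age)
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_within:
        return "warn", remaining
    return "ok", remaining


def audit(entries, now):
    """Map each DN to its state so a login front end can tell the user before the OTP step."""
    return {e["dn"]: password_status(e, now)[0] for e in entries}


# Constructed sample entries, evaluated at a fixed instant (the date of the thread).
NOW = datetime(2013, 4, 8, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"dn": "cn=admin,o=root", "pwdChangedTime": "20120101000000Z"},
    {"dn": "uid=jason,ou=users,o=root", "pwdChangedTime": "20130301120000Z"},
    {"dn": "uid=alice,ou=users,o=root", "pwdChangedTime": "20130101000000Z"},
    {"dn": "uid=bob,ou=users,o=root", "pwdChangedTime": "20130401000000Z", "pwdReset": "TRUE"},
    {"dn": "uid=carol,ou=users,o=root"},
    {"dn": "uid=dave,ou=users,o=root", "pwdChangedTime": "20130212000000Z"},
]

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_ENTRIES, NOW).items():
        print("%-30s %s" % (dn, state))
```

Running the check before the OTP prompt lets the front end return a "password expired, please change it" message instead of a bare authentication failure; keeping the exemption list explicit avoids the trap the reply warns about, where one global policy silently expires the proxy account as well.
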
Gonzalo Fernández

Oct 2, 2017, 3:23:58 AM10/2/17
to RCDevs Security Solutions - Technical
Hello!

I'm currently working with OpenOTP and I would like to know if there is any update about the part of "working with expiration passwords" in LDAP.
Thanks!