06-21-2011 5:29 AM
Hi,
I was hoping that someone in the community might have some advice. I would like to use the "Security Question" feature of the Java UME to allow users to maintain a security question (for password reset). However my security policy requires that the user maintain 6 security questions and answers (not only one).
I assume I could achieve this only by custom development using the UME APIs to create a custom password reset scenario (and perhaps create a few additional UME attributes to store Q&As). Before I go down that path I want to ask if anyone has any other ideas or a more standard way.
Thanks,
Simon
06-22-2011 1:04 AM
Hi,
I doubt there is a better way than developing your own custom application. Don't forget to protect answers using a hash function. If you have a choice I would suggest using something like bcrypt instead of SHA-1 for storing passwords.
Cheers
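The hashing advice in the reply above, as an added example that is not part of the original thread: six security answers are normalized, salted and run through a slow key-derivation function before storage. bcrypt is not in the JDK, so this sketch substitutes PBKDF2 from javax.crypto; the class name, record format, iteration count and sample answers are assumptions, and no UME API is used.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.text.Normalizer;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SecurityAnswerStore {
    private static final int ITERATIONS = 600_000; // assumed work factor; tune to your hardware
    private static final SecureRandom RNG = new SecureRandom();

    // Canonical form, so "  Oak   street " and "oak street" verify the same way.
    static char[] normalize(String answer) {
        String s = Normalizer.normalize(answer, Normalizer.Form.NFKC);
        return s.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT).toCharArray();
    }

    static byte[] derive(char[] answer, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(answer, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Returns "iterations:salt:hash", the value to persist for one question (hypothetical format).
    static String enroll(String answer) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // fresh salt per answer, so equal answers give different records
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(normalize(answer), salt, ITERATIONS));
    }

    static boolean verify(String answer, String stored) throws GeneralSecurityException {
        String[] p = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(p[1]);
        byte[] actual = derive(normalize(answer), salt, Integer.parseInt(p[0]));
        return MessageDigest.isEqual(Base64.getDecoder().decode(p[2]), actual); // constant-time compare
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String[] answers = {"Fluffy", "Oak Street", "1987", "Lisbon", "Mrs. Khan", "Blue Civic"}; // constructed
        String[] records = new String[answers.length];
        for (int i = 0; i < answers.length; i++) records[i] = enroll(answers[i]);
        System.out.println(verify("  oak   street ", records[1]));
        System.out.println(verify("Elm Street", records[1]));
    }
}
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating answers that were enrolled earlier.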
06-24-2011 11:08 AM
Hi Simon,
As a more standard way without much customisation, you can enable Self Registration. Basically this allows users to set up their own account along with 1 security question that can be used to reset their password.
Have a look at the following help document:
http://help.sap.com/saphelp_nw70/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm
Other options to enable users to reset their own password are listed in this link:
http://help.sap.com/saphelp_nw70/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm
Thanks,
Dave
Edited by: David Fitzgibbon on Jun 24, 2011 12:09 PM
06-25-2011 10:20 PM
If it is only for the reset of the password (i.e. not for the creation of the account) then there are several applications which offer these services.
GRC and IdM do, with multiple question possibilities. IdM also has the option of using geographic indicators and business data (e.g. the invoice number on line <variable> of the <variable> last account statement). This is much better than favourite colour or maiden name...
There are also many external tools which do the same using different flavours.
Cheers,
Julius