Skip to:

Skip to Jira Navigation
Skip to Side Navigation
Skip to Main Content

Local password management

Description

Feature requirement: Define and implement Folio local username/password management policies and workflows.

Assumption

Assumption from UM SIG has been that only FOLIO operators need passwords.

Feature covers the following

Valid Password requirements
Validate password against bad password list(s) / dictionary(ies)
Log/Audit password (failed)
Support locking out a user who failed to login after successive attempts
Password strength meter
Workflow: Create Password
Workflow: Reset Password
Workflow: Change Password
Workflow: Locate my username
Ensure a user with SSO enable cannot have a local username/password

Mockups

Kimie mockups: https://drive.google.com/drive/folders/0By8ccf5VV4EWNnppQkRGSHZuSjg

Priority

P2

Labels

Fix versions

Development Team

Vega

Assignee

Khalilah Gambrell

Solution Architect

None

Parent

UXPROD-784 Users App

Parent Field Value

None

Parent Status

None

Linked issues

relates to

Select a bad password list(s)

Technical Design: Local Password Rules Parameters/Configuration

Prevent Local Password Re-Use (at least the last 10 passwords)

Security: Logging to support local password management (Technical design)

Update Status Field to also control access to Folio with local username/password

Backend - Security: Handling: Failed login attempts - Lock Account

Security: Counting Failed login attempts

Create/Extend password storage to support retaining last 10 changed passwords a user has saved

Create/Reset Password link validation

Create/Reset password submission

Extend mod-notify to support sending password creation/reset/changed password emails

Data Feed: Add a flag to indicate if the user record can have a local password

Forgot Username email

Security: Logging Change Password Updates

Can't Create a New User Unless You Specify a Password

Update Status Field to also control access to Folio

All passwords stored must be encrypted (Change Password verification)

All passwords must be encrypted on transit

Frontend: Indicate on User Detail record that the User is inactive due to failed login attempts

Technical Design: Generate a Create/Reset Password link

Edit User Detail Record: Display a Reset Password Email link

Edit User Detail Record: Display Send a create password email link (Frontend + Backend)

Frontend: Security: Handling Failed login attempts via Folio Login Screen - Lock Account

Create/Reset Confirmation Modal : Copy link functionality

Folio Login Page: Display a Forgot username link

Edit User Detail Record: Display a Reset Password Email link (wire backend to frontend)

Validate password when creating a user

Edit User Detail Record - Does not send a create password email when no password is present

Spike: Select a Password Strength Meter

Successfully changed password confirmation page

Create ui-myprofile module

Local Password Management: Create/Reset a Password Screen

Folio Login: Forgot username page

Folio Login: Forgot password page

Update Status Field to also control access to Folio via SSO

Implement a bad password list(s)

Create a password email template

Reset a Password Email Template

Generate a Change Password email

Access Change my password from Folio Top Toolbar

Create Change Password page

If change password is successful then keep Folio session and do not force user to log out

Create My profile landing page

Implement a Password Strength Meter

Change Password: Prevent Local Password Re-Use (at least the last 10 passwords)

Figure out UX for settings vs. preferences

Implement refresh tokens

Ensure that password and PII are secured while in transit

API Design: A Folio module to send and format emails.

Checklist

hide

TestRail: Results

Activity

Show:

Khalilah GambrellJanuary 15, 2019 at 5:08 PM

Will create a feature to capture Small Q1 2019 updates.

Kurt NordstromMay 25, 2018 at 3:47 PM

mod-login in its current form does two things:

It serves as a CRUD endpoint to manage credentials for user ids
It serves as an endpoint to request and return a JWT given a submitted username/password, which is checked against stored credentials.

Things like password reset could be managed by any service that has the appropriate permissions to write to the credentials store. Things like contact email and the like could be referenced from the user module. What we don't currently implement is any kind of "security question" information associated with credentials.

We're also not currently implementing anything to track password re-use. This would require an additional field to store past salt/hash pairs to check against new input.

As to whether SSO could completely replace username/password auth, I think theoretically yes. The main job of the login process is to return a usable token based on some kind of auth challenge. Whether that be password or SSO, it really should not matter.

Done

Details
Reporter
Cate Boerema(Deactivated)
Estimation Notes and Assumptions
KG: 5/30/2018 Updated what feature covers. Probably need to re-estimate Frontend and Backend.
Analysis Estimate
Medium < 5 days
Analysis Estimator
Khalilah Gambrell
Front End Estimate
XL < 15 days
Front End Estimator
Jakub Skoczen
Back End Estimate
Large < 10 days
Back End Estimator
Jakub Skoczen
Rank: 5Colleges (Full Jul 2021)
R2
Rank: Cornell (Full Sum 2021)
R4
Rank: Chalmers (Impl Aut 2019)
R1
Rank: BNCF (MVP Feb 2020)
R1
Rank: GBV (MVP Sum 2020)
R1
Rank: TAMU (MVP Jan 2021)
R4
Rank: Chicago (MVP Sum 2020)
R5
Rank: MO State (MVP June 2020)
R1
Rank: U of AL (MVP Oct 2020)
R1
Rank: Lehigh (MVP Summer 2020)
R1
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created January 18, 2018 at 1:21 PM

Updated September 16, 2020 at 9:17 PM

Resolved January 15, 2019 at 5:08 PM

TestRail: Cases

TestRail: Runs