Users App (UXPROD-784)

[UXPROD-39] Local password management Created: 18/Jan/18  Updated: 16/Sep/20  Resolved: 15/Jan/19

Status: Closed
Project: UX Product
Components: None
Affects versions: None
Fix versions: Q4 2018
Parent: Users App

Type: New Feature Priority: P2
Reporter: Cate Boerema (Inactive) Assignee: Khalilah Gambrell
Resolution: Done Votes: 0
Labels: usermanagement
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to UIP-1 Figure out UX for settings vs. prefer... Closed
relates to UIU-344 Can't Create a New User Unless You Sp... Closed
relates to MODLOGIN-30 Update Status Field to also control a... Closed
relates to MODLOGIN-33 Prevent Local Password Re-Use (at lea... Closed
relates to MODLOGIN-35 Select a bad password list(s) Closed
relates to MODLOGIN-36 Security: Logging to support local pa... Closed
relates to MODLOGIN-41 Backend - Security: Handling: Failed ... Closed
relates to MODLOGIN-42 Security: Counting Failed login attem... Closed
relates to MODLOGSAML-32 Update Status Field to also control a... Closed
relates to MODPWD-51 Implement a bad password list(s) Closed
relates to MODTEMPENG-5 Reset a Password Email Template Closed
relates to MODTEMPENG-8 Create a password email template Closed
relates to STCOR-275 Folio Login: Forgot password page Closed
relates to STCOR-276 Folio Login: Forgot username page Closed
relates to UIMPROF-2 Create My profile landing page Closed
relates to UIMPROF-3 Create Change Password page Closed
relates to UIMPROF-13 Change Password: Prevent Local Passwo... Closed
relates to UIU-513 Update Status Field to also control a... Closed
relates to UIU-514 All passwords stored must be encrypte... Closed
relates to UIU-515 All passwords must be encrypted on tr... Closed
relates to UIU-519 Technical Design: Generate a Create/R... Closed
relates to UIU-522 Edit User Detail Record: Display a Re... Closed
relates to UIU-589 Edit User Detail Record: Display Send... Closed
relates to UIU-590 Frontend: Security: Handling Failed l... Closed
relates to UIU-591 Frontend: Indicate on User Detail rec... Closed
relates to UIU-595 Create/Reset Confirmation Modal : Cop... Closed
relates to UIU-596 Folio Login Page: Display a Forgot us... Closed
relates to UIU-751 Edit User Detail Record: Display a Re... Closed
relates to UIU-1506 Edit User Detail Record - Does not se... Closed
relates to UIU-1120 Validate password when creating a user Closed
relates to UIU-508 Data Feed: Add a flag to indicate if ... Draft
relates to UIU-521 Forgot Username email Draft
relates to UIU-564 Security: Logging Change Password Upd... Draft
relates to FOLIO-1233 Implement refresh tokens Closed
relates to FOLIO-1359 Ensure that password and PII are secu... Closed
relates to FOLIO-1371 API Design: A Folio module to send an... Closed
relates to MODLOGIN-38 Technical Design: Local Password Rule... Closed
relates to MODLOGIN-86 Create/Extend password storage to sup... Closed
relates to MODNOTIFY-33 Extend mod-notify to support sending ... Closed
relates to MODTEMPENG-1 Generate a Change Password email Closed
relates to MODUSERBL-40 Create/Reset Password link validation Closed
relates to MODUSERBL-41 Create/Reset password submission Closed
relates to STCOR-273 Local Password Management: Create/Res... Closed
relates to STRIPES-541 Create ui-myprofile module Closed
relates to UIMPROF-4 Access Change my password from Folio ... Closed
relates to UIMPROF-5 If change password is successful then... Closed
relates to UIMPROF-20 Implement a Password Strength Meter Closed
relates to UIU-516 Spike: Select a Password Strength Meter Closed
relates to UIU-748 Successfully changed password confirm... Closed
Epic Link: Users App
Analysis Estimate: Medium < 5 days
Analysis Estimator: Khalilah Gambrell
Front End Estimate: XL < 15 days
Front End Estimator: Jakub Skoczen
Back End Estimate: Large < 10 days
Back End Estimator: Jakub Skoczen
Estimation Notes and Assumptions: KG: 5/30/2018 Updated what feature covers. Probably need to re-estimate Frontend and Backend.
Development Team: Vega
Rank: BNCF (MVP Feb 2020): R1
Rank: Chalmers (Impl Aut 2019): R1
Rank: Chicago (MVP Sum 2020): R5
Rank: Cornell (Full Sum 2021): R4
Rank: 5Colleges (Full Jul 2021): R2
Rank: GBV (MVP Sum 2020): R1
Rank: Lehigh (MVP Summer 2020): R1
Rank: MO State (MVP June 2020): R1
Rank: TAMU (MVP Jan 2021): R4
Rank: U of AL (MVP Oct 2020): R1

Description

Feature requirement: Define and implement Folio local username/password management policies and workflows.

Assumption

Assumption from UM SIG has been that only FOLIO operators need passwords.

Feature covers the following

  • Valid Password requirements
  • Validate password against bad password list(s) / dictionary(ies)
  • Log/audit failed password attempts
  • Support locking out a user who failed to login after successive attempts
  • Password strength meter
  • Workflow: Create Password
  • Workflow: Reset Password
  • Workflow: Change Password
  • Workflow: Locate my username
  • Ensure a user with SSO enabled cannot have a local username/password

Mockups

Kimie mockups: https://drive.google.com/drive/folders/0By8ccf5VV4EWNnppQkRGSHZuSjg



Comments
Comment by Kurt Nordstrom [ 25/May/18 ]

mod-login in its current form does two things:

  • It serves as a CRUD endpoint to manage credentials for user ids
  • It serves as an endpoint to request and return a JWT given a submitted username/password, which is checked against stored credentials.

Things like password reset could be managed by any service that has the appropriate permissions to write to the credentials store. Things like contact email and the like could be referenced from the user module. What we don't currently implement is any kind of "security question" information associated with credentials.

We're also not currently implementing anything to track password re-use. This would require an additional field to store past salt/hash pairs to check against new input.

As to whether SSO could completely replace username/password auth, I think theoretically yes. The main job of the login process is to return a usable token based on some kind of auth challenge. Whether that be password or SSO, it really should not matter.
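
The password re-use check Kurt outlines, retaining past salt/hash pairs per credential and re-deriving the candidate against each one, as an added example (not mod-login's code; PBKDF2-SHA256, the iteration count and the history depth are assumptions):

```python
"""Password-history check: keep past (salt, hash) pairs per credential and
reject a new password that matches the current pair or any retained one.
Illustrative example only; parameters below are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption, not a mod-login setting
HISTORY_DEPTH = 5            # assumption: how many past pairs to retain


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def new_credential(password: str) -> dict:
    """Create a credential record with a fresh random salt and empty history."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "history": []}


def is_reused(cred: dict, candidate: str) -> bool:
    """True if candidate equals the current password or any retained past one.

    Each retained entry keeps its own salt, so the candidate has to be
    re-derived per entry; comparison is constant-time to avoid leaking
    which entry matched through timing."""
    pairs = [(cred["salt"], cred["hash"])] + cred["history"]
    return any(hmac.compare_digest(hash_password(candidate, s), h)
               for s, h in pairs)


def change_password(cred: dict, new_password: str) -> bool:
    """Rotate the credential; refuse and leave it untouched on re-use."""
    if is_reused(cred, new_password):
        return False
    # Push the outgoing pair onto the history and trim to the retained depth.
    cred["history"].insert(0, (cred["salt"], cred["hash"]))
    del cred["history"][HISTORY_DEPTH:]
    salt = os.urandom(16)  # never reuse the old salt for the new hash
    cred["salt"] = salt
    cred["hash"] = hash_password(new_password, salt)
    return True
```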

Comment by Khalilah Gambrell [ 15/Jan/19 ]

Will create a feature to capture Small Q1 2019 updates.

Generated at Fri Feb 09 00:05:20 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.