
Identity as a Service: Password Policies

Last Updated: Nov 09, 2023

Identity as a Service (IDaaS) allows administrators to manage the following password policies in a centralized manner:

  • Password complexity

  • Initial password

  • Regular password change

  • Historical passwords

  • Forgot password

  • High-risk password detection


Password complexity

Passwords are one of the weakest links in network security. The stronger the password, the higher the security.


On the Password Policy tab on the Sign-In page, IDaaS provides five complexity templates that can be applied to a variety of scenarios. The following table describes the five complexity templates.

| Complexity template | Password requirement |
| --- | --- |
| Unrestricted | A minimum of four characters. |
| Simple | A minimum of six characters, and must contain lowercase letters and digits. |
| Common | A minimum of eight characters, and must contain uppercase letters, lowercase letters, and digits. |
| Recommended | A minimum of 10 characters, and must contain uppercase letters, lowercase letters, digits, and special characters. It cannot contain an account name. |
| Complex | A minimum of 16 characters, and must contain uppercase letters, lowercase letters, digits, and special characters. It cannot contain the user's account name, display name, mobile number, or email prefix. |

If you are an administrator, you can select one of the templates and change the configurations as needed, or directly customize the complexity configurations. After you complete the configurations, click Save for the configurations to take effect.

Changed complexity rules do not affect existing passwords; they apply only to passwords set after the change.
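The following validator is an added example (not IDaaS code) that encodes the five templates from the table above and reports which requirements a candidate password violates. The `account` dictionary shape and the case-insensitive substring interpretation of the "cannot contain" rules are assumptions made for the example; the page does not specify how IDaaS performs that comparison.

```python
import re

# Constructed encoding of the five complexity templates from the table above.
# Character classes: "upper", "lower", "digit", "special".
# "forbidden_fields" are the account attributes the password must not contain.
TEMPLATES = {
    "Unrestricted": {"min_length": 4, "classes": (), "forbidden_fields": ()},
    "Simple": {"min_length": 6, "classes": ("lower", "digit"), "forbidden_fields": ()},
    "Common": {"min_length": 8, "classes": ("upper", "lower", "digit"),
               "forbidden_fields": ()},
    "Recommended": {"min_length": 10,
                    "classes": ("upper", "lower", "digit", "special"),
                    "forbidden_fields": ("account_name",)},
    "Complex": {"min_length": 16,
                "classes": ("upper", "lower", "digit", "special"),
                "forbidden_fields": ("account_name", "display_name", "mobile",
                                     "email_prefix")},
}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),  # anything that is not a letter or digit
}


def account_substrings(account):
    """Map each forbidden field name to the substring it contributes.

    `account` is a plain dict with optional keys account_name, display_name,
    mobile and email (a hypothetical shape, not an IDaaS API object); the
    email prefix is the part before "@".
    """
    email = account.get("email") or ""
    values = {
        "account_name": account.get("account_name"),
        "display_name": account.get("display_name"),
        "mobile": account.get("mobile"),
        "email_prefix": email.split("@", 1)[0] if email else None,
    }
    return {name: value for name, value in values.items() if value}


def check_complexity(password, template, account=None):
    """Return the list of violated requirements; an empty list means the password passes."""
    rule = TEMPLATES[template]
    problems = []
    if len(password) < rule["min_length"]:
        problems.append(f"shorter than {rule['min_length']} characters")
    for cls in rule["classes"]:
        if not CLASS_PATTERNS[cls].search(password):
            problems.append(f"missing {cls} character")
    # Assumption: the "cannot contain" rules are case-insensitive substring checks.
    lowered = password.lower()
    substrings = account_substrings(account or {})
    for field_name in rule["forbidden_fields"]:
        value = substrings.get(field_name)
        if value and value.lower() in lowered:
            problems.append(f"contains {field_name}")
    return problems


if __name__ == "__main__":
    # Constructed sample account used to exercise the "cannot contain" rules.
    user = {"account_name": "alice", "display_name": "Alice Liddell",
            "mobile": "13800000000", "email": "alice.l@example.com"}
    for tpl in TEMPLATES:
        print(tpl, check_complexity("Alice.l#Rabbit2024xyz", tpl, user))
```

Because the function returns every violation rather than stopping at the first, the same result can be shown to the user as a checklist on the password page; the Complex template is the only one where the mobile number and email prefix are consulted.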

Initial password

When an account is imported from an identity provider (IdP), its password in the IdP generally cannot be obtained. IDaaS can initialize passwords for newly imported accounts and notify the users so that they can complete first logon.


The password initialization feature is disabled by default and can be enabled by administrators.

If you are an administrator, when you synchronize an account from an IdP to IDaaS and no password is available, you can specify the Initialization Method parameter as Randomly Generated and Sent to User. IDaaS randomly generates a new password that meets the complexity requirements and sends it to users by SMS message or email as configured.

You can also select Password Change upon First Logon. With this setting, users who log on with the randomly generated password must change it before they can access the system.

Regular password change

Administrators can set a password validity period and a handling policy upon password expiration.


Expiration reminder

If you are an administrator, you can enable Expiration Reminder and set the Expiration Reminder Method parameter to Reminder upon Logon. Starting N days before a password expires, IDaaS reminds the user to change it each time they log on to IDaaS. The user can change the password immediately or ignore the reminder.


The action to take upon password expiration

IDaaS provides the following three policies to restrict user logon upon password expiration:

  • Forbid Logon: It is a strict policy. If a password expires, it can no longer be used and the password change process cannot be triggered. The user can only log on by another method and then change the password, or initiate a password reset. If no other logon methods are enabled, the user cannot log on at all and must ask the administrator to reset the password. To avoid this, we recommend that you also enable Expiration Reminder or set the Forcibly Request Password Change in Advance parameter if you select this policy.

  • Forcibly Request Password Change: It is a balanced policy. If a password expires, the user can still use the password to log on to IDaaS but must change the password to access the portal or an application.

  • Remind User to Change Password: It is a loose policy. If a password expires, the user is reminded to change the password each time the user logs on to IDaaS, but the user can always ignore the reminder.

Password expiration only affects user logon and does not affect the status of an account.
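To make the three expiration policies and the reminder window concrete, here is an added example (not IDaaS code) that decides what a password-based logon does on a given day. It models Expiration Reminder and Forcibly Request Password Change in Advance as "N days before expiry" thresholds; the page names both settings but not their exact semantics, so that interpretation, the function names and the return values are assumptions of the example.

```python
from datetime import date, timedelta

# The three handling policies named on the page.
FORBID = "Forbid Logon"
FORCE = "Forcibly Request Password Change"
REMIND = "Remind User to Change Password"


def logon_decision(today, password_set_on, validity_days, policy,
                   reminder_days=None, force_change_days_before=None):
    """Decide what a password-based logon does on `today`.

    Returns one of:
      "allow"        valid password, no prompt
      "remind"       logon succeeds and the change reminder is shown (user may ignore it)
      "force_change" logon succeeds but the password must be changed before the
                     portal or any application can be used
      "forbid"       password-based logon is rejected

    Assumption: `reminder_days` models Expiration Reminder and
    `force_change_days_before` models Forcibly Request Password Change in
    Advance, both counted in days before the expiry date.
    """
    expires_on = password_set_on + timedelta(days=validity_days)
    days_left = (expires_on - today).days
    if days_left > 0:
        # Not yet expired: the advance settings decide whether to prompt.
        if force_change_days_before is not None and days_left <= force_change_days_before:
            return "force_change"
        if reminder_days is not None and days_left <= reminder_days:
            return "remind"
        return "allow"
    # Expired: the handling policy decides.
    if policy == FORBID:
        return "forbid"
    if policy == FORCE:
        return "force_change"
    if policy == REMIND:
        return "remind"
    raise ValueError(f"unknown policy: {policy!r}")


def lockout_risk(policy, reminder_days, force_change_days_before, other_logon_methods):
    """True when Forbid Logon can strand users: no reminder, no advance forced
    change and no alternative logon method, so an expired password leaves only
    an administrator reset (the situation the page warns about)."""
    return (policy == FORBID and reminder_days is None
            and force_change_days_before is None and not other_logon_methods)


if __name__ == "__main__":
    # Constructed dates: password set 2023-10-15 with a 90-day validity.
    for day in (date(2023, 12, 1), date(2024, 1, 1), date(2024, 2, 1)):
        print(day, logon_decision(day, date(2023, 10, 15), 90, FORBID, reminder_days=14))
    print("lockout risk:", lockout_risk(FORBID, None, None, []))
```

The `lockout_risk` helper is the configuration check a reviewer would run before choosing Forbid Logon: if it returns true, every user whose password expires silently becomes an administrator reset ticket.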

Historical passwords

IDaaS allows administrators to enable Historical Password Detection. If this feature is enabled, when a user changes the password, IDaaS forbids the user to use a new password that is the same as one of the previous N passwords.
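One way to implement such a check, as an added example rather than IDaaS's own implementation, is to keep only salted hashes of the last N passwords and test a candidate against each before accepting a change. The class, its parameters and the hash parameters below are assumptions of the example; the point it illustrates is that the history can enforce the rule without ever storing an old password in clear.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordHistory:
    """Keeps salted hashes of a user's most recent passwords and rejects reuse.

    Constructed example: `history_size` plays the role of IDaaS's N. Only
    hashes are stored, so the history cannot leak the old passwords themselves.
    """

    ITERATIONS = 50_000  # kept low for the demo; production settings use more

    def __init__(self, history_size):
        self.history_size = history_size
        # deque(maxlen=N): appending the (N+1)th entry silently drops the oldest,
        # which is exactly "the previous N passwords".
        self._entries = deque(maxlen=history_size)

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def is_reused(self, candidate):
        """True if `candidate` equals any of the last `history_size` passwords."""
        for salt, digest in self._entries:
            # Each entry has its own salt, so the candidate is re-hashed per entry.
            if hmac.compare_digest(self._digest(candidate, salt), digest):
                return True
        return False

    def change_password(self, new_password):
        """Apply the historical-password rule; returns True if the change is accepted."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(new_password, salt)))
        return True


if __name__ == "__main__":
    history = PasswordHistory(history_size=3)
    for pw in ("Winter2023!x", "Spring2024!x", "Summer2024!x", "Winter2023!x"):
        print(pw, "accepted" if history.change_password(pw) else "rejected (reused)")
```

Note that a rejected change is not recorded, so a user cannot "age out" an old password by submitting it repeatedly; only accepted changes move the window.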


Forgot password

Users may forget their passwords when they log on to IDaaS. IDaaS allows users to set a new password on their own.


By default, this feature is disabled. If you are an administrator, you can select the Show Forgot Password check box on the Forgot Password subtab on the Password Policy tab. After this feature is enabled, the Forgot Password link is displayed on the logon page for password-based logon.


Users can click this link to complete identity verification by SMS message or email.

If no mobile number or email address is specified for users, the password cannot be reset. In this case, users must contact the administrator.


After a mobile number or email address is configured, users can set a new password that meets the complexity requirements.

High-risk password detection

IDaaS maintains a large database of passwords that are known to have been compromised. When a user changes the password, the new password is checked against this database and the result is displayed on the same page. This feature is enabled by default, cannot be disabled, and has no setting in the console. The following figure shows a sample prompt of password detection.

(Figure: sample prompt of password detection.)

If the prompt says that the new password has been found in a security leak, attackers already possess this password and may try it against accounts. We strongly recommend that you do not use this password.
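The check described in this section, as an added example that is not IDaaS code: a small constructed leak corpus is indexed by SHA-1 and queried by the first five hex characters of the hash, so the side answering the query never sees the candidate password or its full hash (the k-anonymity range lookup used by public breach-check services). Whether IDaaS queries its database this way is not stated on the page; the corpus, counts and function names are assumptions of the example.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus standing in for the real compromised-password
# database. Each entry is (password, number of times it appeared in leaks).
CONSTRUCTED_LEAKS = [
    ("password", 3_000_000), ("123456", 20_000_000), ("qwerty", 1_500_000),
    ("password123", 500_000), ("letmein", 250_000), ("Summer2024!", 40),
]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the key used by the index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """SHA-1 index of leaked passwords queried by a 5-hex-character prefix.

    The prefix/suffix split means the client sends only the first five hex
    characters and matches the remaining 35 locally; the server learns only
    that one of roughly 2^20 possible hash buckets was of interest.
    """

    def __init__(self, leaks):
        self._ranges = defaultdict(dict)  # prefix -> {suffix: count}
        for password, count in leaks:
            digest = sha1_hex(password)
            self._ranges[digest[:5]][digest[5:]] = count

    def lookup_range(self, prefix):
        """Server side: return every known suffix (and count) for a 5-char prefix."""
        return dict(self._ranges.get(prefix.upper(), {}))

    def breach_count(self, password):
        """Client side: number of leak occurrences, 0 if the password is unknown."""
        digest = sha1_hex(password)
        return self.lookup_range(digest[:5]).get(digest[5:], 0)


def check_new_password(index, password):
    """Message shown on the password-change page for the new password."""
    count = index.breach_count(password)
    if count:
        return f"This password has appeared in known data leaks ({count} times); choose another."
    return "Not found in known data leaks."


if __name__ == "__main__":
    index = BreachIndex(CONSTRUCTED_LEAKS)
    for candidate in ("password123", "Tr0ub4dor&3-correct-horse"):
        print(candidate, "->", check_new_password(index, candidate))
```

Returning the occurrence count rather than a bare yes/no lets the page explain why a password that "looks" complex (such as the constructed `Summer2024!`) is still rejected: it has already appeared in leaks, which is what the page's prompt is warning about.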