This article describes the Password Recovery Security Questions feature for local users without email. It explains the purpose of the feature, how it works, the configuration and recovery flows, the expected impacts, the prerequisites for use, audit logs, and the security considerations relevant to operation and support.
- General Overview
- Configuration
- Users’ guide and workflow
- Password recovery
- Logs and audit
- Impacts and benefits
- Important observations
- Conclusion
General Overview
This feature allows local users without email to set up and use a set of security questions for password recovery. The goal is to reduce the burden on managers by increasing user autonomy.
Configuration
The configuration covers the following main points:
- Configurable question mechanism: the user chooses 3 questions from a fixed list of 10 and provides an answer for each. These questions and answers are used for validation during password recovery.
- Mandatory flow on first access: on the first login after a password change, a local user without email is required to configure the questions and answers.
- Persistent modal on login: local users who are already registered but have not yet configured their questions see a persistent modal on the login screen until they complete the configuration. The modal offers a “Fill in later” option that postpones the step but keeps the reminder until the configuration is completed.
- Editing in My Profile: local users without email and without SSO can edit their questions and answers in “My Profile.” Re-authentication is mandatory before any change is allowed.
- Global toggle: General Settings contains a control labeled “Enable security questions” (enabled by default). When this toggle is disabled, all flows, sections, and options related to security questions are hidden and inactive.
Requirements
- The user must be a local user without email (i.e., without a registered email address and without SSO authentication).
- The global option “Enable security questions” in General Settings must be enabled for the flows to be visible and operational.
Caption: Suggested illustration of the security questions configuration modal.
Users’ guide and workflow
The flow details user interactions from the first access to editing questions:
- First access after changing password: the system forces the configuration of the 3 questions. Purpose: to ensure that the user has a recovery method configured; result: the user can only proceed after completing the configuration or postponing it with the “Fill in later” option.
- Persistent modal upon login: for users who are already registered but have no configuration, the modal appears on every login until the configuration is completed. Purpose: to encourage configuration; result: increased adherence to the recovery mechanism.
- Editing in My Profile: available only after re-authentication. Purpose: to protect sensitive changes; result: changes are applied only after the user's current identity has been validated.
Best Configuration Practices:
- Choose answers that users can easily memorize and reproduce exactly, since the comparison does not tolerate spelling variations.
- Recommend that users avoid answers consisting only of names or very common words that could be easily guessed.
Password Recovery
The recovery process for users without email works as follows:
- Access via Forgot Password: Users without email select the “Forgot Password” option.
- Randomized questions: the system randomly selects 2 of the 3 questions configured by the user for validation.
- Response comparison: verification is strict; it considers case, accents, spaces, and punctuation. Purpose: to increase security and reduce false positives; result: answers must match the stored ones exactly.
- Blocking rule: the current blocking rule for failed attempts remains unchanged. The blocking time is calculated as 5^(incorrectAttempts - 2) minutes, up to a maximum of 125 minutes. Unblocking continues to be a manual action performed by a manager.
Caption: Suggested illustration of the screen where the questions selected during the recovery are displayed.
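The recovery checks described above (random 2-of-3 question selection, strict answer comparison, and the 5^(incorrectAttempts - 2) lockout with its 125-minute cap), as an added example that is not the product's own code. The user data is constructed, plaintext storage of answers is an assumption (the article does not say how they are stored), and treating the first wrong attempt as lockout-free is also an assumption.

```python
import hmac
import secrets

LOCKOUT_CAP_MINUTES = 125  # maximum lockout stated in the article

# Constructed sample: one user's 3 configured questions and stored answers.
# The article does not specify how answers are stored; plaintext is assumed here.
SAMPLE_USER = {
    "Name of your first pet?": "Rex",
    "City where you were born?": "São Paulo",
    "Your mother's maiden name?": "Silva",
}


def lockout_minutes(incorrect_attempts: int) -> int:
    """Lockout after N wrong attempts: 5^(incorrectAttempts - 2) minutes, capped at 125.

    Assumption (not stated on the page): no lockout before the second wrong attempt,
    i.e. the formula is only applied once the exponent is non-negative.
    """
    if incorrect_attempts < 2:
        return 0
    return min(5 ** (incorrect_attempts - 2), LOCKOUT_CAP_MINUTES)


def pick_recovery_questions(configured: dict, count: int = 2) -> list:
    """Randomly select `count` of the user's configured questions (2 of 3 per the article).

    SystemRandom is used so the selection cannot be predicted from an earlier attempt.
    """
    if len(configured) < count:
        raise ValueError("user has not configured enough questions")
    return secrets.SystemRandom().sample(list(configured), count)


def answer_matches(stored: str, presented: str) -> bool:
    """Strict comparison as described: case, accents, spaces and punctuation all count.

    Nothing is casefolded, stripped or Unicode-normalised; compare_digest keeps the
    comparison time independent of which character differs.
    """
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def verify_recovery(configured: dict, asked: list, presented: dict) -> bool:
    """Every asked question must be answered exactly; a missing answer counts as wrong."""
    return all(answer_matches(configured[q], presented.get(q, "")) for q in asked)
```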
Important Observations
Important: Responses are compared strictly, taking into account case, accents, spaces, and punctuation. Instruct users to type their answers exactly as they expect to enter them during recovery. In addition, even though the feature reduces support calls, unblocking after a lockout continues to be performed manually by the manager according to the existing blocking rule.
Conclusion
The Security Questions feature allows local users without email to set up three questions (from a list of 10), requires them to do so on their first login after changing their password, lets them edit the questions with re-authentication in “My Profile,” and lets them recover their password via “Forgot Password” by answering two randomly selected questions. Answer verification is strict (including case, accents, spaces, and punctuation). A global toggle in General Settings (“Enable security questions”) hides all related flows when disabled. Detailed logs record configuration, editing, attempts, and manager actions. The current lockout rule remains (time calculated as 5^(incorrectAttempts - 2) minutes, with a limit of 125 minutes), and unlocking continues to be done manually by the manager.