Monday, September 19, 2011

"Forcing" users to answer their authentication questions

Background:
 
Password self-service only works if the user has supplied valid answers to their authentication questions _prior_ to forgetting their password. For this reason, the effectiveness of password self-service is dependent upon the approach used for "seeding" the answers.
 
One approach is to define questions which do not require the user to explicitly answer, but which can be auto-populated through a feed or automated update (e.g., questions like SSN, ZIP code, etc.). The drawback with this approach is the strength of the questions. The set of available questions is typically limited to the "HR data" realm. These types of questions are not as secure as more personalized questions, ones which only the user (and not someone in HR) would really know.
 
So, if question strength is a requirement, the approach of using personalized questions further requires a way to ensure the user supplies valid answers prior to actually forgetting their password.
 
 
Requirement:
 
Upon their first login to Lighthouse, the end-user menu should detect that the user has not supplied answers to their authentication questions and prompt them to do so. No other links will be available until the user has supplied the minimum number of answers to their questions.
 
 
Solution:
 
The solution requires the definition of a Lighthouse Rule which can be invoked from the end-user menu. The rule must iterate over the user's questions and return an indication (boolean) of whether the user has answered the required number of questions. The end-user menu can use this boolean to enable/disable links on the form, effectively making the user answer their questions before they can do anything else.
 
Earlier solutions to this requirement exist for the pre-3.1SP5 Lighthouse release; however, the view schema has changed since then and now incorporates a loginInterface component (i.e., allowing different sets of questions for user, administrator, ivr). This requires additional handling to ensure the correct set of questions is being checked.
 
Below is a rule used to implement this functionality. A constant (maintained in the rule) defines the minimum number of questions that must be answered. This could also be an argument to the rule. Ultimately, its value will depend on the particular Lighthouse Account policy being used by the customer.
 
<Rule name='areQuestionsAnswered'>
  <RuleArgument name='questions'/>
  <RuleArgument name='loginInterface'/>
  <expression>
    <block trace='true'>
      <defvar name='numRequired'>
        <i>3</i>
      </defvar>
      <defvar name='count'>
        <i>0</i>
      </defvar>
      <dolist name='listItem'>
        <ref>questions</ref>
        <cond>
          <and>
            <notnull>
              <get>
                <ref>listItem</ref>
                <s>answer</s>
              </get>
            </notnull>
            <match>
              <get>
                <ref>listItem</ref>
                <s>loginInterface</s>
              </get>
              <ref>loginInterface</ref>
            </match>
          </and>
          <set name='count'>
            <add>
              <ref>count</ref>
              <i>1</i>
            </add>
          </set>
          <null/>
        </cond>
      </dolist>
      <gte>
        <ref>count</ref>
        <ref>numRequired</ref>
      </gte>
    </block>
  </expression>
</Rule>
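The same check, written here as an added Python example (not part of the original post or of Lighthouse itself) so the counting and loginInterface filtering can be exercised on constructed data. It assumes each question is a dict with "answer" and "loginInterface" keys, and it is deliberately stricter than the rule's <notnull> test: a blank or whitespace-only answer is treated as unanswered.

```python
# Added example: mirrors the areQuestionsAnswered rule and the menu gating.
NUM_REQUIRED = 3  # the numRequired constant kept in the rule
USER_INTERFACE = "UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE"  # value passed by the form


def are_questions_answered(questions, login_interface, num_required=NUM_REQUIRED):
    """True once at least num_required questions for login_interface carry an answer.

    An entry counts only when its answer is present AND its loginInterface matches
    the interface being checked, as in the rule's <and><notnull>..<match> block.
    Assumption (stricter than the rule): an empty or whitespace answer does not count.
    """
    count = 0
    for item in questions:
        answer = item.get("answer")
        if answer is None or not str(answer).strip():
            continue  # unanswered: the rule's <notnull> would only reject None
        if item.get("loginInterface") != login_interface:
            continue  # belongs to another interface (administrator, ivr, ...)
        count += 1
    return count >= num_required


def end_user_menu(questions, login_interface):
    """Emulate the End User Menu: the subtitle shown and which links are enabled.

    UI_CHANGE_PASSWORD is the link from the form excerpt; UI_ANSWER_QUESTIONS is a
    hypothetical link that stays enabled so the user can still supply answers.
    """
    answered = are_questions_answered(questions, login_interface)
    subtitle = ("Please select one of the options below:" if answered
                else "You have not supplied answers to your authentication questions.")
    links = {"UI_CHANGE_PASSWORD": answered, "UI_ANSWER_QUESTIONS": True}
    return subtitle, links


# Constructed sample data: three answered user-interface questions, one blank,
# one unanswered, and one answered question that belongs to the administrator
# interface. Only the three user-interface answers should count.
SAMPLE_QUESTIONS = [
    {"question": "Mother's maiden name?", "answer": "Smith", "loginInterface": USER_INTERFACE},
    {"question": "First pet's name?", "answer": "Rex", "loginInterface": USER_INTERFACE},
    {"question": "City of birth?", "answer": "Boston", "loginInterface": USER_INTERFACE},
    {"question": "Favorite teacher?", "answer": "   ", "loginInterface": USER_INTERFACE},
    {"question": "First car?", "answer": None, "loginInterface": USER_INTERFACE},
    {"question": "Admin passphrase hint?", "answer": "blue", "loginInterface": "administrator"},
]

if __name__ == "__main__":
    print(end_user_menu(SAMPLE_QUESTIONS, USER_INTERFACE))
```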

With the above rule defined, the end-user menu can be customized to display the appropriate links based on whether the user has answered their questions or not. The following section of the End User Form illustrates the usage:
 
    <Form name="End User Menu">
      <defvar name="questionsAnswered">
        <call name="areQuestionsAnswered">
          <map>
            <s>questions</s>
            <ref>waveset.questions</ref>
            <s>loginInterface</s>
            <s>UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE</s>
          </map>
        </call>
      </defvar>
      <Display class="LinkForm">
        <Property name="subTitle">
          <expression>
            <cond>
              <ref>questionsAnswered</ref>
              <s>Please select one of the options below:</s>
              <s>&lt;font color='#ff0000'>You have not supplied answers to your authentication questions.&lt;br/>The answers you supply will be used to verify your identity when you forget your password.&lt;br/>&lt;/font></s>
            </cond>
          </expression>
        </Property>
      </Display>
      <Field>
        <Display class="Link">
          <Property name="name" value="UI_CHANGE_PASSWORD"/>
          <Property name="URL" value="user/changePassword.jsp"/>
        </Display>
        <Disable>
          <isFalse>
            <ref>questionsAnswered</ref>
          </isFalse>
        </Disable>
      </Field>

For screenshots of this in action, along with the complete Rule and UserForm xml objects, please see the attached ForceQuestionsAnsweredExample.zip file.
