Info

Allows a user to log into LearningBuilder if they forget their password and no longer have access to the email address on file. Currently scheduled for release in 11.0.18, subject to change.

Sys Admins can also view configuration instructions.

Info

This feature applies to “Person” accounts only; Organization type accounts cannot recover their accounts this way.

Overview

LearningBuilder allows users who have forgotten their password to recover their account by confirming access to the email address on file. They can request an email containing a link that allows them to reset the password.

...

Note

Allowing users to bypass the password and email account verification process can potentially reduce site security. Account Recovery is disabled by default and should be implemented with care.

...

Details

The specific information needed to recover an account is configurable by a Sys Admin.

...

| Data field | Notes |
| --- | --- |
| Primary email address | |
| Social Security Number | See /wiki/spaces/DOCS/pages/262569985 |
| Driver’s License Number | |
| Any extrinsic Short Text, Numeric, Date, or Pick List attribute on a Member Role | Common use case is Birth Date, but can also be used to confirm identity using other (presumably private) information tracked on the Member Role. |

User experience

When Account Recovery is enabled, the “Forgot Password” page will display an option to begin the recovery process.

...

The recovery page will prompt the user to input the required information, which again can vary between implementations.

...

Email and password change is required upon successful recovery

If the user input successfully identifies a single Member account, the user will be prompted to enter a new email address and password.

This is a required step of the recovery process, because use of the Account Recovery feature implies that the email address is no longer accessible, and we want the user to properly secure their recovered account.

After entering the new email address, an email is sent to that address containing an account recovery code, similar to the standard Reset Password flow.

...

After the new password is validated, the primary email account is updated and the user is successfully logged in.

Account Recovery is disabled after 3 failed attempts

To prevent brute-force account recovery attacks, three subsequent failed Account Recovery attempts will disable Account Recovery for that account.

Members in this status will not be able to use the Account Recovery feature. They can continue to log in normally (assuming they know their password) and can use the Reset Password feature if they have access to their primary email; this status only prevents the use of the Recovery feature.

In all other cases, they will need to contact support to have their password reset by an administrator.
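
The single-match rule and the three-failure lockout described above, sketched in Python as an added example; this is not LearningBuilder's code. The `Member` class, the field names, the use of the primary email address to locate the account, and the reset of the counter on success are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_RECOVERIES = 3  # threshold stated on the page


@dataclass
class Member:
    email: str
    recovery_fields: dict  # configured fields, e.g. {"birth_date": "1980-02-14"}
    failed_recoveries: int = 0
    recovery_disabled: bool = False


def _same(a: str, b: str) -> bool:
    # Constant-time comparison after light normalisation (normalisation is an assumption).
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def attempt_recovery(members, email, submitted):
    """Return 'proceed', 'failed' or 'disabled' (internal result, not user-facing text)."""
    # Assumption: the primary email address locates the account that failures count against.
    matches = [m for m in members if _same(m.email, email)]
    if len(matches) != 1:
        return "failed"  # recovery requires exactly one Member account
    member = matches[0]
    if member.recovery_disabled:
        return "disabled"  # even correct answers are refused; support must intervene
    ok = True
    for name, expected in member.recovery_fields.items():
        ok &= _same(submitted.get(name, ""), expected)  # check every field, no early exit
    if ok:
        member.failed_recoveries = 0  # assumption: only an unbroken run of failures counts
        return "proceed"  # next step: new email address, emailed code, new password
    member.failed_recoveries += 1
    if member.failed_recoveries >= MAX_FAILED_RECOVERIES:
        member.recovery_disabled = True  # login and Reset Password are not touched
    return "failed"


def demo():
    # Constructed sample data, not real records.
    good = {"birth_date": "1980-02-14", "license": "D1234567"}
    members = [Member("pat@example.test", dict(good))]
    bad = dict(good, birth_date="1980-02-15")
    results = [attempt_recovery(members, "pat@example.test", bad) for _ in range(3)]
    results.append(attempt_recovery(members, "pat@example.test", good))
    return results  # three failures, then a refusal despite correct answers
```

Because the disabled flag lives on the account rather than on the session or source address, the limit holds even when attempts come from different clients.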

...