ID vault password reset security

A benefit of the vault is the ability to easily reset passwords on IDs when users forget them. There are two models available for resetting passwords: authorized personnel can use the Domino® Administrator to reset passwords for users, or users or authorized personnel can reset passwords using a custom application. You can implement one or both models.

There are two security considerations for either model: trust of the person or application that resets passwords and trust of the identity of the users whose passwords are being reset. Trust of a person's or application's authority to reset passwords is established through special-purpose cross-certificates called Password Reset Certificates. You use the ID Vaults > Create or ID Vaults > Manage tool to issue Password Reset Certificates from parent certifiers of the user IDs stored in a vault. The certificates are created in the Configuration > Security > ID Vaults view of the Domino® Directory. Trust of the identity of a user whose password is reset must be established by the person or application resetting the password.

Password reset authority for people who reset passwords using the Domino® Administrator

People who log in to the Domino® Administrator under an identity with password reset authority can reset user passwords using the Reset Password tool. To give password reset authority to these people, a Domino® administrator creates Password Reset Certificates for individuals or organizational units. You cannot create a Password Reset Certificate for a directory group, but you can select a group as a way to easily create an individual Password Reset Certificate for each current member.

People who reset passwords through Domino® Administrator have two options for conveying the new passwords to users. They can pick the new password or generate a random one and then inform the user of it themselves. It's important that they have a method to confirm the user's identity. Alternatively, they can generate a random new password and send it by encrypted email to someone, for example a user's manager.

You should give password reset authority to IDs registered and used specifically for resetting passwords.

Password reset authority for applications

Developers can use the ResetUserPassword method available in C, Java, JavaScript or LotusScript® to develop a custom application for resetting passwords. This can be a self-service application that allows users to reset their own passwords or an application that help desk personnel use to reset user passwords.

If the ResetUserPassword method is used in a LotusScript® agent or Java agent, you must give password reset authority with the Self-service password reset authority flag to a user identity that has signed the agent, preferably one that is registered specifically for this purpose. The server on which you deploy the agent must also have this authority and must give the agent signer Run restricted LotusScript/Java agents access.

If the ResetUserPassword method is used in a non-agent application, you give password reset authority with the Self-service password reset authority flag to the user or server identity under which the application is authorized to run.

The application is responsible for verifying the identity of the users who use it. This could be done using a Domino® Web server HTTP user name and password. Or, the application itself could handle the authentication, for example, by using LDAP directory server authentication or by posing personal questions to users.

Domino® comes with a sample self-service application that uses the ResetUserPassword method in a LotusScript® agent that you can customize for your environment.