We recently received some pentest results that flagged the password reset workflow as being vulnerable to user enumeration. When a user attempts to reset a password we get one of two responses.

If the account doesn't exist, "Password self-service is not available for the user" is returned. If the account DOES exist, you're immediately prompted with your security questions. This will allow an attacker to identify valid accounts in the domain.

Are there any settings available in 2023.2 that will change the UI and workflow to something like, "If the account exists, you will receive a password reset link in your email" and require that link to access the security questions/reset workflow?

ago by (100 points)

1 Answer

ago by (310k points)
0 votes

Hello,

Unfortunately, there is no such possibility in Adaxes 2023.2. However, starting from Adaxes 2025.1 you first need to enter a valid username. Only after that there is a possibility to start the verification for password self-service. On the username step, brute force protection settings apply. For details about the settings, have a look at the following tutorial: https://www.adaxes.com/help/PreventBruteForceAttacks.
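The enumeration issue raised in the question, and the uniform-response fix it asks for, in a small added example (illustrative code only, not Adaxes code or its API; the user directory, function names and the email callback are assumptions): the leaky handler returns a different response depending on whether the account exists, while the hardened handler always returns the same message and only reveals the security questions to the holder of a single-use token delivered by email.

```python
import hashlib
import secrets

# Constructed sample directory: a single enrolled user, nothing else.
USERS = {
    "jdoe": {"email": "jdoe@example.test", "questions": ["Mother's maiden name?"]},
}

def leaky_request_reset(username):
    """Flow as described in the question: the response itself tells the
    caller whether the account exists (a user-enumeration oracle)."""
    if username not in USERS:
        return {"message": "Password self-service is not available for the user"}
    return {"message": "Answer your security questions",
            "questions": USERS[username]["questions"]}

# Pending reset tokens, keyed by SHA-256 of the token so a leaked copy of
# this table cannot be replayed. Token -> username.
PENDING = {}

def uniform_request_reset(username, send_email):
    """Hardened flow: identical response whether or not the account exists.
    Work that depends on existence (token issue, email) should be queued
    asynchronously in production so response time does not leak either."""
    if username in USERS:
        token = secrets.token_urlsafe(32)
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = username
        send_email(USERS[username]["email"], token)
    return {"message": "If the account exists, you will receive a "
                       "password reset link in your email"}

def questions_for_token(token):
    """Security questions are gated on the emailed token. The token is
    consumed on first use; unknown or reused tokens yield nothing."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    username = PENDING.pop(digest, None)
    if username is None:
        return None
    return USERS[username]["questions"]
```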
