This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Recovery with Secret Questions

As an alternative to recovering passwords using Recovery with Notification, the WSO2 Identity Server also supports recovery using secret questions. Follow the instructions below to configure this. 

  1. Edit the <IS_HOME>/repository/conf/security/identity-mgt.properties file with the following configurations.

    Identity.Listener.Enable=true
    Notification.Sending.Enable=true
    Notification.Expire.Time=3
    Notification.Sending.Internally.Managed=true
    UserAccount.Recovery.Enable=true
    Captcha.Verification.Internally.Managed=false

    See the following table for descriptions of these configurations.

    Identity.Listener.Enable=true
        Enables the identity listener.
    Notification.Sending.Enable=true
        Enables sending email when recovering an account and when verifying user creation.
    Notification.Expire.Time=3
        Expiry time in minutes for the recovery key (confirmation code) issued during recovery. With this value a recovery attempt expires three minutes after it is started.
    Notification.Sending.Internally.Managed=true
        Enables the internal email sending module. If false, the email sending data is made available to the application through a Web service, so the application can send the email using its own email sender.
    UserAccount.Recovery.Enable=true
        Enables the user account recovery process.
    Captcha.Verification.Internally.Managed=false
        true means the Identity Server validates captchas itself; set this to true if you do not have an existing captcha validation module. Whichever side validates it, do not skip captcha validation: it is the only check in the recovery flow below that slows automated guessing of usernames and challenge answers.
  2. Log in to the management console and navigate to Configure > Claim Management > http://wso2.org/claims/.

  3. Ensure that the default challenge question claim URIs, Challenge Question 1 and Challenge Question 2, are mapped to the correct attributes in the underlying user store.

  4. Invoke the UserIdentityManagementAdminService API and set the challenge questions for a user using the setChallengeQuestionsOfUser operation. The WSDL for this service is available at https://localhost:9443/services/UserIdentityManagementAdminService?wsdl.

Recovery with secret questions uses the following sequence of calls to the UserInformationRecoveryService (WSDL: https://localhost:9443/services/UserInformationRecoveryService?wsdl). Each call after the first returns a new key that must be passed to the next call, so the key chain ties every step to the same recovery attempt.

  1. getCaptcha() - Generates a captcha.
  2. verifyUser() - Validates the captcha answer and the username, and returns a new key.
  3. getUserChallengeQuestionIds() - Retrieves the claim URI IDs of the challenge questions set for the user. Requires the key from the previous call and returns a new one.
  4. getUserChallengeQuestion() - Retrieves the user's challenge question for one claim URI ID returned by the previous call. Requires the key from the previous call and returns a new one.
  5. verifyUserChallengeAnswer() - Validates the answer for the specified question together with the confirmation code. Requires the key from the previous call and returns a new one.
  6. updatePassword() - Updates the password in the system. Requires the key from the previous call and the new password, and returns the status of the update, i.e. true or false.

The password recovery flow should be used for the two challenge questions as follows:

  • Get the captcha using the getCaptcha() operation and pass the captcha details together with the username to the verifyUser() operation.
  • The response carries a key (confirmation code); keep it for the next call.
  • After the verification, get the challenge question IDs using the getUserChallengeQuestionIds() operation, which returns the defined claim URIs along with a new key.
  • Retrieve a question for the user with the getUserChallengeQuestion() operation, using the key you received.
  • To maximize security, ask the two questions as two separate steps in your web application: fetch and present the second question only after the first answer has been verified, so a wrong first answer ends the attempt without revealing the second question.
  • The verifyUserChallengeAnswer() operation verifies a particular answer for a question. Only if both answers are correct, call the updatePassword() operation with the final key to change the user's password.
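The following client-side driver is an added example, not code from the WSO2 documentation or the sample web app. It runs the sequence above (verifyUser, getUserChallengeQuestionIds, one getUserChallengeQuestion/verifyUserChallengeAnswer pair per question, updatePassword), threads each returned key into the next call, and aborts at the first failed step. The SOAP transport is injected so the flow can be exercised offline against a constructed fake server; the namespace, the parameter names of each operation and the response field names (key, verified, error, ids, question) are assumptions to be confirmed against the service WSDL before real use.

```python
"""Client driver for the WSO2 IS UserInformationRecoveryService secret-question flow.
Added example, not WSO2 code. ASSUMED (check the WSDL): the namespace NS, the
parameter names of each call, and the response fields key/verified/error/ids/question."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://services.mgt.identity.carbon.wso2.org"  # assumed; confirm against the WSDL


class RecoveryError(Exception):
    pass


def _params_xml(params):
    # A list value becomes a nested element (used for the captcha bean).
    return "".join("<ser:%s>%s</ser:%s>" % (k, _params_xml(v) if isinstance(v, list)
                                            else escape(str(v)), k) for k, v in params)


def soap_envelope(operation, params):
    """SOAP 1.1 envelope for one operation; params is an ordered list of (name, value)."""
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:ser="%s"><soapenv:Body><ser:%s>%s</ser:%s></soapenv:Body></soapenv:Envelope>'
            % (NS, operation, _params_xml(params), operation))


def parse_return(xml_text):
    """Flatten the direct children of the first <return> element, ignoring namespaces;
    repeated <ids> children are collected into a list."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "return":
            continue
        for child in el:
            name, text = child.tag.rsplit("}", 1)[-1], (child.text or "").strip()
            if name == "ids":
                out.setdefault("ids", []).append(text)
            else:
                out[name] = text
        break
    return out


def _next_key(step, resp):
    """Every step must report success and return the key that unlocks the next call."""
    if resp.get("error"):
        raise RecoveryError("%s: %s" % (step, resp["error"]))
    if resp.get("verified", "true").lower() != "true":
        raise RecoveryError("%s: not verified" % step)
    if not resp.get("key"):
        raise RecoveryError("%s: no key returned" % step)
    return resp["key"]


def recover_password(transport, username, captcha, answer_for, new_password):
    """transport(operation, params) -> response XML; captcha = (secretKey, userAnswer)
    from getCaptcha(); answer_for(question) -> the user's answer. Questions are asked one
    at a time: a wrong first answer never reveals the second question or reaches updatePassword."""
    key = _next_key("verifyUser", parse_return(transport("verifyUser", [
        ("username", username),
        ("captcha", [("secretKey", captcha[0]), ("userAnswer", captcha[1])])])))
    ids_resp = parse_return(transport("getUserChallengeQuestionIds",
                                      [("username", username), ("confirmation", key)]))
    key = _next_key("getUserChallengeQuestionIds", ids_resp)
    ids = ids_resp.get("ids", [])
    if len(ids) < 2:
        raise RecoveryError("fewer than two challenge questions are set for the user")
    for qid in ids:
        q = parse_return(transport("getUserChallengeQuestion", [
            ("userName", username), ("confirmation", key), ("questionId", qid)]))
        key = _next_key("getUserChallengeQuestion", q)
        v = parse_return(transport("verifyUserChallengeAnswer", [
            ("userName", username), ("confirmation", key), ("questionId", qid),
            ("answer", answer_for(q.get("question", "")))]))
        key = _next_key("verifyUserChallengeAnswer", v)
    done = parse_return(transport("updatePassword", [
        ("username", username), ("confirmationCode", key), ("newPassword", new_password)]))
    return done.get("verified", "").lower() == "true"


def fake_transport(answers, calls):
    """Constructed stand-in for the server (not the real service): issues a fresh key per
    step and rejects any call that does not present the key from the previous step."""
    state = {"key": None, "n": 0}
    questions = {"q1": ("What is your pet's name?", answers[0]),
                 "q2": ("Which city were you born in?", answers[1])}

    def transport(op, params):
        calls.append(op)
        p = dict((k, v) for k, v in params if not isinstance(v, list))
        wrap = ('<e xmlns:ns="%s"><ns:%sResponse><ns:return>%%s</ns:return>'
                '</ns:%sResponse></e>' % (NS, op, op))
        if op != "verifyUser" and p.get("confirmation", p.get("confirmationCode")) != state["key"]:
            return wrap % "<error>stale or missing key</error>"
        ok = op != "verifyUserChallengeAnswer" or questions[p["questionId"]][1] == p["answer"]
        state["n"] += 1
        state["key"] = "key-%d" % state["n"] if ok else None
        body = "<key>%s</key>" % (state["key"] or "")
        if op == "getUserChallengeQuestionIds":
            body += "<ids>q1</ids><ids>q2</ids>"
        else:
            body += "<verified>%s</verified>" % str(ok).lower()
            if op == "getUserChallengeQuestion":
                body += "<question>%s</question>" % escape(questions[p["questionId"]][0])
        return wrap % body
    return transport
```

In a real client the transport would POST soap_envelope(operation, params) to https://localhost:9443/services/UserInformationRecoveryService with the SOAPAction header from the WSDL and return the response body; everything else stays the same. The fake transport exists only so the sequencing can be checked offline: it shows that a replayed or forged confirmation key is refused, and that a wrong answer stops the flow before the second question is fetched.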

Tip:  You can see this in action when using this sample web app.