Password Recovery Using Challenge Questions

This section guides you through setting up password recovery for users to recover a lost or forgotten password. There are two methods of password recovery:

Recovery using notifications
Recovery using challenge questions

This document guides you on setting up recovery using challenge questions. For instructions on recovery using notificatios, see Password Recovery Using Notifications.

From 5.3.0 onwards there is a new implementation for identity management features. The steps given below in this document follows the new implemenation which is the recommended approach for password recovery.

Alternatively, to see steps on how to enable this identity management feature using the old implementation, see Password Recovery documentation in WSO2 IS 5.2.0. The old implementation has been retained within the WSO2 IS pack for backward compatitbility and can still be used if required.

Recovery using challenge questions

The WSO2 Identity Server provides an alternative means of recovering passwords. This is by using challenge questions. If users forget their password, they can recover it by answering challenge questions that were set up for their accounts.

Before setting this up, you must configure the required claims for this feature. To do this, do the following.

Enter your username and password to log on to the Management Console.
Click on Resident found under the Identity Providers section on the Main tab of the Management Console.
Expand the Account Management Policies tab, then the Account Recovery tab and select the Enable the Security Questions Based Password Recovery checkbox.
Configure the required number of questions in the Number of Questions Required for Password Recovery.
Optionally, select the Notify when Questions Based Recovery Starts checkbox to send an email notification to the user when the question based recovery starts.

You can set up challenge questions for users in one of the following ways:

Using the management console

To set up challenge questions or to manage the questions with different locales (languages), see Managing Challenge Questions.

Using the end user dashboard

To try this out, first create a user in the Identity Server.

On the Main tab in the Management Console, click Add under Users and Roles.
Click Users. This link is only visible to users with the Admin role.
Click Add New User.
Log out of the Identity Server.
The URL for accessing dashboard is the following if the hostname is localhost and the Identity Server is running on port 9443: https://localhost:9443/dashboard/. Click this link to access the dashboard and log in using the credentials of the user you just created.
Click the View Details button under the Account Recovery section in the end user dashboard.
Set challenge questions for the user account. There are two sets of challenge questions by default. You can pick one question for each set and give an answer for the question.
Click Update.
Sign out of the dashboard and click Forgot Password on the login screen.
Enter the username and select Recover with Security Questions. Click Submit.

Tip: If you have configured WSO2 IS to use email address as the username, enter the username in the format of "john@foo.com". If the user is in the super tenant, this is in the format of "john@foo.com@carbon.super". If the user is in the tenant bar.com, the format you must enter is "john@foo.com@bar.com".
Enter the answers to the challenge questions and click Submit.
Enter a new password and click Submit. You will receive a notification of successful password reset.

For information on the REST APIs for password recovery using challenge questions, see the swagger docs on Account Recovery REST APIs.

To set up reCaptcha for password recovery with secret questions, see Configuring reCaptcha for Password Recovery Flow.
By default, the claim values of the identity claims used in this feature are stored in the JDBC datasource configured in the identity.xml file. See Configuring Claims for more information on how to store the claim values in the user store.