Password-related features
17.5.5.1. Password-related features (JSP-Loginapp migration)

The following table provides information about the availability of JSP-Loginapp features in the Loginapp REST UI and high-level migration hints (where available).

Information about the availability of upcoming releases is indicative and subject to change.

Please note the additional information on discontinued functions (see link below).

Version information about features not yet available will be updated or clarified as soon as known.

The following notation is used to indicate release versions (examples):

  • 7.7: planned for IAM 7.7
  • > 7.7: planned for an IAM release after 7.7
  • >= 7.7: planned for IAM 7.7 or later

Check password

| Feature | Version | Description and migration hints |
|---|---|---|
| Check password on database | 7.3 | Check password against database using IAM hash functions. Migration hint: Combine the following plugins in the authentication flow: Password Authentication Step, In-Memory Password Repository. |
| Check password with LDAP server | 7.3 | Check password against an LDAP directory. Migration hint: Combine the following plugins in the authentication flow: Password Authentication Step, LDAP Password Repository. |
| Check password with MSAD | 7.3 | Check password against an MS Active Directory. Migration hint: Combine the following plugins in the authentication flow: Password Authentication Step, Active Directory Password Repository. |
| Username-dependent password check | 7.3 | Username determines how to check the password. Migration hint: Combine the following plugins in the authentication flow: Password Authentication Step, User Based Selection Password Repository. |
| Check policy on login | 7.3 | Check if the password policy is met when checking passwords during login. This may be used to force a password change to meet new policy requirements. Migration hint: Set property Policy To Check On Login in plugin Password Authentication Step in the authentication flow. |
| Check password with RADIUS server (AI-13443) | 7.7 | Check user passwords by calling a 3rd party RADIUS server as done by the RADIUS Authenticator plugin. |
| Password frequency checker | on request only | Heuristic detection of horizontal password guessing attacks (Attack Detector settings in JSP-Loginapp). |
| Check password against configuration (AI-13444) | on request only | Check username and password against a list of users and passwords stored in the configuration. |

Change password

| Feature | Version | Description and migration hints |
|---|---|---|
| Mandatory password change | 7.3 | Force the user to change the password during the login process. Migration hint: Use plugin Mandatory Password Change Step in the authentication flow. |
| Password change without old password | 7.4 | If the password change is performed during the login process, the old password does not need to be entered again (if enabled in configuration). Migration hint: Use the property Old Password Required in Mandatory Password Change Step >> Mandatory Password Change Config (in the authentication flow). |
| Voluntary password change | 7.4 | Password change self-service for authenticated users. Migration hint: Define a password change flow in Loginapp >> Protected Self-Services >> Protected Self-Service Flows and use the plugin Password Change Self Service Step. |
| Password change button on login page (AI-13446) | 7.7 | Show a password change button on the login page, so users can choose to log in and then change the password. |

Password reset self-service

| Feature | Version | Description and migration hints |
|---|---|---|
| Password-reset self-service | 7.3 | Password reset self-service in general. Migration hint: Define a flow in User-Self-Service Settings >> Password Reset Flow. |
| User verification: OTP via email | 7.3 | To verify the user identity, send an OTP via email. The user types in the OTP in the same browser session. Migration hint: In the password reset flow, use the E-Mail Identity Verification Step. |
| User verification: Link via Email (AI-13448) | 7.7 | To verify the user identity, send a link via email. The user clicks on the link. The verification may take place in a new browser session. The link may also originate from the Adminapp issued by the helpdesk. |
| User verification: Secret questions | 7.3 | To verify the user identity, ask for answers to secret questions. Migration hint: In the password reset flow, use the Secret Questions Identity Verification Step. |
| User verification: mTAN/SMS | 7.3 | To verify the user identity, send an OTP via SMS to the user and verify it (in the same browser session). Migration hint: In the password reset flow, use the SMS Identity Verification Step. |
| User verification: based on auth method | 7.3 | Choose one of the above user verification types based on the user's current authentication method. Migration hint: In the password reset flow, use a Selection Step for Password Reset with a condition involving the Active Authentication Method plugin. |
| 2nd-factor check Airlock 2FA | 7.4 | Use Airlock 2FA as a 2nd-factor check in the password reset flow. Migration hint: In the password reset flow, use the Airlock 2FA Factor Step. To select one of multiple 2nd factors, use the Selection Step for Password Reset with a corresponding condition (e.g. Active Authentication Method). |
| 2nd-factor check Cronto | 7.3 | Use Cronto as a 2nd-factor check in the password reset flow. Migration hint: In the password reset flow, use the Cronto Factor Step. To select one of multiple 2nd factors, use the Selection Step for Password Reset with a corresponding condition (e.g. Active Authentication Method). |
| 2nd-factor check mTAN | 7.3 | Use mTAN (SMS) as a 2nd-factor check in the password reset flow. Migration hint: In the password reset flow, use the mTAN Factor Step. To select one of multiple 2nd factors, use the Selection Step for Password Reset with a corresponding condition (e.g. Active Authentication Method). |
| Restriction providers | 7.3 | Restrict the password reset feature to users with certain properties (e.g. locked users). Migration hint: Use the property Restrictions in the Password Reset Flow plugin. |
| Feedback if user does not exist (user enumeration protection) | 7.3 | Configure feedback given to the end-user in the case that the specified user does not exist. This can be used to either enable or disable user enumeration protection. Migration hint: Configure plugin Default Password Reset Restrictions in the property Restrictions in the Password Reset Flow plugin. |
| Username transformation | 7.3 | Transform the user name provided by the end-user. Migration hint: Use property Username Transformers in the Password Reset Flow plugin. |
| CAPTCHAs (AI-13449) | 7.7 | The end-user must solve a CAPTCHA before being able to start the password reset flow. |
| Order password letter | 7.4 | Option to let the user order a new password letter instead of setting a new password. Migration hint: In the password reset flow, use the Password Letter Order Step (Password Reset) plugin. Combine it with a Selection Step for Password Reset to give the end-user a choice. |

Other features

| Feature | Version | Description and migration hints |
|---|---|---|
| Password hash functions | 7.3 | All password hash functions of the JSP-Loginapp are still available and can be configured in the corresponding flow steps. |
| Password policy checks | 7.3 | All password policy checks of the JSP-Loginapp are still available and can be configured in the corresponding flow steps. |
| Show link to password reset self-service | 7.3 | Show link to the password reset self-service on the login page (if the service is enabled). Migration hint: Go to Loginapp >> UI Settings >> Authentication Flow UIs >> UIs. In the affected Authentication & Authorization UI plugin, add a custom step UI of type Password Authentication UI (for the affected authentication step). In the Password Authentication UI plugin, set the Password Reset Flow Link. |
| Show link to self-registration | 7.3 | Show link to the user registration self-service on the login page (if the service is enabled). Migration hint: Go to Loginapp >> UI Settings >> Authentication Flow UIs >> UIs. In the affected Authentication & Authorization UI plugin, add a custom step UI of type Password Authentication UI (for the affected authentication step). In the Password Authentication UI plugin, set the User Self-Registration Link. |
| End-to-end encryption (UI only - AI-13077) | On request only | End-to-end encryption support in the web UI. The Loginapp REST API supports password end-to-end encryption. The feature is thus available for custom web UIs but not yet for the Loginapp REST UI. |

Discontinued features:

See Password-related (discontinued features).