Password letters
End-user passwords must be set or reset on several occasions, for example, when onboarding a new employee, if an end-user's account gets compromised, if the end-user has forgotten their password, or during a self-registration procedure.
The (re-)setting of a password can be achieved in two ways:
- The end-user can reset the password themselves, in public or private self-service flows. In this case, the respective flow must include a Password Reset Step.
- Via a password letter, which provides end-users with password credentials in PDF files. This option requires the Password Letter Order Step plugin.
It is more common to let end-users set their new passwords themselves. The decision to use password letters instead is a trade-off between security requirements and costs. Letters provide a high level of security. However, sending letters is expensive. If a password letter is lost or stolen, help desk support may be required, which is costly, too.
Ordering of password letters
Password letters are ordered either manually by administrators or automatically in user self-service flows.
The ordering of password letters may happen:
- In authentication, public and private self-service flows, such as the password reset flow, the unlock self-service flow, the voluntary password change flow or the self-registration flow.
- In the Adminapp, by an administrator or help desk staff, for example as part of a new employee's onboarding process. The help desk staff or administrator can:
  - Order the password letter by clicking Order password letter in the user's details page. The actual generation of the letter happens with the Password Letter task, which can be scheduled regularly. See further below for more information.
  - Directly print the letter by clicking Direct print in the user's details page. This option is only available if you have configured a Renderer in the Password Generator plugin.
Most configurations include password letter ordering in the Adminapp. Ordering and generating password letters during flows, however, requires a Password Letter Order Step to be configured. See below for more information.
Password Letter task
Ordering a letter in flows takes place in the background, without user interaction, via the Password Letter Order Step. The actual letter generation happens with the Password Letter task. This task can be scheduled regularly.
In the following cases, you do not need the Password Letter task to produce a password letter:
- If you have configured a Renderer in the Password Generator plugin. This will display the Direct print button in the Adminapp, allowing an administrator or help desk staff to directly print the letter for the user when generating the new password.
- If a customer retrieves the letter orders via REST API and renders the letters themselves.
The generated password letter is stored locally as a PDF file. It is up to the customer how to deliver the letter to the end-user, e.g., via postal services or email. The end-user can reset their password after receiving the letter, the next time they log in to the application. Note that the password in the letter can be used only once. The end-user must immediately set another password.
Configuring the ordering of a password letter in flows
This section explains at a high level how to configure password letter ordering in authentication, public or protected self-service flows.
Steps to perform
- Add the Password Letter Order Step plugin to the relevant step in the relevant flow. For an example, see Complex password reset flow example.
- Set the Password Letter Order Interval Condition as Skip Condition in the Password Letter Order Step. This prevents end-users from ordering multiple letters within short periods of time.
- If required, define a schedule that regularly triggers the Password Letter task. For this:
  - Go to: Service Container >> Services >> Task Scheduler Config >> Service
  - In the Tasks section, select the predefined Task Schedule - Schedule for Password Letters plugin and set a suitable execution interval in the Interval field (the default setting is never).
- The password letters are based on report templates in Word format. For information on letter templates, see Report templates based on Word documents.
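The order, generate and first-login sequence described on this page, as an added Python model that is not the product's code: `LetterService`, its method names, the 7-day interval and the PBKDF2 storage are all assumptions made for illustration. It shows an interval check gating the order, a batch task producing the letter passwords, and a letter password that only works together with an immediate change.

```python
import hashlib, hmac, secrets
from datetime import timedelta

MIN_ORDER_INTERVAL = timedelta(days=7)  # assumed value, not a product default

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class LetterService:
    """Hypothetical model: order step -> scheduled task -> one-time login."""
    def __init__(self):
        self.pending = []      # users with an open letter order
        self.last_order = {}   # user -> time of the last accepted order
        self.creds = {}        # user -> (salt, hash, must_change)

    def order(self, user, now):
        """Order step guarded by an interval skip condition; True if queued."""
        last = self.last_order.get(user)
        if last is not None and now - last < MIN_ORDER_INTERVAL:
            return False       # skipped: a letter was ordered recently
        self.last_order[user] = now
        self.pending.append(user)
        return True

    def run_task(self):
        """Scheduled task: one random password per open order, hash kept only."""
        letters = {}
        for user in self.pending:
            letters[user] = secrets.token_urlsafe(12)  # goes to the renderer
            self._store(user, letters[user], must_change=True)
        self.pending.clear()
        return letters

    def _store(self, user, pw, must_change):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash(pw, salt), must_change)

    def login(self, user, pw, new_pw=None):
        """A letter password is accepted only together with a new password."""
        if user not in self.creds:
            return "denied"
        salt, digest, must_change = self.creds[user]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            return "denied"
        if must_change:
            if not new_pw or new_pw == pw:
                return "change_required"
            self._store(user, new_pw, must_change=False)  # letter password retired
        return "ok"
```

In this model the cleartext exists only in the value returned by `run_task()`, so whatever renders and delivers the letter is the only place it needs protecting.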