Free Trial and Password-2FUsername Recovery Flows (3).pdf (33.3 KB)

Looks good to me Stefanie .

Also, an additional element came up to today that we'll need to deal with. For some of our larger institutional subscribers, particularly academic accounts, we setup a universal account that is accessible by all users within that organization when they are unable to access the network and login through IP access. We change the passwords on these accounts every 6 months. Currently, this is done manually by Marysia and the updated password is sent to the subscriber by email. However, we would like to replace this with an automated system, similar to what you've suggested above. Do you have any suggestions on how we deal with this problem?

Thanks,

Morgan

Let me think about this and consult with Ryan and Mel too and we'll propose a solid solution for this. 

Great. Thanks Stef.

Morgan

Hi Morgan , When Marysia send them a new username and password, I she just sending it to a group manager who is then responsible for sending it to all of the ISLG users in their org? 

Hi Stefanie ,

Yes, Marysia sends it to an administrator, and then they're responsible for distributing the credentials internally.

Thanks,

Morgan

Morgan

Here's the easiest and most secure solution: The admin (ISLG) if the group manager should receieve automatic password reset warnings. If they do, they'll receive an email to reset their password and they'll have 7 days to do so before their current password expires (let me know if this timeframe works for you).

Attached is the workflow that illustrates this.

I've also attached the potential email the group manager could receive.

Here's a a way that we could fit this functionality into the current admin side: https://invis.io/M9G7YYF7DFZ#/283634065_No (if you don't require more than one frequency, we will simply notify the admin)

Email- Automatic Password Reset .pdf 39.4 KB • Download

Free Trial and Password-2FUsername Recovery Flows (2).pdf 31 KB • Download

Let me know what you think.

Hi Stefanie ,

What you've outlined above sounds appropriate. The only questions is what exactly happens when 7 day lapses and the password expires? Would this deactivate the entire account, or just make the old password invalid. I am concerned about the former, because these accounts are typically the accounts where we also provide IP access, and I wouldn't want to disable IP access when an administrator neglects to update the password. 

Thanks,

Morgan 

Hi Morgan I was thinking that just the old password would expire and the rest of the account would remain in tact. That said, if you're not so concerned about users not changing their password (perhaps you could follow up with these cases manually), we don't have to expire their password. 

Ok. Sounds good Stefanie . Just having the password expire without affecting the rest of the account makes sense. Let's proceed on that basis. 

Note that we'll need to figure out how we configure this within the existing subscriber management systems given that passwords don't currently expire, and the only way to prevent access is through manually deactivating the entire account.

Thanks,

Morgan

Thanks - I'll factor that into the specs for Anil. 

Morgan I've incorporated the Group manager invitation flow into our document with some corresponding 'wireframes' to show where in the existing application this will appear and also the corresponding email. I've factored in a case where the group manager can resend the invitation to t a user who doesn't respond.  

Prototype: https://invis.io/Q6G8Q6DCWA2#/283887116_ISLG_Home

FreeTrial_PasswordReset_UsernameRecovery_InviteUser Flows_Mar8.pdf 33.3 KB • Download

Hi Stefanie ,

The above looks good. I added a comment in one of the wireframes for a typo in the copy for the email.

Thanks,

Morgan 

Thanks - fixed!