Security Options: Password Reset Feature

Users can reset their passwords without having to rely on their administrators to do it for them. The password reset process sends an email to the user with a link and an encrypted token embedded in the text of the email for the user to follow. The process uses the email address stored in the User Info for each user.

Firm Configuration

The password reset capability is Firm-selectable, so the Firm administrator must turn it on in Firm Configuration before users can take advantage of it. Users who try to use it when the option is not turned on for their firm are notified that it is not available to them. The Firm Configuration option exists under the General Options tab as follows:

Password Reset Process

The password reset feature is accessible via the Forgot Password? link on the login page.

After the user clicks the Forgot Password? link, a prompt appears for the user’s Login ID, Firm, and Location.

The user must enter all requested information and then press the Get Password button. The user will then see a dialog containing the current email address stored in the system for the user and asking the user to confirm the email address.

Users who do not have an email address stored in the system will receive a dialog stating this and suggesting they contact their administrator.

Once the user has confirmed the email address and clicked Continue, that user will see a dialog stating that an email has been sent:

For security reasons, the password reset process must be completed within two hours, as seen above. A temporary token is associated with the request, and it expires after two hours. If the two hours pass without the temporary token being used, the password reset process must be restarted.

The user will receive an email with instructions similar to the following:

Clicking the link within the email brings the user to a page to enter the Login ID, Firm, and Location:

If the link does not work, as the email states, the user can copy and paste the URL into the browser. This will take the user to a slightly different page with an additional field to enter the temporary token:

After selecting Continue, the user can then enter a new password:

A final dialog will display as confirmation that the password reset was completed:

A confirmation email is also sent to the user after the process is complete:

Multiple Use Token

The password reset link/temporary token can only be used one time. A user who tries to use it a second time will get the following error message:

History Records

History records are written for the user when the password reset has been requested and also when the password reset process is complete.

Special Situations

Locked Out: If a user is locked out after having entered the wrong password too many times, the user is allowed to use the password reset feature. Once the password reset process is complete, the user will no longer be locked out.

Disabled: If a user is disabled, meaning an administrator has disabled the Login ID within Access Control, that user will not be able to use the password reset feature as long as the Login ID is disabled.
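
The server-side rules described on this page (two-hour expiry, single use, history records on request and completion, lockout cleared on completion, disabled Login IDs refused), as an added example that is not the product's own code. The class, field, and status names are hypothetical, Firm and Location are omitted, and a random token stored as a SHA-256 digest stands in for the product's encrypted token.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 2 * 60 * 60  # the page's two-hour limit, in seconds

def _digest(token):
    # Only the digest is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetService:  # hypothetical name, for illustration only
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # login_id -> email, disabled, locked, salt, password_hash
        self.tokens = {}   # token digest -> login_id, expires, used
        self.history = []  # (timestamp, login_id, event)

    def request_reset(self, login_id):
        user = self.users.get(login_id)
        # Disabled Login IDs and users without a stored email cannot start a reset.
        if user is None or user["disabled"] or not user["email"]:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = {"login_id": login_id, "used": False,
                                       "expires": self.clock() + TOKEN_TTL}
        self.history.append((self.clock(), login_id, "reset requested"))
        return token  # a real system emails this to user["email"]

    def complete_reset(self, login_id, token, new_password):
        rec = self.tokens.get(_digest(token))
        if rec is None or rec["login_id"] != login_id:
            return "invalid"
        if rec["used"]:
            return "already used"
        if self.clock() > rec["expires"]:
            return "expired"
        user = self.users[login_id]
        if user["disabled"]:
            return "disabled"
        rec["used"] = True  # burn the token before changing any state
        user["salt"] = secrets.token_bytes(16)
        user["password_hash"] = hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), user["salt"], 600_000)
        user["locked"] = False  # completing a reset clears the lockout
        self.history.append((self.clock(), login_id, "reset completed"))
        return "ok"
```

Passing a fake `clock` callable lets the expiry path be exercised in tests without waiting two hours.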

 

 

 


Last Modified: 03/19/2020

Last System Build: 09/25/2022

©2021-2022 Thomson Reuters/Tax & Accounting.