Accounts' security - disable security question?

09-22-2022 06:45 PM
Dmitry_Shatilov
New Contributor II

Hi everyone,

I have just installed Portal for ArcGIS 10.9.1. I have created a test user and when I tried to log in with this account, portal didn't ask me to change the password (like it normally does in ArcGIS Online). Instead, it prompted me to set up a security question... Is there a way to configure portal to act like ArcGIS Online - if a user logs in for the first time, the system will force him/her to change the password? Also, if I try to recover the password via email, the portal asks me to answer the security question. Is there a way to disable security questions?

What I am trying to achieve is a self-managed accounts system, where I will only be (via some scripts) setting up user accounts. Then, if they forget the password, they can recover it by themselves. If I have security questions enabled, it kind of defeats the purpose as most of the users won't remember both the password and the answer to the questions and end up contacting me, which means that I will have to manually set up a new password.

I hope that makes sense.

Thanks a lot in advance!

Dmitry

4 Replies
RyanUthoff
Occasional Contributor III

To my knowledge, that is not going to be possible. I also just installed 10.9.1. You can configure email with Portal, where if a user forgets their password, they can reset it. They will receive an auto email from your Portal to reset it. However, they MUST answer their security question.

I'm going to argue that having security questions does not defeat the purpose of anything. Security questions are designed to be remembered easily. If a user cannot remember their own security question (for example, the city they were born in), then I think you might have some bigger problems with your users.

And to my knowledge, there is not a way to ask the user to change their password upon logging in for the first time like AGOL. What you might be able to do is set their password upon creating their account, then immediately reset their password and send that to them. Then, it should ask them to set a new password (that's how it works with 10.6.1, haven't confirmed with 10.9.1).

AndreaB_
Occasional Contributor

How weird that Portal doesn't ask the user to change their password!! When I'm setting up a new built-in portal member it even says "You must inform the member of their username and password. The temporary password must meet the minimum strength requirements." Nothing temporary about it!

version 11.1

ABeavers
New Contributor

We have a similar issue. We manage user entry to our system via a login screen. That login hits Portal for authentication. However, unlike logging into Portal for the first time, when our users log into our system, they are not prompted to create security questions. As a result, if they forget their password they can't retrieve it as Portal wants to prompt them for answers to their security questions, but those were never set. So there's no way for a user to reset a lost password. This seems to be a significant flaw in the architecture of Portal as it precludes the use of a login screen for our (and I presume many other systems') users.

We discussed this with ESRI and their response was to have users log directly into Portal the first time they log in. Portal does prompt them to create security questions and after that they should (in theory) be fine. We're trying that, but it's a workaround, not a solution, and it's pretty ugly. It doesn't make us, or ESRI, look good to our users.

I suggest ESRI consider functionality that allows the same functionality for custom login pages that are hitting Portal for credential authorization as is provided for those directly logging into Portal (i.e. it prompts users to set up security questions upon their first login).

Dmitry_Shatilov
New Contributor II

I feel your pain, mate. We are considering using Okta to avoid that drama with security questions and whatnot...
