FIM lets users reset their passwords only after authenticating them against answers to commonly asked security questions that they registered with.
One major complaint about FIM 2010's QA Gate implementation is that it does not allow ITPro to specify some sort of validation or policies on the answers. It's possible that users might enter "abc" for all questions and some believe that is a security concern. (In fact, I used to use 1 for my answers during testing because the keyboard sequence "1<tab>1<tab>1<tab>" is the easiest on the keyboard.)
QA Gate Enhancement
We heard your feedback loud and clear. Thus we are making a few changes to FIM 2010 R2, namely:
- Disallow duplicated answers
- Apply a custom regular expression on the answers for validation for all answers per gate
Below is a screenshot of the QA Gate Configuration from the workflow designer (aka BPM Designer)
How Does It Work?
Some of you might ask, "Wait, isn't the answer hashed in the client? How is this possible?" First, Congratulations and well done on knowing password reset in depth. 🙂
To achieve this validation on the server side, now the answers are sent to the server in un-hashed over a WCF channel protected with message-level encryption (Nothing is changed in the channel itself. We are just changing the payload at the application layer)
This check is only enforced during registration phase and the answers are still stored hashed in the database.
To make sure the policies are enforced by default, registration from FIM 2010 clients are disallowed. There is an option at the bottom of the configuration to let you run FIM in hybrid mode during the transitional upgrade period. In that case, FIM 2010 clients will be able to register and bypass the policies, while registrations originating from FIM 2010 R2 clients will have the policies enforced.