1) Revise layout, text, conditions, and logic on existing Account Verification page to improve password recovery process:
- Revise the page layout and update the prompt text as follows:
- Keep the onscreen text, "We found an existing account based on the information you entered. "
- ADD a line of additional text immediately below it to read: "Please select one of the following options:"
- REMOVE the Security Questions text input fields from the screen and REPLACE WITH the two radio button response options, shown in blue below:
We found an existing account based on the information you entered.
Please select one of the following options:
(radio button) Send me an email link to reset my password.
(radio button) Access my account by answering security questions.
- ADD a "Help" link and "Continue" button below the text and radio buttons options box on the lower right (see screen shot).
- Place the existing "Help" link left of the "Continue" button.
- Place "Continue" button below text/options area with logic to initiate whatever process the user selects (email or security questions).
- Keep all existing CSS styles and Account Verification page attributes, such as the page title (Account Verification), Sign-In button (left side bar), the "Cambiar A Espanol" button, header, and footer, in their current positions.
- Add new Conditions to initiate actions triggered by user response to radio button options:
- If user selects Option #1: "Send me an email link to reset my password", then:
- Send "Password Reset Email" message to the user's <email> account with a secure, time-sensitive, random URL.
- Display "Password Reset Email Sent" page with "OK" button to sign out.
- If user selects Option #2: "Access my account by answering security questions." then:
- Roll up text and radio button options below text "We found an existing account based on the information you entered."
- Display Security Questions input fields and "Continue" button to initiate existing field error validations.
Breakdown of New Account Verification Page Conditions

| Condition | Trigger | Action |
|---|---|---|
| IF user selects Option 1: "Send me an email link to reset my password" | Clicking on radio button #1 and clicking "Continue" | Send "Password Reset Email" message with unique URL to Reset Password page to user's <email> address in Account; display "Password Reset Email Sent" confirmation page. |
| User clicks on "OK" button on "Password Reset Email Sent" confirmation page | Clicking "OK" on confirmation page | Sign user out of active session. |
| IF user selects Option 2: "Access my account by answering security questions." | Clicking on radio button #2 and clicking "Continue" | Roll up text and radio buttons below "We found an existing account based on the information you entered." and display Security Questions response input fields. |
| User clicks on "Continue" after entering responses to Security Questions | Incorrect answers | Maintain all existing logic and validation for incorrect responses to security questions. |
| User clicks on "Continue" after entering responses to Security Questions | Correct answers | Maintain existing logic and recovery workflow process currently in place after correct responses are entered for security questions (i.e., display "Reset Password" page). |
2) Show Security Questions input fields and change layout, text, and button position on the Account Verification page when user selects Option #2:
- If user selects Option #2: "Access my account by answering security questions.", remove text and radio button options (see section identified in Screenshot B below) and display security questions, additional text, buttons and links.
- Change text on button from "Continue" to "Access Account"
- Ensure "Access Account" button and "Help" link are located under the main body of the text and options box in the lower right.
- Maintain "Cambiar A Espanol" in its current position: upper right, above the main body of the text and response options.
3) Requirements for Option #1: Send "Password Reset Email" message with unique URL link and display "Password Reset Email Sent" confirmation page.
If user selects Option 1: "Send me an email link to reset my password" from the Account Verification page, THEN, initiate the following requirements:
- Send "Password Reset Email" message with unique URL link* to user's <email> address stored in OpenCCC Account.
Use the following text in the body of the email
You recently requested to reset your OpenCCC Account password. Click the link below to reset it.
< randomly generated, unique, time-sensitive, authentication URL link to password reset >
For security reasons, this password reset link will expire in 24 hours.
If you did not request a password reset, please ignore this email or contact the CCC Helpdesk to let us know.
For assistance, contact the CCC Helpdesk
Email Subject line: Your Password Reset Request
- Generate unique "password reset URL link" and merge into "Password Reset Email" message with the following attributes: (Notes from Jeff Holden 6/14/16:)
- Generate a random, unique string at the end of the URL that authenticates the user (a one-time-use pass tied to the person the email was sent to).
- The URL itself would have to be a random string, with built-in logic to cut off the process (block the IP address) and disallow more than 15 attempts if someone is trying to brute-force the system. (Per Jeff, brute forcing would take 100,000 attempts, so 10-15 attempts within 60 seconds is allowable; store attempt records no longer than a minute and then discard them.) Add an attempt row or table in the database to track who is attempting brute force (we don't want to store this forever).
- Developer would have to create a database table to capture the URL sent, the time it was sent, and the CCCID it was sent to, so that the app knows the URL link is authentic and was sent to that person, within the time limit, against their CCCID.
- URL link will time out 24 hours after the email message is sent to the user's <email> address.
- Add logic to expire the URL after 24 hours (the user will have to retrieve the link, click and follow it, and choose a new password before the link expires, 24 hours after the URL is generated and the email is sent).
NOTE to Developers: It's very important that the User is redirected back into the same workflow they started from. Patty will work with Parker and Josh to describe the goals and objectives for this feature to get assistance articulating all requirements for the URL attributes. Similar to the proxy process, we want the user to have a user-friendly, effective, account recovery experience from start to finish. After the email link is clicked on from the user's email account, they should be taken right into the Reset Password page and after new password is created and user logs in - they should be signing in to the application they originally intended to get to when they started account recovery.
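The following Python sketch is an added example, not code from the OpenCCC project or from this specification. It shows how the pieces above fit together on the server side: a random one-time token appended to the reset URL, a record of the link (time sent, CCCID, and the application the user came from) standing in for the database table, a 24-hour expiry that drives the "Password Reset Link Expired" page in section 5, and a per-IP attempt log that refuses more than 15 redemption attempts per 60 seconds and discards records older than a minute. The reset-page hostname, the CCCID value and the BOG URL are constructed placeholders; storing a hash of the token rather than the token itself is a hardening choice of this example, not a stated requirement.

```python
"""Added example (not OpenCCC project code): issuing and redeeming the
one-time, 24-hour password reset link with a per-IP attempt limit."""
import hashlib
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 24 * 60 * 60   # link expires 24 hours after it is generated
MAX_ATTEMPTS_PER_WINDOW = 15       # more than 15 attempts per IP are refused
ATTEMPT_WINDOW_SECONDS = 60        # attempt records are kept no longer than a minute

# Assumed placeholder for the real Reset Password page URL.
RESET_PAGE = "https://reset.example.invalid/reset-password"


class ManualClock:
    """Settable clock so expiry and the 60-second window can be exercised offline."""

    def __init__(self, now=1_500_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


class PasswordResetTokens:
    """In-memory stand-in for the table the requirements call for (link sent,
    time sent, CCCID) plus the short-lived attempt log used to cut off brute force."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}                    # sha256(token) -> record
        self._attempts = defaultdict(deque)  # client IP -> attempt timestamps

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable links
        # (a hardening choice of this example, not stated in the requirements).
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, cccid, return_url):
        """Build the unique link for the Password Reset Email and record it."""
        token = secrets.token_urlsafe(32)    # 256 random bits; infeasible to guess
        self._tokens[self._digest(token)] = {
            "cccid": cccid,
            "issued_at": self._clock(),
            "return_url": return_url,        # application the user started from
            "used": False,
        }
        return RESET_PAGE + "?" + urlencode({"token": token})

    def _rate_limited(self, client_ip):
        now = self._clock()
        window = self._attempts[client_ip]
        while window and now - window[0] > ATTEMPT_WINDOW_SECONDS:
            window.popleft()                 # discard records older than a minute
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            return True                      # 16th attempt inside the window: cut off
        window.append(now)
        return False

    def redeem(self, link, client_ip):
        """Validate a clicked link. Returns (status, record) where status is one of
        'ok', 'invalid', 'expired', 'rate_limited'."""
        if self._rate_limited(client_ip):
            return "rate_limited", None
        token = parse_qs(urlparse(link).query).get("token", [""])[0]
        record = self._tokens.get(self._digest(token))
        if record is None or record["used"]:
            return "invalid", None           # unknown or already consumed link
        if self._clock() - record["issued_at"] > TOKEN_TTL_SECONDS:
            return "expired", None           # drives the "Password Reset Link Expired" page
        record["used"] = True                # one-time use
        return "ok", record


if __name__ == "__main__":
    clock = ManualClock()
    store = PasswordResetTokens(clock=clock)
    # Constructed sample values, not real identifiers.
    link = store.issue("CCCID-EXAMPLE", "https://bog.example.invalid/apply")
    print(store.redeem(link, "198.51.100.7")[0])   # ok
    print(store.redeem(link, "198.51.100.7")[0])   # invalid (already used)
    second = store.issue("CCCID-EXAMPLE", "https://bog.example.invalid/apply")
    clock.now += TOKEN_TTL_SECONDS + 1
    print(store.redeem(second, "198.51.100.7")[0])  # expired
```

On a successful redemption the caller shows the Reset Password page and, once the new password is set, sends the user to `record["return_url"]` so they land back in the application they started from. This example keeps the return URL and CCCID server-side against the token; if they are carried in the email link itself, as the note in section 4 describes, the handler should check them against the stored record rather than trusting the link's own query parameters.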
4) Display "Password Reset Email Sent" confirmation page with the following onscreen text and button links:
- Create and display new page, "Password Reset Email Sent" with the following text and buttons.
- Page header should be: "Password Reset Email Sent"
- The following text should appear in the text box:
A password reset email was sent to <email>
Follow the directions in your email to reset your password.
If you don't find your email, please check your Spam folder.
- Add an "OK" button in the lower right below the text box.
- Add the "Help" link on the left, just adjacent to the "OK" button
- Ensure the Cambiar A Espanol button does not appear on the page.
- Link the "Help" link to the existing Help page that currently appears on the Account Recovery, Account Verification, and other pages.
- Enable the "OK" button to sign the user out of active session and display secure sign out page.
NOTE: Very important that the user is returned to the application they were originally trying to get to before account recovery (i.e., if the user started the process from a BOG application URL, hit Shib and couldn't remember their password, and initiated account recovery/password reset using the email URL link, then after the new password is created and confirmed the user is returned to the Shib Sign In page and upon successful sign-in will land on the BOG My Applications page). The URL attribute for the BOG application will be included in the email URL, including their CCCID.
5) Add UI page for when the reset link expires (after 24 hours).
1) Page would appear if the user clicks the URL after 24 hours
Password Reset Link Expired. (Bigger Font Size)
Your OpenCCC password reset link has expired.
Click "Continue" to return to the Account Verification page to request a new email link.