2015-26: New OpenCCC Account Recovery Option: Password Reset by Email Link
Problem Statement or Business Need
The OpenCCC Helpdesk reports an increase in account recovery calls (/wiki/spaces/OPENAPPLY/pages/120619069), primarily Username & Password reset issues. In 2015, the percentage of incoming account recovery calls rose to 6.13%, up from 4.3% in 2014.
The current Account Recovery process requires users to answer security questions to recover their *Password* in order to retrieve their login credentials and sign in to their OpenCCC account. Often (X%) the process fails because the student cannot remember their security questions, resulting in calls to the Helpdesk for assistance. At that point, the Helpdesk either helps them regain entry by way of their security questions or asks them to create a new account. Our system-wide project goal is to minimize duplicate accounts across the system.
Objectives
- Enhance our existing Account Recovery process with as few changes to existing pages and code as possible, to allow Users an alternate way to access their account when they forget their passwords (besides answering security questions).
- Development will use existing pages and processes wherever possible.
- No changes will be made to the Username recovery process.
- Ensure that the user experience is user-friendly, cohesive and complete, from where the user starts the process (Apply, BOG, iA or CAI, or Portal) through the full account recovery process, landing on their original destination.
Proposed Solution
Implement new functionality in the account recovery process allowing the user to "Reset Password" by way of a secure Email Link sent directly to the User's <email>. The existing Account Verification page will be revised to include two options (radio buttons) to initiate recovery:
- Send Secure Email Link: send an email to User containing a secure, time-sensitive URL link and simple, minimal text instructions. When the User clicks on the link in the email she is taken directly to the Reset Password page to create a new password. Once the User has new password, she clicks "Continue" to complete the rest of the existing Account Recovery process. (The email link process will land the user on the Reset Password page (in the existing account recovery workflow). No changes are made to the remaining account recovery workflow.)
- Answer Security Questions: display two Security Question text input fields on the revised Account Verification page (conditional display). When both security questions are answered correctly, User is taken to the Reset Password page to create a new password and complete the rest of the existing Account Recovery process.
Redesign the Account Recovery / Reset Password functionality in two phases:
Phase I: Redesign the Account Recovery page to include two options: 1) request an email with a link to recover the password; and 2) maintain our existing security questions option (using the same sequence we use currently).
Phase II: Add an additional option to send the user an SMS text message with a temporary password, which would be reset once they enter the Password Reset page.
User Stories
Phase I: As a student user, I want an alternative option to reset my Account password in addition to the existing security questions option. I want to be able to request an email with a link in it to recover my password.
- The email should be simple and clean, with minimal words.
- The email should have a link in it that takes me to the existing Password Reset page.
- Add the email link option to the existing Account Recovery page.
- As an OpenCCC Account user, I want a 100% self-service, online account recovery process available, 24/7.
- As an OpenCCC Account user, if I forget my Password during the Sign-In process, I want more options available to reset my Password so I can access my account.
- As an OpenCCC Account user, I want to be able to recover my forgotten username or password without calling the CCC Helpdesk for assistance.
- As an OpenCCC Account user, I want multiple ways to reset my password and access my account besides answering security questions.
- As an OpenCCC Account user, I want a secure Reset Password link sent to me in an email when I forget my password during Sign-In.
- As an OpenCCC Account user, I want to ensure that I am taken back to the application, URL, or portlet that I started the recovery process from after I recover my account.
Requirements Summary
# | Title |
---|---|
1 | Revise text and layout of the Account Verification Page to display two radio button response options for password reset: 1) send an email with a secure, unique link to the Reset Password page; and 2) show security questions to get to the Reset Password page. Page includes "Cambiar A Espanol" button, Spanish hover help for both options, a "Help" link to the existing Help page and a "Continue" button to initiate the process based on the option selected. |
2 | Add logic for: IF user selects "Option 2: Access account by answering security questions" on Account Verification page, THEN: |
2A | Ensure all existing account verification and account recovery logic, conditions, and validation remain in place for answering security questions (number of attempts and validation). |
3A | Add logic for: IF user selects "Option #1: Send me an email link to reset password" on Account Verification page, THEN: |
3B | Develop a secure, unique, randomly-generated, time-sensitive URL link that will allow the User to link directly into the "Password Reset" page from their email account. The URL will expire 24 hours after the user initiates the process by selecting Option 1 and clicking "Continue" on the Account Verification page. |
3C | Implement a system to log all IP addresses from attempts to reset a password in a temp table with a timestamp to track the IP. If there are 15 requests in the course of a minute, then add the IP to a banned IP field in the database that is checked on each request. We will need clean-up processes to delete these temp fields after an hour or so, so that we don't permanently ban an IP address that may be assigned to another person. |
3D | Create and display "Password Reset Email Sent" confirmation page with "OK" button and "Help" link. |
4 | Create and display "Password Reset Email Link Expired" page if the user attempts to access the link after 24 hours, with explanatory text and a "Continue" button to return the user to the Account Verification page to start the process over. |
5 | Add Spanish hover help text for radio button options on the revised Account Verification page. |
6 | Update specs: OpenCCC Account Data Dictionary - (TBD) |
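Requirement 3C describes a per-IP throttle: 15 reset requests within a minute trip a temporary ban, and the temp rows are purged after about an hour so no IP stays banned. The Python below is an added illustration of that logic, not OpenCCC code; it keeps the temp table and banned-IP list in memory and takes an injectable clock, both assumptions made for demonstration.

```python
import time
from collections import defaultdict, deque

# Thresholds from requirement 3C: 15 requests per IP within one minute trips a
# temporary ban; the ban and the request log are purged after roughly an hour.
MAX_REQUESTS = 15
WINDOW_SECONDS = 60
BAN_SECONDS = 3600


class ResetRequestThrottle:
    """In-memory stand-in for the temp table and banned-IP field (assumed design)."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for tests
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent requests
        self._banned_until = {}              # ip -> time the temporary ban lapses

    def allow(self, ip):
        """Record one password-reset request from ip; return True if it may proceed."""
        now = self._clock()
        self.cleanup(now)
        if ip in self._banned_until:         # banned list is checked on every request
            return False
        window = self._attempts[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:  # slide the 60 s window
            window.popleft()
        if len(window) >= MAX_REQUESTS:      # 15th request inside the window: ban
            self._banned_until[ip] = now + BAN_SECONDS
            del self._attempts[ip]
            return False
        return True

    def is_banned(self, ip):
        until = self._banned_until.get(ip)
        return until is not None and until > self._clock()

    def cleanup(self, now=None):
        """Drop lapsed bans and stale attempt rows so an IP is never banned permanently."""
        now = self._clock() if now is None else now
        for ip in [ip for ip, until in self._banned_until.items() if until <= now]:
            del self._banned_until[ip]
        for ip in list(self._attempts):
            while self._attempts[ip] and now - self._attempts[ip][0] > WINDOW_SECONDS:
                self._attempts[ip].popleft()
            if not self._attempts[ip]:
                del self._attempts[ip]
```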
Change Specifications
1) Revise layout, text, conditions, and logic on existing Account Verification page to improve password recovery process:
- Revise the page layout and update the prompt text as follows:
- Keep the onscreen text, "We found an existing account based on the information you entered. "
- ADD a line of additional text immediately below it to read: "Please select one of the following options:"
- REMOVE the Security Questions text input fields from the screen and REPLACE WITH the two radio button response options, shown in blue below:
We found an existing account based on the information you entered.
Please select one of the following options:
(radio button) Send me an email link to reset my password.
(radio button) Access my account by answering security questions.
- ADD a "Help" link and "Continue" button below the text and radio buttons options box on the lower right (see screen shot).
- Place the existing "Help" link left of the "Continue" button.
- Place "Continue" button below text/options area with logic to initiate whatever process the user selects (email or security questions).
- Keep all existing CSS styles and Account Verification page attributes, such as the page title (Account Verification), Sign-In button (left side bar), the "Cambiar A Espanol" button, header, and footer, in their current positions;
- Add new Conditions to initiate actions triggered by user response to radio button options:
- If user selects Option #1: "Send me an email link to reset my password", then:
- Send "Password Reset Email" message to user <email> account with secure, time-sensitive, random URL
- Display "Password Reset Email Sent" page with "OK" button to sign out.
- If user selects Option #2: "Access my account by answering security questions." then:
- Roll up text and radio button options below text "We found an existing account based on the information you entered."
- Display Security Questions input fields and "Continue" button to initiate existing field error validations.
Breakdown of New Account Verification Page Conditions
Condition | Trigger | Action |
---|---|---|
IF user selects Option 1: "Send me an email link to reset my password" | Clicking on radio button #1 and clicking "Continue" | Send "Password Reset Email" with secure, time-sensitive URL to user's <email>; display "Password Reset Email Sent" page |
User clicks on "OK" button on "Password Reset Email Sent" confirmation page | Clicking "OK" on confirmation page | Sign the user out of the active session and display the secure sign out page |
IF user selects Option 2: "Access my account by answering security questions." | Clicking on radio button #2 and clicking "Continue" | Roll up the radio button options; display Security Questions input fields and the "Access Account" button |
User clicks on "Continue" after entering responses to Security Questions | Incorrect answers | Existing field error validation and number-of-attempts logic apply (see 2A) |
User clicks on "Continue" after entering responses to Security Questions | Correct answers | User is taken to the Reset Password page to create a new password and complete the existing Account Recovery process |
2) Show Security Questions input fields and change layout, text, and button position on the Account Verification page when user selects Option #2:
- If user selects Option #2: "Access my account by answering security questions.", remove text and radio button options (see section identified in Screenshot B below) and display security questions, additional text, buttons and links.
- Change text on button from "Continue" to "Access Account"
- Ensure "Access Account" button and "Help" link are located under the main body of the text and options box in the lower right.
- Maintain "Cambiar A Espanol" in its current position, upper right above the main body of the text and response options.
3) Requirements for Option #1: Send "Password Reset Email" message with unique URL link and display "Password Reset Email Sent" confirmation page.
If user selects Option 1: "Send me an email link to reset my password" from the Account Verification page, THEN, initiate the following requirements:
- Send "Password Reset Email" message with unique URL link* to user's <email> address stored in OpenCCC Account.
Use the following text in the body of the email:
Hello <firstname>
You recently requested to reset your OpenCCC Account password. Click the link below to reset it.
< randomly generated, unique, time-sensitive, authentication URL link to password reset >
For security reasons, this password reset link will expire in 24 hours.
If you did not request a password reset, please ignore this email or contact the CCC Helpdesk to let us know.
For assistance, contact the CCC Helpdesk
Call: 877-247-4836
Email: support@openccc.net
Email Subject line: Your Password Reset Request
- Generate a unique "password reset URL link" and merge it into the "Password Reset Email" message with the following attributes (Notes from Jeff Holden 6/14/16):
- Generate a random, unique string at the end of the URL, something that authenticates the user (a one-time-use pass given only to the person who receives the email).
- The URL itself would have to be a random string, with built-in logic to cut off the process (block the IP address) and disallow more than 15 attempts if someone is trying to brute force the system. (Per Jeff, brute forcing would take 100,000 attempts, so 10-15 attempts within 60 seconds, stored no longer than a minute and then discarded, is allowable.) An attempt row or table tracks who is attempting brute force (we don't want to store this forever).
- The developer would have to create a database table to capture the URL sent, the time it was sent and the CCCID it was sent to, so that the app knows the URL link is authentic and was sent to that person, within the time limit, against their CCCID.
- The URL link will time out 24 hours after the email message is sent to the user's <email> address.
- Add logic to expire the URL after 24 hours. The User will have to retrieve the email, click and follow the link, and choose a new password before the link expires (24 hours after the URL is generated and the email is sent).
NOTE to Developers: It's very important that the User is redirected back into the same workflow they started from. Patty will work with Parker and Josh to describe the goals and objectives for this feature to get assistance articulating all requirements for the URL attributes. Similar to the proxy process, we want the user to have a user-friendly, effective, account recovery experience from start to finish. After the email link is clicked on from the user's email account, they should be taken right into the Reset Password page and after new password is created and user logs in - they should be signing in to the application they originally intended to get to when they started account recovery.
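The URL attributes in 3B and in the notes above call for a random, unique, single-use link tied to a CCCID, expiring 24 hours after it is sent, and the NOTE asks that the user's original destination travel with it. The Python below is an added example of that token lifecycle, not the project's implementation; the base URL, the in-memory table, the constructed sample values and storing only a SHA-256 hash of the token (a hardening the page does not specify) are all assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 24 * 60 * 60  # link expires 24 hours after the email is sent (3B)


class PasswordResetTokens:
    """Stand-in for the 3B table: token, time sent, CCCID and return destination.
    Assumption not on the page: only a hash of the token is stored, so reading the
    table does not yield a working reset link."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for tests
        self._rows = {}      # token_hash -> {"cccid", "issued_at", "return_to"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, cccid, return_to, base_url="https://example.invalid/reset"):
        """Create a one-time reset link for cccid; returns the URL merged into the email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._rows[self._digest(token)] = {
            "cccid": cccid, "issued_at": self._clock(), "return_to": return_to}
        return f"{base_url}?token={token}"

    def redeem(self, token):
        """Validate a token from a clicked link: ("ok", row), ("expired", None) or
        ("invalid", None). A matching token is consumed, so the link works only once."""
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return "invalid", None
        if self._clock() - row["issued_at"] > TOKEN_TTL_SECONDS:
            return "expired", None  # caller shows the "Link Expired" page (req. 4)
        return "ok", row


def token_from_link(url):
    """Pull the token parameter back out of the link, as the Reset Password page would."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]
```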
4) Display "Password Reset Email Sent" confirmation page with the following onscreen text and button links:
- Create and display new page, "Password Reset Email Sent" with the following text and buttons.
- Page header should be: "Password Reset Email Sent"
- The following text should appear in the text box:
A password reset email was sent to <email>
Follow the directions in your email to reset your password.
If you don't find your email, please check your Spam folder.
- Add an "OK" button in the lower right below the text box.
- Add the "Help" link on the left, just adjacent to the "OK" button
- Ensure the Cambiar A Espanol button does not appear on the page.
- Link the "Help" link to the existing Help page that currently appears on the Account Recovery, Account Verification, and other pages.
- Enable the "OK" button to sign the user out of active session and display secure sign out page.
NOTE: It is very important that the user is returned to the application they were originally trying to get to before account recovery (i.e., if the user started the process from a BOG application URL, hit Shib and couldn't remember their password, and initiated account recovery/password reset using the email URL link, then after the new password is created and confirmed the user is returned to the Shib Sign In page and upon successful sign-in will land on the BOG My Applications page). The URL attribute for the BOG application will be included in the email URL, including their CCCID.
5) Add UI page for when the reset link expires (after 24 hours).
- Page would appear if the user clicks the URL after 24 hours
Password Reset Link Expired. (Bigger Font Size)
Your OpenCCC password reset link has expired.
Click "Continue" to return to the Account Verification page to request a new email link.
Screenshots
Account Verification Password Reset Options
PW Reset Option 1 (Answer Security Questions)
PW Reset Email Link Confirmation
PW Reset Email Link Expired