
This is a work in progress. Analysis, requirements and documentation are not complete.

Request No.: 2015-26
Requester: Support Services
Target release: Summer 2016
Application(s): OpenCCC Account Recovery
Environment(s): Pilot / Production
Documentation: OpenCCC Account Creation, Recovery & Edit Profile
Change to Download File: No
Change to Residency Logic: No
Communication to Users: Yes


Problem Statement or Business Need

Account Recovery is the number one issue being supported by the CCC Helpdesk. The percentage of support calls received by the Helpdesk, based on submitted applications, for all issues has held steady at approximately .049%, with the percentage of those calls pertaining to Account Recovery is roughly since the Standard application was released in 2012. The number of calls from students asking for assistance with Account Recovery has risen since June 2015 (the cause of this phenomenon is still being determined). Therefore, our current password recovery process is no longer viable.

Phase II:  Add a third option - send an SMS text message with a temporary password. Problem: The Helpdesk has to ask which "carrier" the user uses to text a temp password and this is problematic. Research is needed to better understand how best to develop this option.  


Proposed Solution

Redesign the Account Recovery / Reset Password functionality in two phases:

Phase I: Redesign the Account Recovery page to include two options: 1) request an email with a link to recover the password; and 2) maintain our existing security questions option (using the same sequence as we use currently).

Phase II: Add an additional option to send the user an SMS text message with a temporary password, which would be reset once they enter the Password Reset page.

User Stories

Phase I: As a student user, I want an alternative option to reset my Account password in addition to the existing security questions option. I want to be able to request an email with a link in it to recover my password.

 The email should be simple and clean, with minimal words
 The email should have a link in it that takes me to the existing Password Reset page
 Add the email link option to the existing account recovery page

As a student user, I want to be able to reset my password via an email link that would take me directly to the Password Reset page. I would have a limited amount of time from the moment I click "Send me a password reset email" to receive my email and reset my password. I would want an email confirmation that the link was sent to me and a confirmation email that my password has been reset.

Research & Security Issues

Research is needed around security measures for receiving the email and for receiving the confirmation email.
The development of this new password reset process would have to use the same pathways and there should be NO NEW CODE created for this process.

For security reasons, a time limit should be placed on the action: the time from when the email link is clicked / requested in Account Recovery should be no more than 2 hours (no less than 24 hours has also been discussed - TBD).
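One way the time-limited, single-use email link described above could be enforced, shown as an added illustration and not OpenCCC code. The class name, the in-memory store and the user identifiers are hypothetical; the 2-hour value is the limit stated above and is a parameter because the final value is TBD.

```python
import hashlib
import secrets
import time

# 2-hour limit from the requirement above; 24 hours is the alternative still under discussion.
RESET_TTL_SECONDS = 2 * 60 * 60


class ResetTokenStore:
    """Hypothetical in-memory stand-in for wherever pending resets are persisted."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create the secret that goes into the emailed link."""
        # A new request supersedes any older outstanding link for the same user.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl  # clock starts at request time
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user_id for a valid token, else None. Tokens are single-use."""
        # pop() removes the entry whether or not it has expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id
```

The confirmation emails in the user story would be sent after `issue()` and after a successful `redeem()` followed by the password change.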


Requirements Summary

# | Requirements | Notes

1. All functionality around this new process should reuse/keep as much existing code and pages (UI) as possible. Enhance what we already have in place.

2. A revised Account Recovery page needs to be designed to give the user two options: 1) Send an email with a secure link to reset Password on the Password Reset page.
 The revised account recovery function should be available wherever there's an "I forgot my password" URL in the current system.
 The Account Verification page needs to be redesigned to include both options: 1) send me an email link and 2) enter security questions.
 There should be a number of attempts allowed for the security questions; if after 5 attempts the security questions cannot be answered, offer the link to the email recovery option.
 A new email message should be created that includes the email link. The text/message should be very short and concise.
 A new page will be created that includes the two options: 1) send an email with link; and 2) answer security questions.
 A second new page would be created with a message stating that the email has been sent and to check the user's Inbox for the link. Include a message that there is a 24 hour time limit to obtain the link and activate the password reset.
 All language on all pages and across all emails should be simple, clean, concise.
 A new Reset Password page needs to be created that provides a new password data field and a confirmation password data field. The page should include brief text that reiterates the requirements for the password: "7 - 10 letters and numbers and no specific characters". If possible, add in a "Strength of password" function box. The page should be titled "Reset password. Enter Your New Password".
 A new Confirmation page should be created stating that the password has been created and that it should be written down and kept in a safe place.

Notes:
 What about Username recovery?
 7/18/16: Not revising UN recovery at this time.
 How many attempts should we allow the security questions to fail before offering the email option?
 Should we ask them to confirm their email before continuing with the email recovery process?

Research requirements:

1) Establish security standards around the entire process. 

Existing Screenshots

 

Sample Screenshots


Change Specifications

 



Changes to Data Download File


Changes to Logic

 



Supporting Documentation 

Below is additional documentation (i.e., CCCCO legal opinions, residency and/or education code citations, legislation citations, supplemental information, etc.) to be referenced in support of this change request. 

Description | File or Link