PortalGuard Password Reset - Mobile App

The new PortalGuard Self-service Password Reset mobile app provides end-users a simplified way to securely reset their forgotten password. The user must perform a one-time enrollment by taking a picture of a QR code with the PortalGuard app on their phone and entering a generated code in the browser. When the user wants to reset their forgotten password, they simply need to open the app, enter their choice for a new password and press a single button. The app transparently generates and sends a new Time-based One-Time Passcode (TOTP) to securely prove their identity. The app can serve a dual purpose of generating a TOTP for multi-factor authentication logins through PortalGuard as well.

Additionally, the PortalGuard Password Reset app provides an optional method to generate passwords that a user can more easily remember rather than providing a completely random generated password. It works by asking a series of personal questions during the enrollment phase. The user’s answers are used to construct a familiar user password.

Requirements

  • Apple iPhone/iPad running iOS 5.0 or later
  • Android device version 4.1 or later
  • Install the PortalGuard Password Reset app from the Apple App Store or Google Play store
  • PortalGuard server version 4.3.1.1 or later
  • Microsoft .NET version 3.5 or later must be installed on the PortalGuard server
  • Enrollment in the app must be performed by end users – it cannot be batch imported by administrators
  • Only a single phone can be enrolled at a time per user
  • The PortalGuard server must be reachable on the network from the user’s phone. If end-users must be able to use it on the internet, then the PortalGuard server must be accessed using a publicly addressable name and be deployed in a DMZ or behind a reverse proxy that allows anonymous users to reach it.

Configuration Requirements

  • The user must access the PortalGuard web server through a browser to complete enrollment
  • In the PortalGuard security policy, the authentication type for Password Reset cannot be configured for multi-factor authentication (Challenge Answers -AND- OTP). The app is only able to automatically send an OTP so the requirement to answer challenge questions when multi-factor Password Reset is enabled cannot be met. See the settings in the next section for full details about the required configuration of the PortalGuard security policy.

Administrator Configuration Steps

Install Microsoft .NET version 3.5 on the PortalGuard server (link). PortalGuard’s base functionality can run on .NET version 2.0, but 3.5 is required to dynamically generate QR codes.

Launch the PortalGuard Configuration Editor and click the Edit Bootstrap button.

On the Policies tab, click the Generate CA button in the “PortalGuard Certificate Authority” section. If this button is disabled or greyed out (see screenshot below), then it simply means you have already generated the CA and can skip to step 5 below.

Click OK to close the “Successfully generated Root CA” dialog, then click the “Save” button to commit the change and update the bootstrap settings.

Still in the Configuration Editor, open the “Security Policies” tab and double click on the policy for which you would like to enable the mobile app.

Under the Auth Methods -> Mobile tab, ensure the “Allow Mobile Authenticator Generated OTPs” box is checked.

In the Actions -> PW Reset sub-tab, set the “Requires” drop-down box to Any enabled authentication type as per the Configuration Requirement noted above. Also check the “Mobile Authenticator” box in the “Accepted OTP Methods” section. This allows use of both the PortalGuard app and Google Authenticator.

Save the changes to the PortalGuard security policy and apply all changes.

.

End-User Installation & Enrollment Steps

The following steps outline what an end-user must do to install, enroll and use the PortalGuard Password Reset app.

  1. Download the PortalGuard Password Reset mobile app by accessing the appropriate app store (e.g. Apple App Store or Google Play store) on a mobile device.
  1. Search for PortalGuard Password Reset to find and install the app.
  1. Access the root of your local PortalGuard server using a workstation’s web browser, e.g.:

http[s]://YOUR.PORTALGUARD.SERVER

NOTE: You must take a picture of a QR code using your mobile device’s camera, so do NOT access the URL above using a browser on your mobile device!

  1. Enter your username and password to login.
  1. Once logged in, click the Multi-Factor Settings & Devices tab. Then click the Enable Mobile Authenticator link under the Mobile Authenticator section.

NOTE: There may be other sections above it based on enabled features in PortalGuard.

  1. Choose your phone type and click Continue. A QR Code will pop onto the screen.

  1. Using the app, press the Enroll button. A QR Code scanner will appear with which you can scan the QR code on the screen.

  1. When successfully scanned, you should see an OTP code at the top of the app. Enter the code in the web browser containing the QR code before it times out and click the Continue button to finish enrollment. Another code will be automatically generated if the initial one expires.

  1. The browser should show a confirmation message that the mobile app has been successfully enabled. At this point you have the option to enroll answers into the app to enable a personalized password to be generated. If you are interested in this feature press Enroll Answers, answer all 10 questions then press Done. In either case, press the Continue button to complete the enrollment.

End-User Usage Steps

The last screen is where you can actually reset your password. After enrollment, the app will only show this screen. Type your new password into the password field or press the Personalized Password button if you opted to answer the challenge questions. With a new password in the field, simply press Reset Password to update your account. If the password is not sufficiently complex, then you will receive notification of what rules still need to be addressed.

NOTE: An OTP is always displayed at the bottom of this screen in case one is needed for your account.

The last feature of this app is the “Clear Enrollment” button. Hitting the button will confirm if you want to clear your enrollment data from the phone. If you clear the enrollment, everything on the phone including username, shared secret (from the QR code) and any answers to the challenge questions will be erased.

Troubleshooting

The app sends HTTP traffic directly to the PortalGuard server to reset passwords. Since new passwords are traveling from the phone to the PortalGuard webserver, it is strongly recommended users use HTTPS/SSL when connecting to the PortalGuard server.

Due to security best practices, the iPhone will refuse to establish a HTTPS/SSL connection to web servers that use a self-signed certificate. In production, the PortalGuard server must be configured to use a SSL certificate from a trusted root Certificate Authority (e.g. Verisign, Digicert). If an end-user attempts to use the Password Reset app with a PortalGuard server using a self-signed certificate, they will see the following error:

The “PortalGuard server is using an untrusted/self-signed SSL certificate” error prevents the password reset from occurring. The workarounds for this during internal testing include:

Performing the enrollment when accessing the PortalGuard server with a non-SSL connection. The Password Reset app communicates with PortalGuard using the same server name & protocol in the URL used during enrollment. NOTE: This will cause the app to send new passwords to the PortalGuard server in clear-text.

&l>2) Trust/import the self-signed certificate using the instructions found here:

HttpWatch: Five Tips for Using Self Signed SSL Certificates with iOS

This will allow you to use SSL even with a self-signed certificate.