CARRIER feature releasing with 18.104.22.168 - CALL-34445
What is it about?
This initiative is to secure the password reset flow in various Rialto components for Carrier.
Copyright© 2021 Cisco Systems, Inc. All rights reserved.
In the current Rialto portal experiences, a forgot password link is available at login which, when selected, allows anyone to reset the password of any user account. As a result, a potential attacker can continuously reset a user's password, forcing the affected user to re-authenticate with temporary credentials.
To address this issue, the portal will lock out further password reset requests for a period of time after an initial request. Upon a valid password reset request, the system will provide a one-time token to the user; selecting the password reset link embedded in the password reset email will then prompt the user to reset his or her password. This change will be applied to Rialto Market, CAP and CUP.
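As an added illustration (not Cisco's or Rialto's own code), the following Python model shows the two controls described above: a per-account lock-out window after a reset request, and a one-time, expiring reset token that is stored only as a hash and superseded by any later request. The lock-out window and token lifetime are assumed values; the page does not state them.

```python
import hashlib
import secrets
import time

LOCKOUT_SECONDS = 15 * 60    # assumed lock-out window between reset requests
TOKEN_TTL_SECONDS = 60 * 60  # assumed lifetime of a one-time reset token


class PasswordResetService:
    """In-memory model of the lock-out plus one-time-token flow (assumed design)."""

    def __init__(self, now=time.time):
        self.now = now
        self.last_request = {}  # username -> time of last accepted request
        self.tokens = {}        # sha256(token) -> (username, expires_at)
        self.active = {}        # username -> digest of its currently valid token

    def request_reset(self, username):
        """Return a fresh token to email, or None while the account is locked out.

        The caller should answer the HTTP request identically in both cases so
        the response does not reveal whether an account exists or is locked.
        """
        t = self.now()
        last = self.last_request.get(username)
        if last is not None and t - last < LOCKOUT_SECONDS:
            return None  # repeated request inside the window is refused
        self.last_request[username] = t
        old = self.active.pop(username, None)
        if old is not None:
            self.tokens.pop(old, None)  # an earlier token is superseded
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self.tokens[digest] = (username, t + TOKEN_TTL_SECONDS)
        self.active[username] = digest
        return token

    def redeem(self, token, username):
        """Consume a token: True only once, before expiry, for the right user."""
        entry = self.tokens.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == username and self.now() <= expires_at

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()
```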
Note: This is phase 1 of the password reset enhancement flow, in which the new branded email template for the password reset link has been released and published for partners who may wish to brand the content, before the full feature comes into play with the next release.
This prevents potential security threats that could impact service availability.