Solved

How can we monitor the Token requests sent out via Indicium (Forgot Password & 2FA)?

  • 19 February 2021


As the title says, how can we monitor the Token Requests sent out to users via Indicium for the Forgot Password, the 2 Factor Authentication or any other place we send tokens out?

We have users that complain they have not received the token when on either of the 2 pages in question. Indeed we do have an email sent out in SendGrid but since I cannot see the content I can only speculate.

Is there a table that tracks the Token requests, Timeouts, Requested User, Request Date Time, Send date time, Expiration of request, Expiration of Token?

Any information would be very helpful to track whether there are missing tokens not sent, or whether it is due to the user not using the token quickly enough (a timeout issue), so that we can increase it.


Best answer by Vincent Doppenberg 19 February 2021, 15:14




Hello mperrot,

IAM has a Two-factor log screen where at least the sent two factor tokens should be logged. I noticed that Indicium did not write entries to this log yet whenever a two factor token was sent, but this has been corrected for the upcoming 2021.1.16 release, which will be available at the start of next week.

 

IAM does not have a log for password reset and TOTP reset tokens, but for now we have decided that we will log password reset and TOTP reset tokens in the same way as two-factor tokens. This means that as of 2021.1.16, these sent tokens will also be shown in the Two-factor log, but they will be shown like this:

 

In the future we will make the Two-factor log screen more generic, allowing you to distinguish between two-factor tokens, password reset tokens and TOTP reset tokens.

Please check the Two-factor log screen to see if this meets your requirements. If not, you can leave suggestions here, or better yet, create an Idea for them.

I hope this helps


Hi Vincent,

I have upgraded to Indicium 2021.1.16 and Universal 2021.1.13.1 and indeed the Two-factor log contains the entries now.

However, I was also looking for the timeout of the token, i.e. how long it is valid for, and whether we can extend/set it either on a user group level or per user. Is that possible?

thanks


Hello mperrot,

Password reset tokens and 2FA tokens that are sent by email are valid for roughly 9 minutes. 2FA tokens that use TOTP are valid for roughly 90 seconds.

Indicium uses the ASP.NET Core Identity framework for user management and authentication and these values are determined by Microsoft and hardcoded into the token providers that are used by default (by email, by TOTP). As it is, these are not configurable for us and we feel that it would be unwise to deviate from these token providers. In general it's not a very good idea to increase the lifetime of these tokens by a lot for security reasons.

Is there a specific problem you are running into regarding the lifetime of the tokens?
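
The "roughly" in the lifetimes quoted above is what time-step validation produces: a code is tied to a clock step, so how long it stays accepted depends on where in the step it was sent. The sketch below is an added example, not part of the thread and not Indicium or ASP.NET Core Identity code. The step sizes (180 s and 30 s) and the two-step tolerance are assumptions chosen to match the quoted 9 minutes and 90 seconds, and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

EMAIL_STEP = 180   # assumption: 3-minute steps for e-mailed tokens
TOTP_STEP = 30     # assumption: 30-second steps for authenticator apps
DRIFT = 2          # assumption: codes from 2 steps either side are accepted


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 code for one counter value (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, code: str, now: int, step: int) -> bool:
    """Accept the code if it matches any step within DRIFT of the current one."""
    current = now // step
    return any(hmac.compare_digest(hotp(key, current + d), code)
               for d in range(-DRIFT, DRIFT + 1) if current + d >= 0)


def lifetime(sent_at: int, step: int) -> int:
    """Seconds after sending during which the code is still accepted."""
    return (sent_at // step + DRIFT + 1) * step - sent_at


def audit(sent_at: int, tried_at: int, step: int) -> str:
    """Classify a complaint from the logged send time and the attempt time."""
    if tried_at < sent_at:
        return "attempt predates this token"
    left = lifetime(sent_at, step) - (tried_at - sent_at)
    return f"valid, {left}s left" if left > 0 else f"expired {-left}s earlier"


if __name__ == "__main__":
    # Constructed timestamps (Unix seconds), not taken from a real log.
    for sent, tried in [(1613743200, 1613743500), (1613743379, 1613743800)]:
        print(sent, tried, audit(sent, tried, EMAIL_STEP))
```

Under these assumptions an e-mailed code is accepted for between 6 and 9 minutes and a TOTP code for between 60 and 90 seconds, so a user who enters the code 7 minutes after the logged send time may or may not be rejected.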


Hi Vincent,

Thank you for the reply. I will take note of the validity duration for each instance. I think I am covered by your reply.

The issue we are running into is that users complain they do not get the Token when resetting their password, and with the above in place we can audit the complaint with regard to a request and its validity.

Thanks
