Forefront Identity Manager - Credential Management, Part 2

FIM ships with three Authentication Activities (a.k.a. Authentication Gates) that are used primarily in Self-Service Password Reset (SSPR).

Question and Answer Gate
This is the most obvious one in SSPR. During registration mode, it prompts the user with a list of pre-defined questions (e.g. "What's your first pet's name?") and the user is required to answer a subset of them. The answers are hashed and stored in the FIM database. During authentication mode, it displays the questions that the user registered and the user is required to answer them correctly to pass this gate.

Configurable settings include

  • Total number of questions: n
    The system admin can pre-define n questions in this gate.

  • Number of questions displayed during registration: p
    Only p out of the n questions are displayed, chosen randomly, to users during registration.

  • Number of questions required for registration: q
    Users must register at least q out of the p questions during registration.

  • Number of questions randomly presented to the user: r
    Please bear with me on the unclear wording. It means that r of the q questions the user registered are presented during authentication.

  • Number of questions that must be answered correctly: s
    Users must answer s out of the r questions correctly to pass this gate.

And obviously, n ≥ p ≥ q ≥ r ≥ s (equal values are allowed, e.g. showing all n questions at registration). Keep in mind that s, not r, is what an attacker actually has to know: with r = 3 and s = 2, guessing or researching two answers is enough to pass, so keep s close to r and avoid questions whose answers are easy to look up.
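The registration and authentication flow of the Question and Answer Gate, as an added example that is not FIM's own code: it picks p of n questions for registration, stores salted hashes of at least q answers, presents r of the registered questions at authentication and passes the gate once s of them are answered correctly. The question bank is constructed for the example; answer normalisation (trimming and case-folding) and PBKDF2 with a per-user salt are assumptions about a sensible implementation, not a description of how FIM actually stores the answers.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed question bank for the example; in FIM the admin defines these n questions.
QUESTION_BANK = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What was the make of your first car?",
    "What is your mother's maiden name?",
    "What was the name of your primary school?",
    "What is your favourite book?",
]


@dataclass
class QAGateConfig:
    n: int  # total questions defined in the gate
    p: int  # questions displayed during registration
    q: int  # questions that must be registered
    r: int  # questions presented during authentication
    s: int  # questions that must be answered correctly

    def __post_init__(self):
        if not (self.n >= self.p >= self.q >= self.r >= self.s >= 1):
            raise ValueError("gate parameters must satisfy n >= p >= q >= r >= s >= 1")


def normalise(answer: str) -> str:
    # Collapse whitespace and case-fold so "Fluffy" and " fluffy " match (assumption, not FIM's rule).
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; FIM's actual hashing scheme is not stated in the post (assumption).
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


@dataclass
class Registration:
    salt: bytes
    answers: Dict[str, bytes]  # question text -> answer hash


class QAGate:
    def __init__(self, cfg: QAGateConfig, questions: List[str], seed: Optional[int] = None):
        if len(questions) != cfg.n:
            raise ValueError("question bank size must equal n")
        self.cfg = cfg
        self.questions = list(questions)
        # A fixed seed makes the random selection reproducible for tests only; use SystemRandom otherwise.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.store: Dict[str, Registration] = {}

    def registration_questions(self) -> List[str]:
        """Pick p of the n questions to show the user at registration."""
        return self.rng.sample(self.questions, self.cfg.p)

    def register(self, user: str, shown: List[str], supplied: Dict[str, str]) -> None:
        """supplied maps question -> answer; at least q of the shown questions must be answered."""
        chosen = {qu: a for qu, a in supplied.items() if qu in shown and a.strip()}
        if len(chosen) < self.cfg.q:
            raise ValueError(f"must answer at least {self.cfg.q} of the {len(shown)} questions")
        salt = os.urandom(16)
        self.store[user] = Registration(salt, {qu: hash_answer(a, salt) for qu, a in chosen.items()})

    def challenge(self, user: str) -> List[str]:
        """Present r of the questions this user registered (r <= q, so there are always enough)."""
        return self.rng.sample(list(self.store[user].answers), self.cfg.r)

    def verify(self, user: str, responses: Dict[str, str]) -> bool:
        """Pass the gate when at least s of the challenged questions are answered correctly."""
        reg = self.store[user]
        correct = 0
        for qu, a in responses.items():
            expected = reg.answers.get(qu)
            if expected is not None and hmac.compare_digest(expected, hash_answer(a, reg.salt)):
                correct += 1
        return correct >= self.cfg.s


if __name__ == "__main__":
    gate = QAGate(QAGateConfig(n=6, p=5, q=4, r=3, s=2), QUESTION_BANK, seed=7)
    shown = gate.registration_questions()
    answers = {qu: f"answer {i}" for i, qu in enumerate(shown[:4])}
    gate.register("alice", shown, answers)
    asked = gate.challenge("alice")
    print("pass:", gate.verify("alice", {qu: answers[qu] for qu in asked}))
```

Because `verify` only counts matches, a response for a question the user never registered simply scores zero; a real deployment would also run this behind the Lockout Gate described below so the s-of-r guess space cannot be searched freely.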

Password Gate
The most common question I have been asked is, "I am trying to reset my password because I have forgotten it. Now you are going to ask for my password?" This is not how the Password Gate works. The Password Gate asks for your password during registration only. For example, if you go to the bathroom and forget to lock your computer, you probably don't want someone else to register on your behalf and then reset your password immediately. It allows FIM to make sure it is you who is registering for password reset.

Lockout Gate
The Lockout Gate is used to stop an attacker from brute-forcing the other gates. This gate does not display anything to the user during registration or authentication.

It is best to use the example below to explain how it works:

  • Lockout duration after the Lockout Threshold is reached (minutes): 15
  • Lockout Threshold, i.e. the number of times the user can fail to complete the workflow: 3
  • Number of times the user can reach the Lockout Threshold before permanent lockout: 2

The net effect will be as follows:

  • Failed attempt 1 
  • Failed attempt 2
  • Failed attempt 3
  • The user is now temporarily locked out and can only try again after 15 minutes
  • Failed attempt 4
  • Failed attempt 5
  • Failed attempt 6
  • The user is now permanently locked out.

At any point in time, if the user successfully passes the entire authentication workflow or re-registers, the counters are reset to 0 and the user is unlocked automatically.
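The counter logic above written out as a small state machine, as an added example and not FIM's own implementation. It replays the post's settings (threshold 3, 15 minute lockout, permanent lockout on the second threshold hit) and the reset on a successful workflow or re-registration. One assumption is made that the post does not spell out: attempts made while the temporary lockout is still in force are refused and do not advance the counters. The clock values and the user name are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutConfig:
    duration_minutes: int = 15          # lockout duration once the threshold is reached
    threshold: int = 3                  # failed workflow attempts before a temporary lockout
    lockouts_before_permanent: int = 2  # threshold hits before the user is permanently locked out


@dataclass
class LockoutState:
    failures: int = 0                   # failures since the last lockout or reset
    lockouts: int = 0                   # how many times the threshold has been reached
    locked_until: Optional[datetime] = None
    permanent: bool = False


class LockoutGate:
    def __init__(self, cfg: LockoutConfig):
        self.cfg = cfg
        self.states: Dict[str, LockoutState] = {}

    def _state(self, user: str) -> LockoutState:
        return self.states.setdefault(user, LockoutState())

    def status(self, user: str, now: datetime) -> str:
        """'open', 'locked' (temporary lockout still running) or 'permanent'."""
        st = self._state(user)
        if st.permanent:
            return "permanent"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        return "open"

    def record_failure(self, user: str, now: datetime) -> str:
        """Count one failed workflow attempt and return the resulting status."""
        current = self.status(user, now)
        if current != "open":
            return current  # assumption: attempts during a lockout are refused, not counted
        st = self._state(user)
        st.failures += 1
        if st.failures < self.cfg.threshold:
            return "open"
        # Threshold reached: start a fresh window and decide temporary vs permanent.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= self.cfg.lockouts_before_permanent:
            st.permanent = True
            return "permanent"
        st.locked_until = now + timedelta(minutes=self.cfg.duration_minutes)
        return "locked"

    def record_success(self, user: str) -> None:
        """Passing the whole workflow or re-registering resets counters and unlocks the user."""
        self.states[user] = LockoutState()


def replay(cfg: LockoutConfig, events: List[Tuple[str, int]]) -> List[str]:
    """Replay ('fail' | 'success', minutes_after_start) events for one user and
    return the gate status after each one. The start time is an arbitrary fixed clock."""
    gate = LockoutGate(cfg)
    start = datetime(2024, 1, 1, 9, 0)  # constructed
    out = []
    for kind, minutes in events:
        now = start + timedelta(minutes=minutes)
        if kind == "fail":
            out.append(gate.record_failure("alice", now))
        else:
            gate.record_success("alice")
            out.append(gate.status("alice", now))
    return out


if __name__ == "__main__":
    # The sequence from the post: three failures, wait out the lockout, three more failures.
    print(replay(LockoutConfig(), [("fail", 0), ("fail", 1), ("fail", 2),
                                   ("fail", 20), ("fail", 21), ("fail", 22)]))
```

Note that the temporary lockout resets the per-window failure counter but not the lockout counter, which is why the second group of three failures ends in a permanent lockout rather than another 15 minute wait.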

Please note that this lockout mechanism is FIM specific. It has nothing to do with account lockout in Active Directory, so a user locked out by this gate can still log on to the domain, and an AD lockout does not reset these counters.