TOTP Authentication Policy Setting ID Vault Old Password Issue

Mindwatering Incorporated

Author: Tripp W Black

Created: 09/11 at 01:33 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

Overview:
- With Domino 12.0.x, we can enable TOTP multi-factor authentication. Once configured, the Internet tasks can authenticate against passwords held in the ID Vault as well as the HTTP Password field in the Person doc.

With this configuration, it is possible for an old Notes ID password (the copy still held in the ID Vault) to remain valid for authentication alongside the actual current Notes/HTTP password. This can be a security concern.


Configuration Settings:
The password behavior is controlled by a Policy Settings document:

Admin client --> People & Groups (left tab) --> Domino Directories (twistie) --> Company's Directory (twistie) --> Settings (view) --> Security Settings (main window category twistie) --> Open the Security Settings document -->
- Password Management Options (heading)
...
Update Internet Password When Notes Client Password Changes: Yes

- ID Vault (tab) --> OTP-based ID Downloads (heading)
Allow TOTP authentication with the ID vault: Yes
Allow password authentication with the ID vault: Yes

For the field Update Internet Password When Notes Client Password Changes: Yes
With this policy enforced, the Internet password is updated by AdminP shortly after the Notes client password is changed. The Vault ID password is NOT updated.

For the two fields under the OTP-based ID Downloads heading:
These settings let the Internet tasks (HTTP, IMAP, POP3, etc.) authenticate against the ID Vault IDs first, and then fall back to the HTTP password field in the Person document, instead of using only the Person document.
(Thanks to Mark D. at HCL for this information.)


Implications:
We also found that changing the password through the Change Password dialog in the Notes Security dialog does not automatically upload the new ID into the ID Vault unless the person, after changing the password, also clicks the Sync ID Vault button under the Change Password button.

It is important to have the policy to update HTTP passwords with Notes ID password changes, and to make sure folks are trained to change the password and then also sync their ID.
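The scenario above, as an added example that is not from the original article and does not use the Domino API: a small Python model of the three password copies involved (the Notes ID file, the Person document's Internet password field, and the ID Vault copy of the ID). The class and function names are hypothetical, the PBKDF2 hashing is a stand-in for whatever Domino does internally, and the user and passwords are constructed. It shows why the Sync ID Vault click matters: with the Internet tasks trying the vault first, the superseded password keeps working until the vault copy is refreshed, and a simple staleness check flags the gap.

```python
"""Constructed model (not Domino API code) of the three credential copies the
article describes: the Notes ID file, the Person document's Internet password
field, and the ID Vault copy of the ID. Names are hypothetical; the hashing is
a PBKDF2 stand-in, not Domino's own scheme."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Credential:
    """One stored password: salted digest plus a change counter for staleness checks."""
    salt: bytes = b""
    digest: bytes = b""
    version: int = 0

    @classmethod
    def create(cls, password: str) -> "Credential":
        cred = cls()
        cred.set(password)
        return cred

    def set(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.version += 1

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _digest(password, self.salt))


@dataclass
class Person:
    name: str
    notes_id: Credential       # password on the user's Notes ID file
    http_password: Credential  # Person doc "Internet password" field
    vault_id: Credential       # copy of the ID held in the ID Vault

    @classmethod
    def create(cls, name: str, password: str) -> "Person":
        return cls(name, *(Credential.create(password) for _ in range(3)))


@dataclass
class Policy:
    update_internet_password_on_notes_change: bool = True  # Security Settings doc
    allow_password_auth_with_vault: bool = True            # OTP-based ID Downloads


def change_notes_password(person: Person, new_password: str,
                          policy: Policy, sync_id_vault: bool) -> None:
    """Change Password in the Security dialog: AdminP updates the Internet
    password when the policy says so; the vault copy changes only on Sync ID Vault."""
    person.notes_id.set(new_password)
    if policy.update_internet_password_on_notes_change:
        person.http_password.set(new_password)
    if sync_id_vault:
        person.vault_id.set(new_password)


def internet_login(person: Person, password: str, policy: Policy):
    """HTTP/IMAP/POP3 authentication order: ID Vault copy first, then Person doc.
    Returns which store accepted the password, or None."""
    if policy.allow_password_auth_with_vault and person.vault_id.verify(password):
        return "vault"
    if person.http_password.verify(password):
        return "person-doc"
    return None


def vault_is_stale(person: Person) -> bool:
    """Defender check: the vault copy has seen fewer changes than the Notes ID,
    so a superseded password may still be accepted by the Internet tasks."""
    return person.vault_id.version < person.notes_id.version


def demo(sync_id_vault: bool) -> dict:
    """Run the article's scenario with or without the Sync ID Vault click (constructed data)."""
    policy = Policy()
    alice = Person.create("Alice Example/Mindwatering", "OldPassw0rd!")
    change_notes_password(alice, "NewPassw0rd!", policy, sync_id_vault)
    return {
        "old_password_accepted_by": internet_login(alice, "OldPassw0rd!", policy),
        "new_password_accepted_by": internet_login(alice, "NewPassw0rd!", policy),
        "vault_stale": vault_is_stale(alice),
    }


if __name__ == "__main__":
    print("without sync:", demo(sync_id_vault=False))
    print("with sync:   ", demo(sync_id_vault=True))
```

Without the sync, the old password is still accepted via the vault and the new one only via the Person document; with the sync, only the new password works and the staleness check clears. In a real deployment the equivalent check is an administrative report comparing ID Vault upload dates against password-change dates, which this model approximates with a change counter.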

