dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Support password expiration #5716

Open HaoK opened 10 years ago

techyian commented 8 years ago

Hey,

Any news on this one guys? Would be a great feature to include.

HaoK commented 7 years ago

@blowdart thoughts?

blowdart commented 7 years ago

Yea, we ought to, it'll need template support as well, so, 1.2?

HaoK commented 7 years ago

@blowdart @divega what kind of password expiration do we want to support. Cheapest would be just adding a UserManager API to force expire passwords, and a new method to query for expired passwords.

Or we could go for something more involved like automatic password expiration policies, involving last password change dates etc. If we are going to be updating the schema with things like CreatedDate/LastSignInDate, LastPasswordChangeDate isn't the worst to add at this time either.

christophermllr commented 7 years ago

FWIW, a client of mine required this feature and I ended up extending the data model exactly as you mentioned in your second recommendation above.

HaoK commented 7 years ago

@blowdart @divega should we continue to add optional interfaces to add these features in a non breaking way, or can we update our existing interfaces to require this functionality in stores for 2.0?

HaoK commented 7 years ago

This boils down to whether we are going to add IUserLastPasswordChangeStore vs. adding the methods to IUserPasswordStore, and similarly for CreatedDate/SignInDate with new stores or updating any existing interface.

blowdart commented 7 years ago

Non breaking. Probably need some other infrastructure too, like password history.

brockallen commented 7 years ago

Good thing your password validator accepts the user as a param and not just the password :P

blowdart commented 7 years ago

See, we planned ahead. Genius!

VitaliiVlasovDevPro commented 6 years ago

Hi! Is there any news about this feature?

HaoK commented 6 years ago

This is unlikely to be coming in 2.1 since this requires scheme changes to implement

gamerwalt commented 6 years ago

Password expiration is mostly a custom thing. I'm doing one right now and it's pretty easy. Override the functions that save and sign in user and check if password is expired, if it is, just return with a bad identity result.


HaoK commented 6 years ago

@blowdart punt to backlog or 2.2?

HaoK commented 6 years ago

Requires more schema changes

HaoK commented 6 years ago

If we ever add this feature, we should probably support using it as part of the default UI as well.

blowdart commented 6 years ago

2.2

TechSavvySam commented 6 years ago

I had to extend the code to support password force change so IMO this would be a great one to add. The logic to support force password change is fairly simple. Certainly the complexity comes in when you want to add tunable expiration logic and password history (which could be added later).

I'm actually using external logic in a scheduled task to figure out when to expire users' passwords. My current iteration of expiring passwords is because we made the password rules more complex and wanted to force all users to update to the more complex passwords.

cleftheris commented 5 years ago

It seems to me this is quite handy, and especially regarding the dates involved (LastSigninDate etc.) there is no easy way to implement this as a consumer of the library without overriding everything from the UserManager, SigninManager, UserStore, CustomApplicationUser.

Could this potentially be done in two phases so we can build on top? The first part could be included in 2.2 and contain only the changes around IUserActivityStore<TUser>.

harishakim commented 5 years ago

Hi, everybody, please give more details about the password expiry date.

jmatheti commented 5 years ago

PCI demands that users update their password, and it's also a best practice being enforced in most enterprise systems. Regardless of the business requirement, I guess this is a most wanted feature for an identity framework.

Any update please?

I do not want to duplicate code (I already have two-factor implemented in a prior release).

I did a quick implementation, i.e. `UserManager`'s `CreateAsync` to add `PasswordExpiryEnabled` and `PasswordEnd` as per the configuration to `AspNetUser`. Then on login `signInManager.CheckPasswordSignInAsync`, followed by a conditional check before `signInManager.SignInAsync`.

This seems to work, however it's good to have this included in the framework.

jmatheti commented 5 years ago

There is another problem with the above approach mentioned to handle password expiration. The problem is we can not have two-factor authentication, because when we do a check on the VerifyCode page using the below, the user always returns null.

```csharp
var user = await signInManager.GetTwoFactorAuthenticationUserAsync();
```

That's because the user is signed in, but not for the two-factor sign-in. The method is unfortunately private, and I can't think of any workaround.

```csharp
private async Task<SignInResult> SignInOrTwoFactorAsync(TUser user, bool isPersistent, string loginProvider = null, bool bypassTwoFactor = false)
```

So I guess we need the framework to have this functionality built in.

jmatheti commented 5 years ago

In the interim, as a workaround, I'm using the below (it seems to work for now):

```csharp
// handle two-factor authentication
if (user.TwoFactorEnabled)
{
    await signInManager.PasswordSignInAsync(user, model.NewPassword, model.IsPersistent, true);
    return await TwoFactorAuthenticationHandler(user, model.IsPersistent, model.ReturnUrl);
}
else
{
    await signInManager.SignInAsync(user, model.IsPersistent);
    await appUserService.ManagePasswordExpiryAsync(user);
    return RedirectToLocal(model.ReturnUrl);
}
```

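One way to get the expiry check in front of the two-factor step without touching the private `SignInOrTwoFactorAsync`, as an added example (not code from the thread or from the ASP.NET Core Identity library): `PasswordSignInAsync` calls the public virtual `CheckPasswordSignInAsync` before it decides on 2FA, so a `SignInManager` subclass can refuse an expired password there. `ApplicationUser`, `PasswordExpirationOptions`, `ExpiringSignInManager` and the 90-day policy are hypothetical names and values; the constructor shape assumes ASP.NET Core 3.0 or later.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical user type carrying the extra schema columns the thread discusses.
public class ApplicationUser : IdentityUser
{
    public DateTime? LastPasswordChangeUtc { get; set; }
    public bool ForcePasswordChange { get; set; } // admin "expire now" switch
}

public class PasswordExpirationOptions // hypothetical policy, bound from config
{
    public TimeSpan MaxPasswordAge { get; set; } = TimeSpan.FromDays(90);
}

public class ExpiringSignInManager : SignInManager<ApplicationUser>
{
    private readonly PasswordExpirationOptions _policy;

    public ExpiringSignInManager(UserManager<ApplicationUser> um, IHttpContextAccessor ctx,
        IUserClaimsPrincipalFactory<ApplicationUser> cf, IOptions<IdentityOptions> opts,
        ILogger<SignInManager<ApplicationUser>> log, IAuthenticationSchemeProvider schemes,
        IUserConfirmation<ApplicationUser> confirm, IOptions<PasswordExpirationOptions> policy)
        : base(um, ctx, cf, opts, log, schemes, confirm) => _policy = policy.Value;

    public static bool IsExpired(ApplicationUser user, TimeSpan maxAge, DateTime nowUtc) =>
        user.ForcePasswordChange
        || user.LastPasswordChangeUtc is null          // never recorded: rotate once
        || nowUtc - user.LastPasswordChangeUtc.Value > maxAge;

    // PasswordSignInAsync calls this before the two-factor decision, so refusing here
    // leaves the normal 2FA flow intact. The password is verified first so lockout
    // counting and the response for a wrong password are unchanged.
    public override async Task<SignInResult> CheckPasswordSignInAsync(
        ApplicationUser user, string password, bool lockoutOnFailure)
    {
        var result = await base.CheckPasswordSignInAsync(user, password, lockoutOnFailure);
        if (result.Succeeded && IsExpired(user, _policy.MaxPasswordAge, DateTime.UtcNow))
            return SignInResult.NotAllowed; // login page sends the user to change-password
        return result;
    }
}
```

Register it with `.AddSignInManager<ExpiringSignInManager>()` on the `IdentityBuilder`, and set `LastPasswordChangeUtc` and clear `ForcePasswordChange` wherever the password is changed or reset, otherwise users cannot get back in after rotating.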
valeriob commented 5 years ago

Hi @blowdart ! Is there something in 3.0 preview already ?

blowdart commented 5 years ago

No, other things took precedence, and identity gets no extra features for 3.0, hence it going to backlog for now.

fabich commented 4 years ago

> PCI demands users to update the password and also its a best practice being enforced in most of the enterprise systems. Regardless of the business requirement, I guess this is most wanted feature for an identity framework.
>
> Any update please?

@Janidbest there are more and more security papers and best-practice recommendations to no longer enforce password expiration. e.g. https://www.sans.org/security-awareness-training/blog/time-password-expiration-die or directly from Microsoft: https://www.microsoft.com/en-us/research/publication/password-guidance

stenionobres commented 3 years ago

Hi! Is there any news about this feature?

Xyncgas commented 3 years ago

as the last issue currently standing in the repository, I press F for condolences

Xyncgas commented 3 years ago

IMO, this feature can be implemented by an intern taking minimum wage at a high school relationship tech company, under 30 min

Jack-S-Jenkins commented 2 years ago

+1! The feature would be nice for those who need a quick way to expire a user password after having an admin manually reset it to "Password" or some other simple one. At least it will be some modicum of security for low-level non-critical apps.