To Establish Login Recovery for an Account Policy
Configuring Login Recovery as an alternative to the security questions-based login implements a message obfuscation option that renders the same generic result message for all errors and successes. This method helps prevent account harvesting.
Note –
The obfuscate messages option is enabled by default in the loginRecovery.jsp file. You can set this same option in the lookupUserId.jsp files.
Functionally, Login Recovery uses the same system as the Forgot Your User ID? method and both methods share the same configuration attributes. The main difference between these two methods is that Login Recovery also resets the user's password and then emails both the login and the password to the user's email address.
You can replace the security questions-based log-in method with the Login Recovery method by redirecting the Forgot Your Password? button or by creating a new Login Recovery button on the Log In pages. You configure either option in the System Configuration file, as follows:
-
To redirect Forgot Password to Login Recovery, specify
ui.web.user.questionLogin.forceLoginRecovery = true ui.web.admin.questionLogin.forceLoginRecovery = true
-
To use a Login Recovery button instead of Forgot Password/Lookup, specify
ui.web.user.disableLoginRecovery = false ui.web.admin.disableLoginRecovery = false ui.web.user.disableForgotPassword = true ui.web.admin.disableForgotPassword = true ui.web.user.disableForgotUserId = true ui.web.admin.disableForgotUserId = true
- © 2010, Oracle Corporation and/or its affiliates