Expected behavior for password reset

alexgrutza
Contributor III

Is this expected behavior for a user to experience when resetting their password?

We have an OU for users who authenticate and use MFA via Google (alumni primarily). This OU allows users to recover their accounts and reset their passwords via Google.

We have our active users (staff/students/faculty) access Google via our SSO platform.

A user in this "alumni" OU is not able to reset their password. Here's what happens, as I just tested:

  1. Go to gmail.com
  2. Click Forgot password
  3. Enter the user's org email
  4. Google asks for first and last name, I enter it
  5. It then says it will send a verification code to the user's email (i.e. the org email)

The issue is, the user doesn't have access to it because they don't have the password, and the user can't reset the password because it sends a verification code to the same email they're trying to log into.

MFA is enforced for this "alumni" OU, but this person is in a temporary MFA bypass group so that they can log in and set up MFA. The issue is as stated: they can't get in because they can't reset their password, because Google sends a verification code to their org email, which they don't have access to, which they can't...

Is this expected behavior?

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson
Admin Moderator

The recovery method should be either another email address or a phone number.

IIRC, you should be able to both see and edit both.

We don't allow password recovery, but, then again, we also don't have/allow alumni accounts.

--
https://wheretofind.me/@NoSubstitute

So the user does not have a recovery email set up in their account. They do have a number, but I am unsure if they received an SMS about resetting their password. I was able to manually (from Admin) reset and send them the reset password email.

Just found it weird that Google would send the reset email to their Org email (I understand, where else would they send the email if no recovery was on file) if the user initiated it on the login page themselves. 

--
CISSP | LinkedIn | @Phyxiis

YERKO
Contributor

As I understand and assume:

When creating user accounts in bulk, if not all of the important fields are filled in, those spaces are left without information. Perhaps that is what happened with the user in question, and probably with several others. Hence the importance of educating the users of our educational accounts: along with pointing out or handing over their user account and password (preferably temporary and changeable the first time they sign in), teach them that they must complete their personal information by adding a personal email address (for password recovery) and their mobile phone number.

Regards


I am of the complete opposite opinion. Especially for education users, they should never fill in personal or private information in their accounts. Password recovery should be disabled, and require communication with the nearest admin, who can help with password reset.

--
https://wheretofind.me/@NoSubstitute
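The two points raised in the replies, that self-service recovery needs an out-of-band channel (another email or phone) and that bulk-created accounts often have those fields empty, can be checked from the admin side before a user gets stuck. The script below is an added example, not code from this thread or from Google; it runs over a constructed list of records shaped like Admin SDK Directory API `users.list` results (fields `primaryEmail`, `orgUnitPath`, `recoveryEmail`, `recoveryPhone`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`) and flags accounts in a given OU that have no recovery channel or are enforced into 2-Step Verification without having enrolled. Fetching the live records is assumed to happen separately (e.g. an exported JSON file).

```python
"""Audit Google Workspace user records for self-service recovery gaps.

Added example, not from the thread. Works on records shaped like Admin SDK
Directory API users.list results; the SAMPLE_USERS list below is constructed
for illustration and contains no real accounts.
"""
from __future__ import annotations

# Constructed sample records (illustrative values, not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "alum1@example.edu", "orgUnitPath": "/Alumni",
     "recoveryEmail": "", "recoveryPhone": "",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "alum2@example.edu", "orgUnitPath": "/Alumni",
     "recoveryEmail": "", "recoveryPhone": "+15555550100",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "staff1@example.edu", "orgUnitPath": "/Staff",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
]


def has_recovery_method(user: dict) -> bool:
    """True if Google has a second channel (recovery email or phone) to
    send a verification code to, i.e. not only the primary address."""
    return bool(user.get("recoveryEmail")) or bool(user.get("recoveryPhone"))


def in_org_unit(user: dict, ou_path: str) -> bool:
    """Match the OU itself and any sub-OU, but not a sibling with a similar name."""
    ou = user.get("orgUnitPath", "")
    return ou == ou_path or ou.startswith(ou_path.rstrip("/") + "/")


def audit_recoverability(users: list[dict], ou_path: str = "/Alumni") -> list[dict]:
    """Flag users under ou_path who could get stuck as described in the
    thread: no out-of-band recovery channel, and/or 2SV enforced but not
    yet enrolled (so they depend on a temporary bypass to finish setup)."""
    findings = []
    for u in users:
        if not in_org_unit(u, ou_path):
            continue
        problems = []
        if not has_recovery_method(u):
            problems.append("no_recovery_channel")
        if u.get("isEnforcedIn2Sv") and not u.get("isEnrolledIn2Sv"):
            problems.append("2sv_enforced_not_enrolled")
        if problems:
            findings.append({"user": u["primaryEmail"], "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_recoverability(SAMPLE_USERS):
        print(f["user"], ", ".join(f["problems"]))
```

Accounts flagged with `no_recovery_channel` are exactly the ones for which a user-initiated reset can only send the code to the primary mailbox, so they are the ones to fix (or to reset from the Admin console) proactively.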