I need some clarification on the following SSPR documentation sections:

http://tinyurl.com/mrttnwz

4.2.2 Selecting a Forgotten Password Action

You can configure SSPR to select an action to take when the user
completes the forgotten password process.

SSPR provides the following options:

*Allow user to reset password*: After answering challenge questions
to prove their identity, users can change to a new password. Because the
user has authenticated through answering the challenge questions, the
user can change the password without being required to provide the
current password. To use this option, you must require a challenge set
and the user must have set up challenge-response by answering the
challenge questions.

*Email new password to user*: After answering challenge questions,
the user receives the new password in an email. To enable this option,
configure SMTP email server.

For more information about how to configure email settings, see
Section 3.10, Configuring Email Notification Settings.

*SMS new password to user*: After answering challenge questions, the
user receives the new password through an SMS.

For more information about how to configure email settings, see
Section 3.11, Configuring SMS Notification Settings.

*Email and SMS new password to user*: After answering challenge
questions, the user receives both an email and an SMS containing the new
password.

According to the documentation above:
When the *Email new password to user* option is selected:
After answering challenge questions, the user receives the new password
in an email.

*Question*:
Does the user get to enter the new password after answering the
challenge questions, and an email is then sent out containing the new
password?
Or
Is it a temporary password that SSPR generates, and an email is sent out
containing the temp generated password? And is the user required to
change it after logging in with this temporary password?

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

4.2.3 Configuring Send Methods for Tokens

You can configure a method for sending token code or new password to the
user. The available methods include:

None - SSPR does not perform token verification

Email Only - SSPR sends token to email address

SMS Only - SSPR sends token through SMS

Both - SSPR sends token to both email address and SMS

Email First - SSPR tries to send token through email; if no email
address is available, sends through SMS

SMS First - SSPR tries to send token through SMS; if no SMS number
is available, sends through email


Questions:
What does "You can configure a method for sending token code
or new password to the user" mean in this section?
What does the "new password" mean in this section? A randomized
password? Or a password token?
During forgotten password recovery, can the user not answer the
challenge questions? Instead, an OTP is sent to the user, the user
enters the OTP on the screen, and then he is allowed to change the
password.

Many thanks


--
mochacoffee