4.16 Password Invalidator Authentication
Introduction
The Password Invalidator is a feature in ZTrust that helps keep user accounts secure. It automatically forces users to change their login passwords after a predefined time period. This ensures that weak, old, or compromised passwords are regularly updated, keeping your organization's data safe.
Why Use Password Invalidator? (Use Cases)
Admin defines a password validity period (e.g., 30 days, 45 days, 60 days).
When the period ends, the Password Invalidator forces the user to reset their password on the next login.
Set up warning emails to notify users before their password expires, so they can be aware and update their password on time.
Enhanced Security
The system makes you change your password regularly so that old or weak passwords don’t put your account at risk.
Compliance with Company Policies
Some organizations require you to change your password after a certain time.
This feature automatically enforces those rules.
Reduce Unauthorized Access Risks
If someone manages to steal your password, they can’t use it for long because it will expire after the set time.
Warning Notifications
You’ll receive notifications before your password expires, so you have time to update it without being locked out.
Step 1 – Login to ZTrust Admin Console
Open your ZTrust Admin Console in your browser.
Sign in with your admin credentials.
Step 2 – Enable Password Invalidator in Events
Navigate to Realm Settings → Events.
In the Event Listener dropdown, select
password-invalidation.
Step 3 – Configure the Scheduler & Notifications
Go to Realm Settings → Authentication.
Go to Policies Tab → Password Policy
In Password Invalidator execution: Click on Add policy and define the required policy
Set the password expiry duration (e.g., 30 days, 45 days).
Set the Minimum length, Maximum length, Special characters, Digit, Uppercase and Lowercase and the policy to secured their password.
Step 4 – Create a Custom Authentication Flow
Go to Realm Settings → Authentication.
Click on the Flows tab.
Create a duplicate in browser flow → Name "password invalidator notification" an click on Duplicate
Click on Add execution and find Password Invalidator from the execution
Add the Password Invalidator execution step.
Mark it as Required.
Step 5 – Configure the Scheduler & Notifications
Here admin need to set up the following fields:
Alias → A unique name for this configuration.
Authenticator Reference → Optional reference name if needed.
Authenticator Reference Max Age → Maximum validity period for the authenticator.
Configure Scheduler → Turn ON/OFF to start and stop the Password Invalidator Notification.
Notification Before Password Expiry → Select the days before password expiry to send a notification.
Duration to send notification → Select the Time format for sending Notifications.
Once the policy is configured, click on Save. The system will then start checking password expiry for all existing users.
Step 6 - Bind the flow to work in Browser flow
After setting up the password invalidator flow, bind it to the Browser flow.
This ensures that the system will check password expiry whenever users log in through the browser.
Example Scenarios:
Scenario 1: Corporate Security Policy
Requirement: Change passwords every 60 days.
Solution: Configure Password Invalidator for 60 days and enable 7-day warnings.
Scenario 2: High-Security Applications
Requirement: Enforce strict password rules.
Solution:
Set expiry to 30 days.
Require 12-character passwords.
Enforce password history to avoid reuse.
Scenario 3: User Experience Optimization
Requirement: Notify users early to reduce login issues.
Solution: Enable email reminders 10 days before expiry.
Last updated