4.17 Password Invalidator Authentication

Introduction

The Password Invalidator is a feature in ZTrust that helps keep user accounts secure. It automatically forces users to change their login passwords after a predefined time period. This ensures that weak, old, or compromised passwords are regularly updated, keeping your organization's data safe.

Why Use Password Invalidator? (Use Cases)

Admin defines a password validity period (e.g., 30 days, 45 days, 60 days).
When the period ends, the Password Invalidator forces the user to reset their password on the next login.
Set up warning emails to notify users before their password expires, so they can be aware and update their password on time.

Enhanced Security
- The system makes you change your password regularly so that old or weak passwords don’t put your account at risk.
Compliance with Company Policies
- Some organizations require you to change your password after a certain time.
- This feature automatically enforces those rules.
Reduce Unauthorized Access Risks
- If someone manages to steal your password, they can’t use it for long because it will expire after the set time.
Warning Notifications
- You’ll receive notifications before your password expires, so you have time to update it without being locked out.

Step 1 – Login to ZTrust Admin Console

Open your ZTrust Admin Console in your browser.
Sign in with your admin credentials.

Step 2 – Enable Password Invalidator in Events

Navigate to Realm Settings → Events.
In the Event Listener dropdown, select password-invalidation.

Step 3 – Configure the Scheduler & Notifications

Go to Realm Settings → Authentication.
Go to Policies Tab → Password Policy

In Password Invalidator execution: Click on Add policy and define the required policy
Set the password expiry duration (e.g., 30 days, 45 days).
Set the Minimum length, Maximum length, Special characters, Digit, Uppercase and Lowercase and the policy to secured their password.

Step 4 – Create a Custom Authentication Flow

Go to Realm Settings → Authentication.
Click on the Flows tab.

Create a duplicate in browser flow → Name "password invalidator notification" an click on Duplicate

Click on Add execution and find Password Invalidator from the execution

Add the Password Invalidator execution step.
Mark it as Required.

Step 5 – Configure the Scheduler & Notifications

Here admin need to set up the following fields:

Alias → A unique name for this configuration.
Authenticator Reference → Optional reference name if needed.
Authenticator Reference Max Age → Maximum validity period for the authenticator.
Configure Scheduler → Turn ON/OFF to start and stop the Password Invalidator Notification.
Notification Before Password Expiry → Select the days before password expiry to send a notification.
Duration to send notification → Select the Time format for sending Notifications.

Once the policy is configured, click on Save. The system will then start checking password expiry for all existing users.

Step 6 - Bind the flow to work in Browser flow

After setting up the password invalidator flow, bind it to the Browser flow.
This ensures that the system will check password expiry whenever users log in through the browser.

Example Scenarios:

Scenario 1: Corporate Security Policy
- Requirement: Change passwords every 60 days.
- Solution: Configure Password Invalidator for 60 days and enable 7-day warnings.
Scenario 2: High-Security Applications
- Requirement: Enforce strict password rules.
- Solution:
  - Set expiry to 30 days.
  - Require 12-character passwords.
  - Enforce password history to avoid reuse.
Scenario 3: User Experience Optimization
- Requirement: Notify users early to reduce login issues.
- Solution: Enable email reminders 10 days before expiry.

Previous4.16 Setup Session Invalidator feature Next4.18 Setup GDPR Compliant feature

Last updated 4 months ago