UPDATED - Blackbaud Internet Solutions Service Pack 31 Password Security Update Preview And Actions
In Service Pack 29 we improved the Password Reset experience for users by implementing a self-service password reset capability accessible from the User Login and Change User ID/Password parts. Web site users are no longer redirected to the Login.aspx screen for the reset process, and the experience remains consistent.
We made the User Account linked email address mandatory in order to operate as the recipient address for user account email changes and Multifactor Authentication security codes.
In Phase II, delivered as part of Service Pack 31, we are further enhancing and securing how users and passwords are managed by Administrators of the client sites.
In the upcoming Service Pack 31 we have further secured how passwords are handled by providing an action button for User Administrators to send a Password Reset Link email rather than creating/maintaining passwords for users manually.
In order to support this change, we have implemented a conditional merge field section on the User Login part that will only be used when a user is added by an Administrator. This means that the same part can be used when a User Administrator sends the Password Reset Link email as well as when users reset their password via the site. For backwards compatibility for user self-service, the original Password Reset Link is retained.
The User Login part used to send the Password Reset Email will be determined by the page configured for each Site in Administration > Sites & Settings > Registration and login options, otherwise the Default Site configuration is used.
Additionally, where a user has attempted to log in via Login.aspx, they too will be presented with the ability to self-service their password reset by entering their account-linked email address, to which a Password Reset email will be sent.
Previously we stated updates were being included for the RecordNewUserHandler. This is no longer the case and no changes impacting the use of this handler will be included in Service Pack 31.
This means that clients using Single Sign-on (SSO) will not experience any change in workflow.
As a result of these upcoming changes, you will need to undertake some actions:
- Ensure you have at least one internal Blackbaud Internet Solutions user that has an email address associated with their account.
- On release, update your User Login part New User Registration Email templates to include the new conditional User Administration User Password Reset Link merge field and the conditional Self Registration Password Reset merge field to allow for multi-use. At a minimum update the template used by the Default Site.
- Ensure that your User Login parts Password Reset Email templates have the Password reset links present.