Cerberus FTP Server 12.7 now supports “Forgot your password?” password reset for accounts with Two Factor Authentication (2FA) enabled.
Prior to 12.7, accounts with 2FA enabled were simply not allowed to use the “forgotten password” reset.
Following requests from customers, we carefully reviewed the security of our 2FA and password reset features, and concluded we could safely allow 2FA-enabled users to utilize password reset.
With a goal to reduce IT overhead on user maintenance, this change speaks to the concerns of our customers, greatly easing administrative burden while remaining secure and consistent with industry best practices.
How Password Reset Works With 2FA
Let’s walk through the complete password reset workflow for a user. It may also be helpful to review our support documents detailing how to set up 2FA in Cerberus FTP Server.
The “Forgot your password?” link appears on the login page when the HTTP/S listener has Allow Password Reset Requests enabled:
Cerberus FTP Server considers the user’s identity proven when they…
- Provide the account’s username, first name, and last name
- Prove they have access to the account’s email address
Cerberus generates a cryptographically secure random link and sends it to the email address associated with the given account. The user must receive this email and click the contained link.
- Provide correct answers to the account’s “Security Questions”
The user must have previously set two Security Questions and Answers. Correct answers must be provided.
If the account is 2FA-enabled, the user must also…
Once all of this is completed, the user is allowed to reset the account password and may then login with their new credentials.
After providing their username and new password, 2FA-enabled users must, again, provide a valid second factor response.
Requirements and Limitations
HTTP/S Listener Must Allow Reset Requests
If the Allow Password Reset Requests option is disabled, the “Forgot your password?” link will not appear on the login page.
Native Cerberus Accounts Only
Password reset is not permitted for AD and LDAP accounts. Users who have forgotten their AD passwords must follow procedures set by their Windows Domain administrators to reset it. For security reasons, this is considered out of Cerberus FTP Server’s scope of operation.
Account Setup Required
An account must have certain properties set before forgotten password reset can be used with it.
- First Name
- Last Name
- Valid email address
- Security Questions and Answers
- Can only be set by the end-user
- 2FA either Disabled or Enabled
- Password Reset is unavailable if 2FA is in the Locked-out or Pending Activation states
- Can only be set up by the end-user
We are pleased to release this in Cerberus FTP Server 12.7.0 Enterprise Edition. This change was the direct result of customer feedback, so please keep it coming! Let us know how we’re doing and what you want out of Cerberus FTP Server.