Cerberus FTP Server 12.7 now supports “Forgot your password?” password reset for accounts with Two Factor Authentication (2FA) enabled.

What’s Changing?

Prior to 12.7, accounts with 2FA enabled were simply not allowed to use the “forgotten password” reset.

Following requests from customers, we carefully reviewed the security of our 2FA and password reset features, and concluded we could safely allow 2FA-enabled users to utilize password reset.

The goal is to reduce the IT overhead of user maintenance. Administrators no longer have to reset these passwords by hand, and the workflow below keeps the account’s second factor in the loop, so the change eases the administrative burden without weakening security.

How Password Reset Works With 2FA

Let’s walk through the complete password reset workflow for a user. It may also be helpful to review our support documents detailing how to set up 2FA in Cerberus FTP Server.

The “Forgot your password?” link appears on the login page when the HTTP/S listener has Allow Password Reset Requests enabled:

Login page, highlighting the “Forgot your password?” link.
This gives users who have forgotten their password a way to reset it, provided they prove their identity by other means. When they click the link, Cerberus FTP Server guides them through a multi-step workflow in which they first prove their identity and then change the account password.

Cerberus FTP Server considers the user’s identity proven when they…

  1. Provide the account’s username, first name, and last name
    These identify the account to reset; they are not secret, so the actual proof of identity comes from the steps that follow.
    First step of password reset, provide username, first name, and last name.
  2. Prove they have access to the account’s email address
    Cerberus generates a link containing a cryptographically secure random token and sends it to the email address associated with the account. The user must receive this email and click the link it contains.
    An example password reset email containing a link to the next step of the workflow.
  3. Provide correct answers to the account’s “Security Questions”
    The user must have previously set two Security Questions and Answers, and must answer both correctly.
    Example of the Security Question prompt

If the account is 2FA-enabled, the user must also…

  1. Provide the correct 2FA response
    A TOTP (Time-based One-Time Password) code or a Duo response, depending on how 2FA was set up for the account.
    2-Factor Authentication Code Prompt

Once all of these steps are completed, the user is allowed to set a new account password and may then log in with the new credentials.
Change Password Dialog
At that login, after providing their username and new password, 2FA-enabled users must again provide a valid second-factor response.

Requirements and Limitations

HTTP/S Listener Must Allow Reset Requests

If the Allow Password Reset Requests option is disabled, the “Forgot your password?” link will not appear on the login page.
Listener configuration page, highlighting the "Allow Password Reset Requests" option

Native Cerberus Accounts Only

Password reset is not permitted for AD and LDAP accounts. Users who have forgotten their AD passwords must follow the procedures set by their Windows domain administrators to reset them. Cerberus FTP Server does not reset directory passwords; for security reasons this is considered out of its scope of operation.

Account Setup Required

An account must have the following properties set before forgotten-password reset can be used with it:

  • First Name
  • Last Name
  • Valid email address
  • Security Questions and Answers
    • Can only be set by the end-user
  • 2FA state either Disabled or Enabled
    • Password reset is unavailable while 2FA is in the Locked-out or Pending Activation state
    • 2FA can only be set up by the end-user
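The following Python is an added example, not Cerberus FTP Server’s own code. It models the reset workflow described above (identify the account, prove control of the email address with a random single-use link, answer the stored security questions, present a valid second factor, then set the new password) together with the eligibility checks listed in this section (name and email present, security answers set, 2FA neither locked out nor pending). The 15-minute link lifetime, the PBKDF2 parameters, the one-step TOTP drift window and the example hostname are this example’s assumptions and say nothing about Cerberus’s actual settings; the TOTP routine is a standard RFC 6238 implementation over HMAC-SHA1. Steps are enforced in order, a failed step never advances the session, and all secret comparisons are constant-time.

```python
# Added example modelling the reset workflow; not Cerberus FTP Server code.
# Token lifetime, KDF parameters and the TOTP drift window are assumptions.
import base64, hashlib, hmac, secrets, struct, time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60                       # assumed lifetime of the emailed link
STEPS = ("identify", "email", "questions", "totp", "reset")

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)  # params assumed

def hash_answer(answer: str, salt: bytes) -> bytes:
    return kdf(answer.strip().lower(), salt)   # normalise so "Fido " matches "fido"

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

@dataclass
class Account:
    username: str
    first: str
    last: str
    email: str
    salt: bytes
    answer_hashes: tuple          # the two stored security answers, hashed
    twofa: str = "disabled"       # disabled | enabled | locked | pending
    totp_secret: str = ""         # base32 seed, only for 2FA-enabled accounts
    password_hash: bytes = b""

@dataclass
class ResetSession:
    username: str
    stage: int = 0                # index into STEPS of the next required step
    token: str = ""
    expires: float = 0.0

class ResetFlow:
    def __init__(self, accounts, allow_reset=True, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.allow_reset = allow_reset   # listener's "Allow Password Reset Requests"
        self.now = now                   # injectable clock for testing
        self.outbox = []                 # (address, link) pairs "sent" by email

    def _require(self, s: ResetSession, step: str):
        # Steps are enforced in order; a failed step never advances the session.
        if s.stage >= len(STEPS) or STEPS[s.stage] != step:
            raise PermissionError(f"step {step!r} is not the next step")

    def identify(self, username, first, last) -> ResetSession:
        if not self.allow_reset:
            raise PermissionError("password reset is disabled on this listener")
        a = self.accounts.get(username)
        # One generic error for every ineligibility so the page does not reveal which check failed.
        if not (a and (a.first, a.last) == (first, last) and a.email
                and a.answer_hashes and a.twofa in ("disabled", "enabled")):
            raise PermissionError("account not eligible for password reset")
        s = ResetSession(username, stage=1)
        s.token = secrets.token_urlsafe(32)            # 256-bit CSPRNG token
        s.expires = self.now() + TOKEN_TTL
        self.outbox.append((a.email, f"https://ftp.example.test/reset?t={s.token}"))
        return s

    def click_link(self, s: ResetSession, token: str):
        self._require(s, "email")
        if self.now() > s.expires or not hmac.compare_digest(token.encode(), s.token.encode()):
            raise PermissionError("reset link is invalid or has expired")
        s.token = ""                                   # single use
        s.stage += 1

    def answer_questions(self, s: ResetSession, answers: list):
        self._require(s, "questions")
        a = self.accounts[s.username]
        # Check every answer (no short-circuit) with a constant-time comparison.
        results = [hmac.compare_digest(hash_answer(ans, a.salt), h)
                   for ans, h in zip(answers, a.answer_hashes)]
        if len(answers) != len(a.answer_hashes) or not all(results):
            raise PermissionError("security answers incorrect")
        s.stage += 2 if a.twofa == "disabled" else 1   # skip TOTP when 2FA is off

    def second_factor(self, s: ResetSession, code: str):
        self._require(s, "totp")
        a = self.accounts[s.username]
        # Accept the current and the previous 30 s window for clock drift (assumed).
        if not any(hmac.compare_digest(code.encode(), totp(a.totp_secret, self.now() - d).encode())
                   for d in (0, 30)):
            raise PermissionError("2FA code incorrect")
        s.stage += 1

    def set_password(self, s: ResetSession, new_password: str) -> bool:
        self._require(s, "reset")
        a = self.accounts[s.username]
        a.password_hash = kdf(new_password, a.salt)
        s.stage += 1                                   # session is now spent
        return True
```

The session object is the only place the flow’s progress lives, so a user cannot jump from the email link straight to the password form, and an account in the locked-out or pending 2FA state is refused at the first step with the same generic error as an unknown username.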

Conclusion

We are pleased to release this in Cerberus FTP Server 12.7.0 Enterprise Edition. This change was the direct result of customer feedback, so please keep it coming! Let us know how we’re doing and what you want out of Cerberus FTP Server.