Verification passwords
Verification passwords
A verification password provides additional security when performing sensitive actions. RSpace cannot use your standard SSO login password for verifying your identity once you have logged in, since RSpace does not know and cannot check any of your SSO details. That's all done by your own system when you login. Internal RSpace functions that require you to verify your identity include:
- changing email address.
- signing or witnessing documents.
- creating or resetting API keys
- granting the PI role to a user
as well as some other functions.
Why are verification passwords needed?
SSO user sessions may persist for several hours. If you leave your computer unattended without logging out, somebody else could use your session to perform actions on your account. Some sensitive actions could result in irreversible changes, or alter how your account is accessed or managed. Therefore, RSpace prompts for additional authentication for these actions.
If you login to RSpace using your SingleSignOn or Google credentials, authentication is performed by an external service and it's a best practice ro make sure that RSpace has no access to, and does not store these credentials. Essentially, RSpace does not want to know your institutional login password, so a separate password is needed any time you need to verify your identity in RSpace after your organization has already logged you in.
Without the use of an internal secondary authentication mechanism, RSpace has no way to internally authenticate users who logged in using a mechanism that RSpace does not control.
Verification passwords solve this problem.
In the My RSpace panel, you can change the verification password, or if you have forgotten it, you can reset it.
Security
- RSpace stores these passwords using a one-way hashing algorithm with salt. This means that RSpace doesn't know, nor can reconstruct the password you set, but can validate authentication attempts.
- These passwords are only functional within an existing RSpace user session and do not provide a 'backdoor' access to RSpace by-passing SSO authentication.