AAAI-03

For customers not using SSO, can you enforce password/passphrase complexity requirements (provided by the institution)?

Explanation

This question asks whether your system can enforce custom password complexity requirements specified by the institution (customer) for users who do not authenticate through Single Sign-On (SSO). Password complexity refers to rules that make passwords stronger and harder to guess, such as a minimum length and required character types (special characters, numbers, uppercase letters, and so on).

Why this matters in security assessments:

1. Strong passwords are a fundamental security control against unauthorized access.
2. Different organizations have different security policies and compliance requirements.
3. The ability to customize password requirements lets institutions align your service with their internal security policies.

SSO users typically authenticate through their institution's identity provider, so they follow the password rules of that system. This question specifically addresses non-SSO users who authenticate directly with your service.

A good answer should clearly state:

- Whether your system can enforce custom password complexity requirements
- Which parameters can be customized (length, character types, expiration, etc.)
- How these customizations are implemented (admin portal, API, support request, etc.)
- Any limitations on customization

Example Responses

Example Response 1

Yes, our platform allows institutional administrators to configure custom password complexity requirements for non-SSO users through our admin portal. Configurable parameters include: minimum password length (8-30 characters), required character types (lowercase, uppercase, numbers, special characters), password history enforcement (preventing reuse of 1-24 previous passwords), maximum password age (30-365 days), and account lockout thresholds (3-10 failed attempts). These settings can be applied globally or to specific user groups. We also support password complexity validation via regular expressions for institutions with specialized requirements.
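The following is an added illustration, not code from the original page or from any product it describes, of how the parameters listed in the explanation above and in this example response can be enforced as an institution-specific policy for non-SSO users: minimum length, required character classes, an optional institution-supplied regular expression, password history (checked against stored salted PBKDF2 hashes rather than plaintext), maximum password age, and a lockout threshold. The `PasswordPolicy` field names, the hashing parameters and the sample passwords are assumptions chosen for this example.

```python
"""Institution-configurable password policy for direct (non-SSO) users.

Added example; field names, hash parameters and sample data are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


@dataclass(frozen=True)
class PasswordPolicy:
    """One policy per institution; defaults mirror a common baseline."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_depth: int = 5            # previous passwords that may not be reused
    max_age_days: int | None = 90     # None disables expiry
    lockout_threshold: int = 5        # failed attempts before lockout
    extra_pattern: str | None = None  # optional institution-supplied regex


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); the history store keeps these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def validate_new_password(policy: PasswordPolicy, candidate: str,
                          history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")

    class_checks = [
        (policy.require_lower, r"[a-z]", "a lowercase letter"),
        (policy.require_upper, r"[A-Z]", "an uppercase letter"),
        (policy.require_digit, r"[0-9]", "a digit"),
        (policy.require_special, r"[^A-Za-z0-9]", "a special character"),
    ]
    for required, pattern, description in class_checks:
        if required and not re.search(pattern, candidate):
            problems.append(f"must contain {description}")

    # Institution-supplied regex must match the whole password, if configured.
    if policy.extra_pattern and not re.fullmatch(policy.extra_pattern, candidate):
        problems.append("does not match the institution's required pattern")

    # Guard history_depth == 0: history[-0:] would be the entire list.
    if policy.history_depth > 0:
        for salt, digest in history[-policy.history_depth:]:
            if matches_hash(candidate, salt, digest):
                problems.append(f"reuses one of the previous {policy.history_depth} passwords")
                break
    return problems


def password_expired(policy: PasswordPolicy, changed_at: datetime,
                     now: datetime | None = None) -> bool:
    """True when the password is older than the policy's maximum age."""
    if policy.max_age_days is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now - changed_at > timedelta(days=policy.max_age_days)


def locked_out(policy: PasswordPolicy, failed_attempts: int) -> bool:
    """True once the consecutive failure count reaches the lockout threshold."""
    return failed_attempts >= policy.lockout_threshold


if __name__ == "__main__":
    # Constructed sample: an institution requiring 12+ characters and 3-deep history.
    policy = PasswordPolicy(min_length=12, history_depth=3)
    previous = [hash_password(p) for p in ["OldPassw0rd!", "Another0ne!!", "Third0ne!!!"]]
    print(validate_new_password(policy, "Fresh-Secret-42", previous))   # []
    print(validate_new_password(policy, "OldPassw0rd!", previous))      # reuse violation
    print(validate_new_password(policy, "short", previous))             # four violations
```

Each institution's settings live in a `PasswordPolicy` instance loaded from its configuration, so a change request from the institution becomes a data change rather than a code change; the validator returns every violation at once so the user sees the full set of rules in a single attempt.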

Example Response 2

Yes, our application supports customizable password complexity requirements for direct authentication users. Institutions can specify their requirements during onboarding, and our support team will configure these settings in our system. We can enforce minimum length (8+ characters), character composition requirements (uppercase, lowercase, numbers, symbols), password expiration periods, and account lockout policies. While these settings cannot be changed directly by institutional administrators, they can be updated at any time by submitting a change request through our customer support portal, with changes typically implemented within 24-48 hours.

Example Response 3

No, our system currently has fixed password complexity requirements that cannot be customized per institution. All non-SSO users must follow our standard password policy, which requires a minimum of 8 characters including at least one uppercase letter, one lowercase letter, one number, and one special character. Passwords expire after 90 days and users cannot reuse their previous 5 passwords. While we understand the desire for customization, our current architecture doesn't support institution-specific password policies. We recommend using our SSO integration for institutions that need to enforce their own password requirements.

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub