#dominoforever | Product Ideas Portal


Forgotten password: Domino self-service password change using SMS password delivery

When a user requests a new password because they forgot it (either by using a Notes Client or by using a Browser), Domino should be able to automatically set a new password for a user and deliver it to the user via SMS to their mobile phone number (if defined in the Person Document).

For additional security at this unauthenticated stage, additional features should be available, such as:

  • Security questions/answers initially pre-defined by the user, or autogenerated by Domino
  • Anomaly detection by an integrated Domino Watson service (e.g. based on source IP number)
  • Re-Captcha
  • Other features definable by the Administrator

Domino should log the event in an auditable way, and inform Domino operators about the event.

  • Guest
  • Jul 31 2018
  • No Plans to Implement
  • Guest commented
    7 Jun, 2021 07:37am

    @Thomas Hampel: I disagree.

    The one-time password could be configured in a way that it does not work unless a security question is answered correctly (basically a 2nd factor). In addition, the OTP can be configured to expire after a short amount of time.

  • Admin
    Thomas Hampel commented
    6 Jun, 2021 04:17pm

    Delivering passwords via SMS means that they would be sent in clear text, so we need to reject this idea because this is insecure.

  • Guest commented
    21 Oct, 2018 11:23pm

    In response to "SMS is inherently insecure": What alternative communication channel would you suggest, that is less broken than email and SMS?

    And the other aspect is, if a platform provides a certain feature, organizations are free to use it, or not. But if the feature isn't there, organizations may be stuck with expensive and slow call-center-based processes.

  • Guest commented
    29 Aug, 2018 12:04am

    Most of the companies I work for, and mine, would not be able to honor/implement/support the new password being in the e-mail, because of regulatory compliance to "protect the user", but a temp password that works for the next "hour" or so should/might get past those internal and external fear-based auditors.

  • Guest commented
    24 Aug, 2018 09:02am

    SMS is inherently insecure, as multiple examples exist of SIM spoofing. With identity theft using SIM spoofing on the rise, I would rather see this feature NOT implemented.

  • Guest commented
    2 Aug, 2018 08:45am

    I would imagine that there would already be one or more business partners that have already built a self-service password reset solution. So personally I would prefer to buy / use those products so HCL developers can spend their time doing other requests. IMHO, this is a win-win solution for everyone.

  • Guest commented
    1 Aug, 2018 07:08am

    This request goes into the direction of my ticket https://domino.ideas.aha.io/ideas/DOMINO-I-93