User Management Improvements
By: Shaun Walker
Up until Oqtane 3.1, the primary authentication method available in Oqtane was logging in with a local user account. This functionality relies on the standard .NET Core Identity provider; however, Oqtane used a customized implementation so that the user interface could be written using native Blazor components. That customized implementation did not fully support all of the .NET Core Identity capabilities, so the 3.1 release adds a variety of additional features in this area. These were added to the Settings tab of the User Management page.
Ensuring your users utilize sufficiently complex passwords is vital to the integrity of your site. The default password criteria have been significantly hardened in 3.1, and the criteria can now be customized per site as well. Increased password complexity makes it more difficult for users to enter their passwords correctly, so a feature has been added to Login that allows a user to view the password they entered if they are having difficulty.
The user lockout feature improves application security by locking out a user who enters a password incorrectly several times. This technique helps protect against brute-force attacks, in which an attacker repeatedly tries to guess a password. This feature is now enabled by default in 3.1, and the lockout criteria can be customized per site as well.
Two-factor authentication (also called 2FA, multi-factor authentication, or MFA) is a process in which a user is asked, during sign-in, for an additional form of identification. Requiring a second form of authentication significantly enhances security, as the additional factor cannot be easily obtained or duplicated by an attacker. The 3.1 release now allows a user to specify whether they wish to enable two-factor authentication for their account. Please note that the Admin needs to enable this feature, and the only supported delivery mechanism at this time is email notification.
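Since Oqtane's new settings sit on top of the standard .NET Core Identity provider, the following added example (not Oqtane's own code) shows what the three features above correspond to in the underlying Identity API: password complexity and lockout options, and a sign-in flow that counts failures toward lockout and delivers the second factor by email. The class name, the numeric policy values, the use of `IdentityUser` and the `IEmailSender` dependency are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityHardeningExample
{
    // Password and lockout policy. The numeric values are illustrative
    // assumptions, not Oqtane's 3.1 defaults.
    public static void ConfigurePolicy(IServiceCollection services)
    {
        services.Configure<IdentityOptions>(options =>
        {
            // Complexity rules enforced by the PasswordValidator on register/change.
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequiredUniqueChars = 4;
            // After MaxFailedAccessAttempts consecutive failures the account is
            // locked for DefaultLockoutTimeSpan, capping the online guessing rate.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        });
    }

    // Sign-in that honours the lockout policy and emails the second factor.
    public static async Task<string> SignInAsync(
        SignInManager<IdentityUser> signInManager, UserManager<IdentityUser> userManager,
        IEmailSender emailSender, string userName, string password)
    {
        // lockoutOnFailure: true makes a wrong password count toward the
        // threshold; with false the failure counter is never incremented.
        var result = await signInManager.PasswordSignInAsync(userName, password, isPersistent: false, lockoutOnFailure: true);
        if (result.IsLockedOut) return "locked-out";
        if (result.RequiresTwoFactor)
        {
            // Reached only if the user enabled 2FA and has a valid provider;
            // the email provider also requires a confirmed email address.
            var user = await signInManager.GetTwoFactorAuthenticationUserAsync();
            var code = await userManager.GenerateTwoFactorTokenAsync(user, TokenOptions.DefaultEmailProvider);
            await emailSender.SendEmailAsync(await userManager.GetEmailAsync(user), "Your sign-in code", code);
            return "2fa-code-sent";
        }
        return result.Succeeded ? "signed-in" : "invalid-credentials";
    }
}
```

The emailed code is later verified with `signInManager.TwoFactorSignInAsync(TokenOptions.DefaultEmailProvider, code, isPersistent: false, rememberClient: false)`, which completes the sign-in only if the code matches.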