Summary
To improve the security of the PBX, end users will no longer use their voicemail pin to login to
the portal/api. A new “password” field will be exposed for each PBX user which will store the
password that is used to authenticate with the PBX via the Portal/API. Once a password has
been defined for the user the user will use their password going forward to access the PBX
Portal/API. Users will continue to use their voicemail pin to access their voicemail.
Affected Applications
The introduction of the secure password will affect the PBX Portal/API and any application
which leverages it for authentication. This includes:
Schedule
The following section describes the process by which passwords will be defined for existing
users. This rollout will be performed in 3 phases. The dates that each phase begins along with
the details of the phases are outlined below.
Phase 1: Warn Users To Define a Password
11/5/2018 - When a user logs into the portal, the portal will warn users that their password
needs to be set in the next 30 days via a flash message centered at the top of the page.
Phase 2: Force Users To Define a Password
11/19/2018 - When a user logs into the portal who has not yet set a password, they will be
forced to define a password before navigating further into the portal. They will also be forced to
redeclare their voicemail pin. There is a new blacklist of voicemail pins containing frequently
used pins such as 1111, 1234, etc. Users will not be allowed to declare voicemails pins found in
the blacklist. Upon filling out the password update form, the user will be logged into the portal.
Phase 3: Direct Users to “Reset Password” Flow.
12/3/2018 - Users who have not yet defined a password will be directed through the “Password
Reset” flow upon logging in with their voicemail pin. See the Password Reset section of this
document for more details on this flow.
New User - Welcome Email
The Portal can now be used to generate a welcome email to users to facilitate their access to
the PBX. The email contains an auth code. When selecting “Complete Setup”, the system
validates the auth code in link and takes the user to the portal to establish New User
Credentials.
Upon Entering the New Password and New Voicemail PIN, the user will be logged into
the portal and directed to their Home Page.
Sending Welcome Emails
Welcome emails can be generated two ways:
1. The system administrator sends the welcome email when setting up users, or using the
bulk action to send emails.
2. New users can trigger the email by clicking the Are you a new user? link on the login
page. After clicking the Are you a new user? link the user will be prompted to enter their
email address and extension if known. If their email address is not yet in the system, or
the email address and extension do not match what is in the system, they will receive a
notification to contact their administrator. If the email address and extension complete
validation in the system, the user will receive a notification in the portal and a welcome
email.
Password Reset
Password resets can be initiated by the user or by an administrator. The following steps occur to
complete a password reset:
1. Upon triggering the reset, the user will receive an email to reset their password, like
below.
2. Selecting “Reset Password” will direct the user to the Password reset page.
3. Upon entering and confirming the new password, and selecting “Save”, the user will be
logged into the portal.
Password Change At Will
If the user knows their login name and simply wants to change/update their password, they can
log in to the portal and navigate to their Profile.
1. Once in the Profile, the user can scroll to “Change Account Security”, where they have
the ability to:
a. Change their email address.
b. Enter a new secure password(same restrictions applied and verified).
c. Verify changes by entering the current password.
d. Once Updated, the user will see a green pop up stating the Profile has been
updated and the user will remain logged into the portal.
Existing User Credentials Recovery
If a user has forgotten their Login Name or Password, they now have the option to recover their
credentials via the login page.
Forgot Login Name
After clicking the “Forgot Login Name” link on the login page, the
Forgot Login Name will Prompt for the User Email and (Optional) Extension
If the email (and extension) match the user in the system, a Login Name Request email will be
sent the user email. If validation fails, the user will receive a error message in the portal
prompting them to contact their administrator. Validation can fail if the email and extension are
duplicated on more than one domain; for example, if the email address first.last@gmail.com and
extension 1001 are both used in domain abc-company.11111.service and domain
acme.11111.service, this creates a collision.
Forgot Password
Clicking the Forgot Password link on the login page will prompt the user for their Login Name.
If the user enter a known login name, they will be taken through the Password Reset flow.
Jason Lord
Summary
To improve the security of the PBX, end users will no longer use their voicemail pin to login to
the portal/api. A new “password” field will be exposed for each PBX user which will store the
password that is used to authenticate with the PBX via the Portal/API. Once a password has
been defined for the user the user will use their password going forward to access the PBX
Portal/API. Users will continue to use their voicemail pin to access their voicemail.
Affected Applications
The introduction of the secure password will affect the PBX Portal/API and any application
which leverages it for authentication. This includes:
Schedule
The following section describes the process by which passwords will be defined for existing
users. This rollout will be performed in 3 phases. The dates that each phase begins along with
the details of the phases are outlined below.
Phase 1: Warn Users To Define a Password
11/5/2018 - When a user logs into the portal, the portal will warn users that their password
needs to be set in the next 30 days via a flash message centered at the top of the page.
Phase 2: Force Users To Define a Password
11/19/2018 - When a user logs into the portal who has not yet set a password, they will be
forced to define a password before navigating further into the portal. They will also be forced to
redeclare their voicemail pin. There is a new blacklist of voicemail pins containing frequently
used pins such as 1111, 1234, etc. Users will not be allowed to declare voicemails pins found in
the blacklist. Upon filling out the password update form, the user will be logged into the portal.
Phase 3: Direct Users to “Reset Password” Flow.
12/3/2018 - Users who have not yet defined a password will be directed through the “Password
Reset” flow upon logging in with their voicemail pin. See the Password Reset section of this
document for more details on this flow.
New User - Welcome Email
The Portal can now be used to generate a welcome email to users to facilitate their access to
the PBX. The email contains an auth code. When selecting “Complete Setup”, the system
validates the auth code in link and takes the user to the portal to establish New User
Credentials.
Upon Entering the New Password and New Voicemail PIN, the user will be logged into
the portal and directed to their Home Page.
Sending Welcome Emails
Welcome emails can be generated two ways:
1. The system administrator sends the welcome email when setting up users, or using the
bulk action to send emails.
2. New users can trigger the email by clicking the Are you a new user? link on the login
page. After clicking the Are you a new user? link the user will be prompted to enter their
email address and extension if known. If their email address is not yet in the system, or
the email address and extension do not match what is in the system, they will receive a
notification to contact their administrator. If the email address and extension complete
validation in the system, the user will receive a notification in the portal and a welcome
email.
Password Reset
Password resets can be initiated by the user or by an administrator. The following steps occur to
complete a password reset:
1. Upon triggering the reset, the user will receive an email to reset their password, like
below.
2. Selecting “Reset Password” will direct the user to the Password reset page.
3. Upon entering and confirming the new password, and selecting “Save”, the user will be
logged into the portal.
Password Change At Will
If the user knows their login name and simply wants to change/update their password, they can
log in to the portal and navigate to their Profile.
1. Once in the Profile, the user can scroll to “Change Account Security”, where they have
the ability to:
a. Change their email address.
b. Enter a new secure password(same restrictions applied and verified).
c. Verify changes by entering the current password.
d. Once Updated, the user will see a green pop up stating the Profile has been
updated and the user will remain logged into the portal.
Existing User Credentials Recovery
If a user has forgotten their Login Name or Password, they now have the option to recover their
credentials via the login page.
Forgot Login Name
After clicking the “Forgot Login Name” link on the login page, the
Forgot Login Name will Prompt for the User Email and (Optional) Extension
If the email (and extension) match the user in the system, a Login Name Request email will be
sent the user email. If validation fails, the user will receive a error message in the portal
prompting them to contact their administrator. Validation can fail if the email and extension are
duplicated on more than one domain; for example, if the email address first.last@gmail.com and
extension 1001 are both used in domain abc-company.11111.service and domain
acme.11111.service, this creates a collision.
Forgot Password
Clicking the Forgot Password link on the login page will prompt the user for their Login Name.
If the user enter a known login name, they will be taken through the Password Reset flow.