
Comment by mooreds

2 days ago

Another common reason to do a force password reset is if they've moved authentication providers and were not able to bring their hashes along. Some providers don't allow for hash export (Cognito, Entra).

Or just if they changed to a more secure hash algorithm themselves and want to upgrade users still on the older insecure one.

  • This can be done at login time without the user noticing, as you have the plaintext password for a moment.

    • Yeah, this is the best practice. We offer that in our product.

      But it's possible that you could follow the best practice and still force a reset. This could be because:

      * the customer or provider doesn't want to wait for everyone to log in

      * they've waited for N months and now there is a block of users who have not logged in yet and they think it is worth the user annoyance to just force them all to reset their password

  • They could do that by comparing against the old hash and, if it matches, generating the new hash to store somewhere.
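The login-time upgrade described in the replies above (verify against the old hash while the plaintext is briefly in hand, then store a new hash) and the follow-up step of forcing a reset for whoever has not logged in after N months, as one added example. This is not code from the thread or from any product mentioned in it; the user store, the legacy unsalted SHA-1 scheme, the PBKDF2 parameters and the sample passwords are all constructed assumptions.

```python
"""Opportunistic password-hash upgrade at login, plus the laggard sweep.

Added example, not from the thread or any vendor named in it. Assumes a
constructed in-memory user store where legacy records hold an unsalted
SHA-1 hex digest and upgraded records hold salted PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: iteration count chosen for the example; tune to current guidance.
PBKDF2_ITERATIONS = 600_000
MODERN_PREFIX = "pbkdf2_sha256$"


def legacy_hash(password: str) -> str:
    """Constructed legacy scheme: unsalted SHA-1, the kind worth migrating away from."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so verify() can parse it later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    return not stored.startswith(MODERN_PREFIX)


def verify(password: str, stored: str) -> bool:
    """Check a password against either format; constant-time compare in both branches."""
    if not is_legacy(stored):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)


def login(users: dict, username: str, password: str, now: datetime) -> bool:
    """Authenticate; on success, silently rehash legacy records while the plaintext is in hand."""
    rec = users.get(username)
    if rec is None or not verify(password, rec["hash"]):
        return False
    if is_legacy(rec["hash"]):
        rec["hash"] = modern_hash(password)  # the only moment the plaintext is available
    rec["last_login"] = now
    return True


def users_to_force_reset(users: dict, migration_started: datetime,
                         now: datetime, grace: timedelta) -> list:
    """After the grace period, anyone still on the legacy hash never logged in: force a reset."""
    if now - migration_started < grace:
        return []
    return sorted(name for name, rec in users.items() if is_legacy(rec["hash"]))


def build_store() -> dict:
    """Constructed sample data: two legacy users, one already upgraded."""
    return {
        "alice": {"hash": legacy_hash("correct horse battery staple"), "last_login": None},
        "bob":   {"hash": legacy_hash("hunter2"), "last_login": None},
        "carol": {"hash": modern_hash("tr0ub4dor&3"), "last_login": None},
    }


if __name__ == "__main__":
    store = build_store()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    later = start + timedelta(days=200)
    login(store, "alice", "correct horse battery staple", start)   # alice gets upgraded
    print("alice upgraded:", not is_legacy(store["alice"]["hash"]))
    print("force reset:", users_to_force_reset(store, start, later, timedelta(days=180)))
```

Only the login path ever sees the plaintext, so the sweep at the end cannot convert the stragglers itself; it can only identify them, which is exactly why the thread lands on a forced reset for that block of users.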