About this Release

This release is an independent branch of the Infosys Equinox Commerce platform, focusing on password policy improvements and security vulnerability fixes.

Note: This release contains no backward-compatibility changes.

Key Areas of Focus

Password Policy Improvements

Here is a list of all the password policy improvements implemented for this release:

Expiration Policy

Implemented an expiration policy for login tokens and OTPs so that they cannot be reused across multiple session IDs.

Authenticator MFA for Admins

Integrated with authenticator apps (such as Google Authenticator, Microsoft Authenticator, etc.) to enable multi-factor authentication for admin users when the collection properties MFA_enabled and MFA_authenticator_enabled are both set to true.

Super Admin Password Policy

  • Super admins can edit the privileges for collection ID 1 under the Configurations tab. The Configurations tab is visible only to super admin users, and it is where the collection ID 1 privileges for customer, auth, and notification are edited.
  • Restricted the use of default passwords for super admin users: password complexity requirements are enforced so that complex passwords are used instead of default ones.
  • Super admin users can reset MFA for any individual admin user via the Teams tab in the Foundation Admin console.
  • Introduced a dedicated option for super admins to edit and update the privileges of business admins.

User Enumeration

When an account is locked after multiple incorrect login attempts, an email notifying the user of the failed attempts (including a reset-password link) is sent. The number of allowed attempts is configured in the collection property max_login_attempts, which is set to “3”.

Breached Password Protection

  • In the Customers (User) service, the APIs postBlackListItem, getAllBlackListItem, and deleteBlackListItem have been added under the new “Black List Item” controller. This reduces the risk of unauthorized access and data breaches, enhancing the organization’s security posture.
  • A newly created password is validated against the set of common/compromised passwords.

Password Expiry Configuration

Password expiry is configured as 60 days by default in the collection property “password_expiry_days”, which defines the number of days until a password expires. Users receive an email notification 14 days before their password expires, as configured in the collection property “password_expiry_reminder_before_days”.

Password Encryption and Hashing Support

Stored passwords are protected with one-way encryption or hashing. A stored password cannot be decrypted back to clear text, which limits its exposure to password-cracking utilities.

Secure Account Creation with Expiring Passwords

When a business user creates an account, the password must be random and secure, preset to expire upon login, and automatically sent securely to the user via SMS or email.

Minimum Password Age

This setting determines how many days a new password must be kept before the user can change it again. It is designed to work with the enforced password history setting, so that users cannot reset their password the required number of times in quick succession and then change back to an old password. As per the enforced policy, a user must keep a new password for a minimum of 5 days, which is configured in the collection properties “password_change_interval” and “password_change_limit_interval”.

Minimum Password Length

The minimum password length is maintained via the collection property “passwordMinLength”. The minimum password length is 8 characters.

Enforce Complex Password

This setting determines whether password complexity is enforced. When it is enabled, user passwords must contain at least three of the following four character types:

  • Lowercase alphabetical: Configure the collection property “requiredLowerCase” with the value true.
  • Uppercase alphabetical: Configure the collection property “requiredUpperCase” with the value true.
  • Numerical: Configure the collection property “requiredNumber” with the value true.
  • Special characters (punctuation): Configure the collection property “allowedSpecialChars”; for example, !@#$%^&*_

Account Lock

This policy determines how many invalid login attempts a user may make before the account is locked:

  • Admin User: For account lockout, the threshold is configured as “3” by default for an Admin user in the existing collection property “max_login_attempts”.
  • Domain Account Lockout Policy: The Domain Account Lockout policy setting is configured as follows:
    • For the account lockout duration, configure the collection property max_login_attempts with the value “0” to lock the account permanently; it then unlocks automatically after 24 hours, or a super admin can unlock it.
    • For the account lockout threshold, configure the collection property max_login_attempts with the value “3” for the number of login attempts (for both the default and stringent accounts).
    • The new collection property login_attempt_expiry_millisecs takes a value in milliseconds (for example, 86400000 for 1440 minutes, i.e. 24 hours) and is used to unlock the account once the defined interval has elapsed.
  • Flexible Account Lockout Policy: A stringent account lockout threshold is available for privileged users, high-profile users, and project users (based on the project requirement/compliance) and is assigned per requirement. The account lockout threshold is set to “3” and applies to both default and stringent accounts.
  • Reset Account Lockout: The account lockout is reset automatically after it permanently locks following “n” invalid logins. The Reset Account Lockout counter determines the number of minutes that must elapse after a failed login attempt before the bad logon attempt counter is reset to “0” bad logons. The new collection property reset_account_lockout_counter is set to 86400000 (in milliseconds).
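The lockout behaviour above (threshold, automatic unlock after login_attempt_expiry_millisecs, failure counter reset after reset_account_lockout_counter) as an added worked example; this is illustrative code, not the Infosys Equinox implementation, and the dictionary layout of the collection properties is an assumption.

```python
# Constructed lockout settings using the collection-property names from these release
# notes, with the default values the notes give; the collection's real shape is assumed.
LOCKOUT = {
    "max_login_attempts": 3,                      # lock after this many failures
    "login_attempt_expiry_millisecs": 86400000,   # auto-unlock 24 hours after locking
    "reset_account_lockout_counter": 86400000,    # failures older than this no longer count
}

class LoginState:
    """Per-account failure counter and lock timer; all timestamps are in milliseconds."""

    def __init__(self):
        self.failures = 0
        self.last_failure_ms = None
        self.locked_at_ms = None

    def unlock(self):
        # Same effect as a super admin unlock: clear the lock and the counter.
        self.failures = 0
        self.last_failure_ms = None
        self.locked_at_ms = None

    def is_locked(self, now_ms, cfg=LOCKOUT):
        if self.locked_at_ms is None:
            return False
        if now_ms - self.locked_at_ms >= cfg["login_attempt_expiry_millisecs"]:
            self.unlock()            # automatic unlock once the expiry window has passed
            return False
        return True

    def record_failure(self, now_ms, cfg=LOCKOUT):
        """Register a bad login; returns True if this failure locked the account."""
        if (self.last_failure_ms is not None
                and now_ms - self.last_failure_ms >= cfg["reset_account_lockout_counter"]):
            self.failures = 0        # stale failures fall out of the counting window
        self.failures += 1
        self.last_failure_ms = now_ms
        if self.failures >= cfg["max_login_attempts"]:
            self.locked_at_ms = now_ms
            return True              # caller sends the lockout email with the reset link
        return False

    def record_success(self, now_ms, cfg=LOCKOUT):
        """A correct password only counts while the account is not locked."""
        if self.is_locked(now_ms, cfg):
            return False
        self.unlock()
        return True
```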

Enforce Password History

This setting determines the number of unique new passwords a user must use before an old password can be reused. As per the enforced policy, a user is not allowed to reuse any of the last 12 passwords when changing the domain password. The default number of old passwords retained is set to 12 in the collection property “last_password_check_count”. The alert message “Previously used 12 passwords cannot be reused.” is shown when a user tries to reset the password from the My Account profile page.
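The minimum-length, complexity, minimum-age and password-history rules described above, combined into one validator as an added example; this is illustrative code, not the platform's own, and the policy dictionary, the days unit for password_change_interval and the stand-in hash are assumptions.

```python
import hashlib
import re

# Constructed policy using the collection-property names from these release notes,
# with the default values the notes describe (the collection's real shape is assumed).
POLICY = {
    "passwordMinLength": 8,
    "requiredLowerCase": True,
    "requiredUpperCase": True,
    "requiredNumber": True,
    "allowedSpecialChars": "!@#$%^&*_",
    "last_password_check_count": 12,
    "password_change_interval": 5,       # minimum password age, assumed to be in days
}

def hash_password(password: str) -> str:
    # Stand-in one-way hash so the history holds no clear text; the platform's real
    # algorithm is not stated in the notes, and production code uses a salted slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def present_classes(password: str, policy: dict) -> set:
    """Character classes found in the password, counting only classes the policy enables."""
    found = set()
    if policy["requiredLowerCase"] and re.search(r"[a-z]", password):
        found.add("lower")
    if policy["requiredUpperCase"] and re.search(r"[A-Z]", password):
        found.add("upper")
    if policy["requiredNumber"] and re.search(r"[0-9]", password):
        found.add("number")
    if any(c in policy["allowedSpecialChars"] for c in password):
        found.add("special")
    return found

def validate_new_password(password, history_hashes, days_since_last_change, policy=POLICY):
    """Return the list of policy violations; an empty list means the password is accepted.

    history_hashes holds the user's previous password hashes, most recent first.
    """
    errors = []
    if days_since_last_change < policy["password_change_interval"]:
        errors.append(f"Password must be kept for {policy['password_change_interval']} days before it can be changed.")
    if len(password) < policy["passwordMinLength"]:
        errors.append(f"Password must be at least {policy['passwordMinLength']} characters.")
    if len(present_classes(password, policy)) < 3:
        errors.append("Password must contain at least three of: lowercase, uppercase, number, special character.")
    n = policy["last_password_check_count"]
    if hash_password(password) in history_hashes[:n]:
        errors.append(f"Previously used {n} passwords cannot be reused.")
    return errors
```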

Open-Source Library Vulnerability Fixes

  • One unique open-source security vulnerability has been patched in the Infosys Equinox Commerce platform in this release.
    • Vulnerability severity level: Medium – 2


Revision History
2024-08-21 | JP – Added content for Release 8.17.6