A verification password provides additional security when performing sensitive actions, such as
- changing email address.
- signing or witnessing documents
- creating or resetting API keys
Why are verification passwords needed?
SSO user sessions may persist for several hours. If you leave your computer unattended without logging out, somebody else could use your session to perform actions on your account. Some sensitive actions could result in irreversible changes, or alter how your account is accessed or managed. Therefore, RSpace prompts for additional authentication for these actions.
If you login to RSpace using your SingleSignOn or Google credentials, authentication is performed by an external service and it's a best practice ro make sure that RSpace has no access to, and does not store these credentials. Essentially, RSpace does not want to know your institutional login password, so a separate password is needed any time you need to verify your identity in RSpace after your organization has already logged you in.
Without the use of an internal secondary authentication mechanism, RSpace has no way to internally authenticate users who logged in using a mechanism that RSpace does not control.
Verification passwords solve this problem.
- RSpace stores these passwords using a one-way hashing algorithm with salt. This means that RSpace doesn't know, nor can reconstruct the password you set, but can validate authentication attempts.
- These passwords are only functional within an existing RSpace user session and do not provide a 'backdoor' access to RSpace by-passing SSO authentication.