Consumer Commerce
CAM to IDP - Password Migration
Journeys and Requirements
06 November 2013
Version 0.3
Charlie Johnston

Version Control
No. | Release Date | Author | Notes
0.1 | 24 Oct. 13 | Charlie Johnston | First complete draft.
0.2 | 30 Oct. 13 | Charlie Johnston | Version Control added; Introduction added; Username rules added; Login/out journey added; Ref. to Simple Sign Up and Subscription documentation added; User Changes Email Address journey added; Requirement C6 (User Changes Password journey) added; Requirement T2 (Telephone Sales journey) added; Email and Page Summary branding column added; Training updated (re. THINK orders); Migration (NFR) requirements added.
0.3 | 06 Nov. 13 | Charlie Johnston | (Un)Suspend Account modified to cover automatic account suspensions; Social Network Sign-up clarified to cover Registration and subscription; Email and Page Summary tidied and Forgotten Password email removed (same as Set Password).

Contents
Version Control ....................................................................................................................................... 2
Introduction ............................................................................................................................................ 4
General Rules .......................................................................................................................................... 4
Password Rules ................................................................................................................................... 4
Username Rules .................................................................................................................................. 4
Journeys .................................................................................................................................................. 5
Login/out ............................................................................................................................................. 5
Lite Registration .................................................................................................................................. 5
Subscription ........................................................................................................................................ 5
User Changes Email Address ............................................................................................................... 6
Forgotten Password ............................................................................................................................ 7
User Changes Password ...................................................................................................................... 9
Inbound/Outbound (Telephone) Sales ............................................................................................. 10
CSR Resets Password ........................................................................................................................ 11
Social Network Sign-up ..................................................................................................................... 12
Disconnect Last Social Account ......................................................................................................... 12
(Un)Lock Account .............................................................................................................................. 13
(Un)Suspend Account ....................................................................................................................... 14
View Login History ............................................................................................................................ 14
Concurrent Sessions .......................................................................................................................... 15
Reset Terms and Conditions ............................................................................................................. 15
Email and Page Summary...................................................................................................................... 16
Emails ................................................................................................................................................ 16
Pages ................................................................................................................................................. 16
Non-Functional Requirements .............................................................................................................. 17
Volumetrics ....................................................................................................................................... 17
Training ............................................................................................................................................. 17
Migration .......................................................................................................................................... 17


Introduction
The CAM to IDP project aims to consolidate identity in the Context Space identity provider and decouple login and identity from the Think subscription system. Part of this project aims to migrate password management to IDP and to introduce some improved security practices. For more details see the wiki page
http://wiki.news.com.au/display/ARCH/Think+To+IDP+Password+Migration
This document describes all user journeys affected by the password migration to IDP, and lists all associated requirements.
General Rules
Applies to all sites with registration, currently supported by CAM and THINK (TA, HS, DT, CM, AA, PN, FS), and all future sites with registration.
Password Rules
The following validation rules are applied when a user sets their password (at any location):
- Mandatory field
- 6 to 20 alphanumeric characters
- No spaces
- Case sensitive
- Accept special characters, e.g. !@#$%^&*()_+|}{":?><
No. | Requirement | Priority
R1 | In all locations where the user sets their password (registration, subscriptions, reset password, change password) the relevant client-side validation checks are performed and appropriate error messages are displayed. | Must
R2 | Where the user sets their password, the relevant server-side validation checks are performed and appropriate error messages are displayed. | Must
Username Rules
No. | Requirement | Priority
U1 | All registered users must provide an email address as their username. | Must
U2 | Each registered user must have a unique username. | Must
Journeys
Login/out
On providing their username (email) and password, a user is logged in to the masthead or My Account. An error message is shown for incorrect username-password combinations. See the journey (Un)Lock Account (later) for multiple incorrect login attempts.
On clicking the Logout button in the masthead or My Account, the user is logged out.
No. | Requirement | Priority
G1 | Log in users who provide correct username-password combinations. | Must
G2 | Show an error message to users who provide incorrect username-password combinations. | Must
G3 | Log out users who click Logout. | Must
G4 | On login/out on the masthead, the user is returned to the same page from where they first selected to login/out. | Must
The user enters their username and password and clicks Next. The request is sent to IDP, which makes an ECS request for authentication. IDP itself now performs the authentication and sends the response to LoginController.processIdpAssertion.
Logout kills the session and redirects to a logout URL obtained from the properties file.
Lite Registration
On providing their name, email, password and postcode the user is registered (with lite access). See the Simple Sign Up documentation in the following location for more details.
\\nwnshsfs01b\nsl_nsg_pmo\Projects\Paid Content Horizon 2\003 - Requirements and Wireframes\001 - Requirements\23 Simple Sign Up
No. | Requirement | Priority
L1 | On lite registration, the (valid) user-specified password is stored, allowing them to log in with it later. | Must
Relevant service methods: CustomerService.createLightRegistration and CustomerService.createLightRegistrationAndReturnOrders
Subscription
On providing their personal and contact details, password (where not already registered) and payment (where applicable), the user is subscribed. See the Subscription documentation in the following location for more details.
\\nwnshsfs01b\nsl_nsg_pmo\Projects\Paid Content Horizon 2\003 - Requirements and Wireframes\001 - Requirements\17 Subscription Process Modifications
Note: Users can also subscribe using a social network account; see the section Social Network Sign-up.
No. | Requirement | Priority
S1 | On subscribing, the (valid) user-specified username and password are stored, allowing them to log in with them later. | Must
S2 | On subscribing, a password strength indicator is shown. See the Simple Sign Up documentation for more details. | Must
User Changes Email Address
i. User logs in to My Account and changes their email address (must be unique).
ii. The new email address is set as their username (password is unchanged).
iii. An email is sent to both the old and new email addresses to confirm the change.
iv. The user remains logged into My Account but is logged out of the masthead. They must use the new email address on next login to either.
No. | Requirement | Priority
E1 | On changing their email address, the new email address is set as the user's username. | Must

Forgotten Password
[Flow diagram: Existing User Journey and New User Journey for Forgotten Password]
Existing User Journey: email sent containing random password (and link to My Account Change Password); confirmation page saying temporary password has been sent; email has network branding (not MH specific); random password does not have to be changed (can be used to log in to MH); link to My Account requests login with new password, then change password (see later).
New User Journey: email sent with link to page where they can set a new password; confirmation page saying instructions have been sent; password reset is confirmed.
Locations: Log In lightbox & page; Social linking (signupfinal); Disconnect last social account; Various emails from THINK; Apps.
Error message for invalid or unrecognised email.
No. | Requirement | Priority
F1 | To have the Forgotten Password link in all the same locations as currently. (Preferably the URL will not change, so no development required.) | Must
F2 | To have a Forgotten Password page with appropriate copy and creative, with masthead branding. | Must
F3 | On the Forgotten Password page, an email format validation check is performed and an appropriate error message is displayed. | Must
F4 | On the Forgotten Password page, a recognised email check is performed and an appropriate error message is displayed. | Must
F5 | On the Forgotten Password page, on receiving a valid, recognised email address, present the user with an appropriate confirmation message. | Must
F6 | On the Forgotten Password page, on receiving a valid, recognised email address, send the user an email containing a link to reset their password and an appropriate message. This email can be network branded for all mastheads. | Must
F7 | If the user clicks the reset password link after 72 hours or after they have already reset their email, they are redirected to a page that explains that the link is not valid, and provides a link to the Forgotten Password page. | Must
F8 | If the user clicks the reset password link within 72 hours and they have not already reset their email, they go to a Reset Set Password page that requests their new password. | Must
F9 | Until the user has reset their password, they should be able to log in with the current password. | Must
F10 | To have a Reset Set Password page with appropriate copy and creative. This page can be network branded for all mastheads. | Must
F11 | On the Reset Set Password page, request the password twice and check they are the same. | Must
F12 | On the Reset Set Password page, on receiving a valid new password, present the user with an appropriate confirmation message. | Must
F13 | On the Reset Set Password page, on receiving a valid new password, present the user with a link to the (user's registered) masthead homepage. | Should
F14 | On the Reset Set Password page, on receiving a valid new password, send the user an email confirming that their password was reset. This email can be network branded for all mastheads. | Must
F15 | The 72 hour link expiry is configurable. | Should
F16 | Include a CAPTCHA feature to stop attacks on the Forgotten Password page. Could set a frequency-based algorithm to apply the CAPTCHA on suspicious behaviour, e.g. if the source IP has generated 3 requests within 5 minutes then it is likely to be bot activity and hence requires a CAPTCHA. | Should
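As an added illustration (not code from this document or from the systems it describes), the following Python models the Reset Set Password flow of the table above together with the server-side Password Rules check (R2): a reset link that is single-use and expires after a configurable 72 hours (F7, F8, F15), the old password staying valid until the reset completes (F9), the password requested twice (F11), and an unrecognised email producing no link (F4). ResetService, add_user and the injectable clock are hypothetical names, and the regex assumes the special characters listed under Password Rules are the allowed set.

```python
"""Added example (not the document's or the project's code): a model of the new
Forgotten Password / Set Password flow covering R2, F4, F6-F9, F11 and F15.
ResetService, add_user and the injectable clock are hypothetical; the regex
assumes the special characters listed under Password Rules are the allowed set."""
import hashlib
import hmac
import re
import secrets
import time

LINK_EXPIRY_SECONDS = 72 * 3600   # F15: the 72 hour link expiry is configurable
ALLOWED = re.compile(r'^[A-Za-z0-9!@#$%^&*()_+|}{":?><]{6,20}$')


def validate_password(pw):
    """Server-side Password Rules check (R2); returns an error message or None."""
    if not pw:
        return "Password is mandatory"
    if " " in pw or not 6 <= len(pw) <= 20:
        return "Password must be 6 to 20 characters with no spaces"
    if not ALLOWED.match(pw):
        return "Password contains an unsupported character"
    return None


def _pw_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def add_user(users, email, pw):
    """Constructed sample user store entry (email -> salt and password hash)."""
    salt = secrets.token_bytes(16)
    users[email] = {"salt": salt, "hash": _pw_hash(pw, salt)}


class ResetService:
    def __init__(self, users, now=None):
        self.users = users
        self.tokens = {}   # sha256(token) -> {"email", "issued"}: digests only, so a leaked store cannot be replayed
        self.now = now or time.time

    def request_reset(self, email):
        if email not in self.users:      # F4: unrecognised email -> error message, no link
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = {"email": email, "issued": self.now()}
        return token                     # F6: embedded in the emailed reset link

    def link_record(self, token):
        """F7/F8: None for an unknown, used or expired link, else the link record."""
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or self.now() - rec["issued"] > LINK_EXPIRY_SECONDS:
            return None
        return rec

    def set_password(self, token, pw1, pw2):
        rec = self.link_record(token)
        if rec is None:
            return "Link is not valid"   # F7: send the user back to Forgotten Password
        if pw1 != pw2:                   # F11: password requested twice
            return "Passwords do not match"
        err = validate_password(pw1)
        if err:
            return err
        user = self.users[rec["email"]]
        user["hash"] = _pw_hash(pw1, user["salt"])
        self.tokens = {k: r for k, r in self.tokens.items() if r["email"] != rec["email"]}  # F7: all links for this user are now used up
        return None                      # F12/F14: confirmation page and email follow

    def login(self, email, pw):
        u = self.users.get(email)        # F9: the old password keeps working until the reset completes
        return bool(u) and hmac.compare_digest(u["hash"], _pw_hash(pw, u["salt"]))
```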
User Changes Password
Existing User Journey
i. Log in to My Account.
ii. Navigate to My details > Edit Password.
iii. Enter existing password & new password, click Submit.
iv. Password changed after validation.
v. Email confirmation sent on password change with new password in email.
New User Journey
As above, except the new password is not included in the email confirmation.
No. | Requirement | Priority
C1 | To have a Change Password page with appropriate copy and creative. | Must
C2 | On the Change Password page, request the current and new passwords. New password to be entered twice. | Must
C3 | On the Change Password page, check the current password is correct and show an appropriate error message if not. | Must
C4 | On the Change Password page, on receiving a valid new password, present the user with an appropriate confirmation message (not shown currently). | Should
C5 | On the Change Password page, on receiving a valid new password, send the user an email confirming that their password was reset. This email can be network branded for all mastheads. It can be the same as for the Forgotten Password journey. | Must
C6 | On the Change Password page, check the new password is different from the current password and show an appropriate error message if not. There's no need to compare with older passwords. | Must
Inbound/Outbound (Telephone) Sales
Existing User Journey
i. Account created and subscription added in DISCO or THINK.
ii. Email address set as username in THINK.
iii. The customer is sent an email (generic branding) containing a temporary password (Temp + customer id).
iv. If the user logs into the masthead or My Account, they are prompted to change their password and accept Terms and Conditions.
New User Journey
i. Account created and subscription created in DISCO*.
ii. Email address set as username in ID system.
iii. The customer is sent an email containing a link to set their password.
iv. The user clicks the link and enters their preferred password.
v. Password set is confirmed after validation.
vi. Email confirmation sent on password set (no password in email).
* Creating new customers in THINK should be avoided, as customers would no longer receive the password email. See Training, later.
No. | Requirement | Priority
T1 | On account creation (in DISCO or THINK), send the user an email containing a link to set their password and an appropriate message. This email can be network branded for all mastheads. Note: requirements for the remainder of the new journey are covered by Forgotten Password from F7 onwards. | Must
T2 | Recording a customer's email address stores it as the username as well, allowing users to log in with it later. | Must
CSR Resets Password
Existing User Journey
i. CSR logs into the THINK Customer Service Interface.
ii. Find Customer and select Reset Password.
iii. The customer is sent an email (generic branding) containing a temporary password (Temp + customer id).
iv. If the user logs into the masthead or My Account, they are prompted to change their password.
New User Journey
i. CSR logs into DISCO.
ii. Find Customer and select Reset Password.
iii. The customer is sent an email containing a link to set their password.
iv. The user clicks the link and enters their preferred password.
v. Password set is confirmed after validation.
vi. Email confirmation sent on password set (no password in email).
No. | Requirement | Priority
R1 | A facility (probably in DISCO) for Customer Services to reset a customer's password. | Must
R2 | On resetting a customer's password, send the user an email containing a link to reset their password and an appropriate message. This email can be network branded for all mastheads. Note: requirements for the remainder of the new journey are covered by Forgotten Password from F7 onwards. |

Social Network Sign-up
Existing User Journey
i. User signs up (registers or subscribes) with their social network account (FB, Tw, in, G+).
ii. The customer is sent a welcome email and an email with a news+ password.
iii. If the user wants to log in to the website when their social network is down, or log in to the app, they must use the news+ password.
New User Journey
i. User signs up (registers or subscribes) with their social network account (FB, Tw, in, G+).
ii. The customer is sent a welcome email (only) with a link to request a news+ password if/when needed.
iii. The link is the same as for forgotten password.
No. | Requirement | Priority
N1 | Include wording and a link in the social sign-up email to request a news+ password. Note: requirements for the remainder of the new journey are covered by Forgotten Password from F2 onwards. | Must
N2 | To ensure the wording on the Forgotten Password page considers social sign-up customers requiring passwords for the first time. | Must
N3 | To remove the temporary password email for social sign-up customers. | Must
Disconnect Last Social Account
Existing User Journey
i. The customer disconnects their last social network account from their news+ account (in My Account).
ii. The customer is asked if they need a new news+ password.
iii. On accepting, the customer is sent an email with a new news+ password.
New User Journey
i. The customer disconnects their last social network account from their news+ account (in My Account).
ii. The customer is asked if they need a news+ password. (They may or may not have one already.)
iii. On accepting, the customer is redirected to the (re)set password page.
iv. Password (re)set is confirmed after validation.
v. Email confirmation sent on password (re)set (no password in email).
No. | Requirement | Priority
D1 | To show an appropriate message when the customer disconnects their last social network account. | Must
D1 | To provide the socially disconnecting customer with a link to (re)set their password. Note: requirements for the remainder of the new journey are covered by Forgotten Password from F7 onwards. | Must
(Un)Lock Account
Existing User Journey
i. The customer attempts to log in (to the masthead or My Account), but gets the password wrong 7 times in a row.
ii. The account is automatically locked on the 7th attempt.
iii. An email is sent to the user to explain that it will unlock after 30 mins or they can call Customer Services.
iv. Options:
  a. The account is automatically unlocked after 30 minutes.
  b. The customer calls Customer Services who unlock the account (using THINK). The CSR may also reset the password.
Notes:
If the customer clicks the forgotten password link to get a new password, the account remains locked.
No emails are sent when the account is locked or unlocked.
New User Journey
As above, except the CSR's unlock account facility will not be in THINK (probably DISCO). Also, performing the reset or forgotten password procedure should automatically unlock the account.
No. | Requirement | Priority
K1 | A facility (probably in DISCO) for Customer Services to unlock a customer's account. | Must
K2 | The Forgotten Password journey automatically unlocks the account. | Should
K3 | Automatically send an email when the customer's account is unlocked. | Could
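An added example, not code from this document or from the systems it describes: the lock and unlock behaviour of this journey in Python, with the 7 attempt threshold and the 30 minute automatic unlock as configurable constants, and the three unlock paths (automatic, CSR via K1, and the password reset journey via K2) recorded as events from which the K3 email could be sent. AccountLock, its fields and the injectable clock are hypothetical names.

```python
"""Added example (not the document's or the project's code): the (Un)Lock Account
journey, with the 7 attempt threshold and 30 minute automatic unlock configurable,
plus the K1/K2 unlock paths. Names and the injectable clock are hypothetical."""
import time

MAX_FAILURES = 7                 # locked on the 7th wrong password in a row (ii)
AUTO_UNLOCK_SECONDS = 30 * 60    # option iv.a: unlocks automatically after 30 minutes


class AccountLock:
    def __init__(self, now=None):
        self.now = now or time.time
        self.failures = {}    # email -> consecutive wrong-password count
        self.locked_at = {}   # email -> time the lock was applied
        self.events = []      # (email, event) entries feeding the user email (iii) and login history

    def is_locked(self, email):
        t = self.locked_at.get(email)
        if t is None:
            return False
        if self.now() - t >= AUTO_UNLOCK_SECONDS:
            self.unlock(email, "auto")
            return False
        return True

    def record_attempt(self, email, password_ok):
        """Outcome of one login attempt: 'ok', 'wrong' or 'locked'."""
        if self.is_locked(email):
            return "locked"      # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(email, None)   # a successful login ends the run of failures
            return "ok"
        self.failures[email] = self.failures.get(email, 0) + 1
        if self.failures[email] >= MAX_FAILURES:
            self.locked_at[email] = self.now()
            self.events.append((email, "locked"))   # email: unlocks in 30 mins or call Customer Services
            return "locked"
        return "wrong"

    def unlock(self, email, by):
        """by is 'auto' (iv.a), 'csr' (iv.b / K1) or 'password-reset' (K2)."""
        self.locked_at.pop(email, None)
        self.failures.pop(email, None)
        self.events.append((email, "unlocked:" + by))   # K3 (Could): the unlock email would be sent from here
```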
(Un)Suspend Account
Existing User Journey
A customer's account is suspended or unsuspended either manually by a CSR as required (by (un)checking the Primary Login box in THINK) or automatically, e.g. as a result of a declined payment. The customer cannot log in and is shown an appropriate message on attempting to. No emails are sent when the account is suspended or unsuspended.
New User Journey
As above, except the CSR's suspend account facility will not be in THINK (probably DISCO).
No. | Requirement | Priority
P1 | A facility (probably in DISCO) for Customer Services to suspend or unsuspend a customer's account. | Must
P2 | Automatically send an email when the customer's account is suspended or unsuspended. | Could
View Login History
Existing User Journey
Consumer Commerce Operations and Customer Services can see a history of a customer's login attempts (using THINK). This includes date, time, validation status and IP address. This is useful when determining refund eligibility and resolving password issues.
New User Journey
As above, except the feature is to be moved to DISCO.
No. | Requirement | Priority
H1 | Provide Consumer Commerce Operations and Customer Services with a (secure) customer login history in DISCO. | Must
Concurrent Sessions
Existing User Journey
A user can log in to the desktop and mobile sites on up to 7 (configurable) sessions per channel (devices or browsers) at once. The next login attempt evicts the first session.
The tablet app allows only 5 (configurable) sessions. The next login attempt will fail. The customer can call Customer Services to flush their sessions.
New User Journey
As above.
No. | Requirement | Priority
A1 | Provide a facility to limit concurrent sessions for the desktop and mobile sites. Note: Apps will be unchanged. | Must
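An added example, not code from this document or from the systems it describes: the Concurrent Sessions rule above in Python, with the per-channel limits (7 for the desktop and mobile sites, 5 for the tablet app) configurable, the sites evicting the oldest session and the app refusing the login, and the Customer Services flush. SessionRegistry and the channel names are hypothetical.

```python
"""Added example (not the document's or the project's code): the Concurrent
Sessions rule with configurable per-channel limits and the two different
over-limit behaviours. SessionRegistry and the channel names are hypothetical."""
from collections import deque

CHANNEL_LIMITS = {"desktop": 7, "mobile": 7, "tablet-app": 5}   # configurable per channel
EVICT_OLDEST = {"desktop", "mobile"}   # sites evict the first session; the app refuses the login


class SessionRegistry:
    def __init__(self, limits=None):
        self.limits = dict(limits or CHANNEL_LIMITS)
        self.sessions = {}   # (user, channel) -> deque of session ids, oldest first

    def login(self, user, channel, session_id):
        """Returns (accepted, evicted_session_id); evicted is None unless a site evicted one."""
        q = self.sessions.setdefault((user, channel), deque())
        if len(q) >= self.limits[channel]:
            if channel not in EVICT_OLDEST:
                return False, None          # tablet app: the next login attempt fails
            evicted = q.popleft()           # sites: the next login evicts the first session
            q.append(session_id)
            return True, evicted
        q.append(session_id)
        return True, None

    def flush(self, user, channel):
        """Customer Services flushes a user's sessions; returns how many were cleared."""
        return len(self.sessions.pop((user, channel), ()))

    def active(self, user, channel):
        return list(self.sessions.get((user, channel), ()))
```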
Reset Terms and Conditions
Existing User Journey
Consumer Commerce Operations can flag that the Terms and Conditions have been reset, forcing the customer to accept them (by checking a box) on next login.
New User Journey
As above.
No. | Requirement | Priority
B1 | Provide a facility to reset Terms and Conditions, forcing the customer to accept them (by checking a box) on next login. | Should

Email and Page Summary
The following emails and pages are required for the new journeys.
Emails
Email Name | Branding | Status
Forgotten password | Network | Modify
Set password | Network | Modify
Password reset confirmation | Network | Modify
Set password (new customer) | Network | Modify
Social sign-up email | Masthead | Modify
Social temporary password email | n/a | Remove
Account locked (Could) | Network | Add
Account suspended (Could) | Network | Add
Account unsuspended (Could) | Network | Add
Pages
Page Name | Branding | User | Status
Forgotten/Request Password | Masthead | Customer | Modify
Change Password | Masthead | Customer | No Change
Set Password | Network | Customer | Add
Disconnect Last Social Account Message | Masthead | Customer | Modify
Unlock Account | n/a | News | Add
(Un)Suspend Account | n/a | News | Add
Login History | n/a | News | Add
Reset Ts & Cs (Should) | n/a | News | Add


Non-Functional Requirements
Volumetrics
Function | Current /day | Projected /day
Forgotten password request | <1000 |
Password Reset | unknown |
Training
NAA will need training for the following new facilities:
Inbound/Outbound (Telephone) Sales (DISCO)
  o To inform customers how they will get their password.
Inbound/Outbound (Telephone) Sales (THINK)
  o Avoid this where possible (use DISCO)
  o If unavoidable, reset password in DISCO after creating customer in THINK
Reset Password (moving to DISCO)
Unlock Account (moving to DISCO)
(Un)Suspend Account (moving to DISCO)
Login History
Migration
No. | Requirement | Priority
M1 | Existing registered users should not have to re-register or resubmit their username (email address) to be able to log in. | Must
M2 | Existing registered users should not be forced to reset their passwords. | Should
M3 | Existing registered users should not be logged out other than at their own request or after the usual 90 days. | Should
M4 | Existing registered users should not experience any unreasonable additional delays on logging in or out or accessing content. | Must
