Enabling application passwords

Application passwords provide a secure login for applications that do not support forms-based authentication. For example, they can be used for applications on a mobile device that require a password, or in organizations that use federated identity, where service login passwords are not used. When you enable application passwords, you can also require their use and allow mobile users to bypass IP restrictions.

About this task

If you require an application password, the service login password is disabled for the application, and users must log in with the application password. For example, users would be required to use the application password to log in to the service on a mobile device or in a browser. However, they could still use the service login password to log in to the service web site and for other applications. If you do not require an application password, users can continue to log in from a browser, for example, using their service login password.
If you allow mobile users to bypass IP restrictions, application passwords still provide a strong credential: they are 16 characters long and are generated with a strong random number generator. If a mobile device is lost or stolen, you can disable the IP restriction bypass, which prevents access to the application from outside your organization's designated IP range.
Note: If you enable application passwords and select the Ignore IP range restrictions for applications setting to allow users to bypass IP restrictions, the setting does not apply to Windows Phone or Windows Tablet users. If you restrict login to a specific IP range, Windows Phone and Windows Tablet users must log in from network locations within the range.

You can also disable the use of application passwords at any time. Any application passwords that users have already created then stop working, and the application can no longer be accessed with them.

Tip: Users can also prevent access to the application by revoking their application password, which they can do at any time.

Organizations that do not use federated identity can disable the use of the standard service password for mobile applications.

Procedure

  1. Select Administration > Manage Organization.
  2. In the navigation pane, under System Settings, click Security.
  3. Under Password Settings, click Edit Settings.
  4. Select Allow users to generate application passwords.
  5. Select any of the following options that apply, and then click Save Changes.
    Table 1. Application Password Options

    Option: Expiration
    Result: Select a password expiration interval, or select No expiration if you do not want application passwords to expire.

    Option: Ignore IP range restrictions for applications
    Result: Users can access applications from outside the organization's designated IP range. However, they cannot do so with the service login password; they must use an application password instead. For more information about specifying IP address ranges, see Requiring client IP addresses to be within specified IP address ranges.

    Option: Require applications to use application passwords to access this site
    Result: Restricts the supported authentication flow to application passwords and prevents users from logging in to this site with their service login password. This option is not displayed for organizations that use federated identity.

Results

After you enable this feature, users can create and manage application passwords in My Account Settings in the service. General information about how users manage their application passwords follows.
  • If enabled, users can generate an application password for IBM® Traveler.
  • Application passwords can be shared across mobile products, including IBM Traveler, IBM Sametime®, and Connections Cloud.
  • If you did not select the option Require applications to use application passwords to access this site, then using an application password is optional for users. However, if you have IP range restrictions enabled, they will not be able to log in using their service password unless they are within the IP range.
  • Application passwords are generated by the service when requested by users. The generated password is displayed to the user only once and cannot be recovered.
  • Users can revoke and generate a new application password at any time. There is no limit to the number that can be generated.
  • Passwords are generated using a cryptographically strong random number generator. They are 16 characters long and are not case sensitive. Users should enter the password once into their device and allow the device to save it.
  • If there are ten failed login attempts, the account is locked for three minutes.
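The following added example (not part of this documentation or of the service's own code) models the properties listed above together with the access rules from Table 1: a 16-character, case-insensitive password drawn from a CSPRNG, stored only as a digest so it is shown once and cannot be recovered, and a decision function for application logins that covers the IP range bypass, the Windows Phone/Windows Tablet exception, and the option to require application passwords. The alphabet and the setting names in `OrgSettings` are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# The page gives length (16) and case-insensitivity; the alphabet is assumed here.
ALPHABET = string.ascii_lowercase + string.digits
LENGTH = 16


def generate_application_password() -> str:
    """Draw 16 characters from a CSPRNG (the secrets module), ~82 bits of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def store_application_password(password: str) -> str:
    """Keep only a digest: the password is shown once and cannot be recovered.
    Case-folding before hashing makes verification case-insensitive; the
    ~82-bit random input makes an unsalted digest adequate."""
    return hashlib.sha256(password.casefold().encode()).hexdigest()


def verify_application_password(candidate: str, stored_digest: str) -> bool:
    return hmac.compare_digest(store_application_password(candidate), stored_digest)


@dataclass(frozen=True)
class OrgSettings:
    allow_app_passwords: bool        # Allow users to generate application passwords
    ignore_ip_range_for_apps: bool   # Ignore IP range restrictions for applications
    require_app_passwords: bool      # Require applications to use application passwords
    ip_range_restricted: bool        # logins restricted to specified IP ranges


def application_login_allowed(s: OrgSettings, credential: str, in_ip_range: bool,
                              windows_mobile: bool = False) -> bool:
    """Decide an application (mobile client) login; credential is "app" or "service"."""
    within_range = in_ip_range or not s.ip_range_restricted
    if credential == "app":
        if not s.allow_app_passwords:
            return False  # disabled: existing application passwords stop working
        # The IP-range bypass does not apply to Windows Phone / Windows Tablet users.
        return within_range or (s.ignore_ip_range_for_apps and not windows_mobile)
    if s.require_app_passwords:
        return False      # service login password is disabled for the application
    return within_range
```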

What to do next

If you selected Applications must use the generated password to access this site, or if you allowed users to bypass the specified IP range, instruct them to generate application passwords. For information on how users generate application passwords, see Application passwords for mobile access.