Hi Darnell
In my solution I had the user authenticate with AD credentials on the End User Login screen and challenge/response set to No. This meant the user had to know their network user ID and password to log in to request a password reset. I had this solution so the user would not need to register questions (and also because the client already had a PSS solution elsewhere and didn't want to duplicate it).
The password would then be emailed out, which again would also require access to email (I assume they would have that if they know the network login). In other threads, people had looked at sending a URL instead.
I did not see any additional risk in this approach compared with using SSO based on AD credentials to access SAP in the first place.
If you set Verification to No and used Challenge Response, then you would have a risk that the Challenge Response questions could be changed. Possibly (if GRC is not doing this already) there needs to be a challenge/response step before changing your existing answers if you have already enrolled. You are, however, then relying on the user enrolling the first time and not someone else doing this.
Regards
Colleen