Koha has several system preferences and patron category customizations for setting up and keeping passwords up to date.
minPasswordLength - the minimum number of characters a password must contain.
RequireStrongPassword - requires a strong password for staff and patrons (must contain at least one digit, one lowercase, and one uppercase).
These system preferences can be configured at the patron category level, which will override the global system preference setting.
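The override behaviour described above, as an added example (not Koha's own code): it resolves the effective policy for a patron category, checks a candidate password against it, and lists the categories whose override is weaker than the global setting. The category names, the values, and the use of None to mean "inherit the global preference" are assumptions made for illustration.

```python
import re

# Constructed global values for the two system preferences named above.
GLOBAL_PREFS = {"minPasswordLength": 8, "RequireStrongPassword": True}

# Constructed patron categories; None is assumed to mean "use the global value".
CATEGORY_PREFS = {
    "STAFF": {"minPasswordLength": 12, "RequireStrongPassword": None},
    "KIOSK": {"minPasswordLength": None, "RequireStrongPassword": False},
}

CLASSES = (("digit", r"[0-9]"), ("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"))

def effective_policy(category):
    """Category setting wins when present, otherwise the global preference."""
    overrides = CATEGORY_PREFS.get(category, {})
    return {key: glob if overrides.get(key) is None else overrides[key]
            for key, glob in GLOBAL_PREFS.items()}

def password_problems(password, category):
    """Return the list of policy rules the password fails for this category."""
    policy = effective_policy(category)
    problems = []
    if len(password) < policy["minPasswordLength"]:
        problems.append("too_short")
    if policy["RequireStrongPassword"]:
        problems += ["missing_" + name for name, pattern in CLASSES
                     if not re.search(pattern, password)]
    return problems

def weakened_categories():
    """Audit helper: categories whose override is weaker than the global policy."""
    weak = []
    for category in CATEGORY_PREFS:
        policy = effective_policy(category)
        shorter = policy["minPasswordLength"] < GLOBAL_PREFS["minPasswordLength"]
        relaxed = GLOBAL_PREFS["RequireStrongPassword"] and not policy["RequireStrongPassword"]
        if shorter or relaxed:
            weak.append(category)
    return sorted(weak)
```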
Patron Passwords
Koha gives libraries the option to allow patrons to manage their passwords. Two system preferences control this:
OpacPasswordChange - allows patrons to change their own password on the OPAC.
OpacResetPassword - controls whether library patrons are allowed to recover their password via email in the OPAC.
These system preferences can be configured at the patron category level, which will override the global system preference setting.
How to Change a Password in the OPAC
If you have forgotten your password, there is a "Forgot your Password" link underneath the Login Area. Once this is clicked, you will be asked for your Login or Email. This information will ensure that the "Forgot your Password" email goes to you. Next, check your email for a link to log into the public catalog. The link in the email will only last 2 days, so if you get distracted and forget about this you will need to go through these steps again.
Clicking the link in your email will bring you back to the OPAC and allow you to enter a new password. The required length and complexity will be stated above the password box. After this has been done, you may log into the OPAC and start finding some great books to read!
Changing a Password
Some libraries give a standard password to new patrons and will encourage you to change your password for security. Changing your password is very easy on the OPAC. Log into your account using your user name and password. Once in your account summary, there will be a "Change your Password" tab on the left of the screen. Enter your new password and confirm!
Tutorial
Can I Enforce a Password Reset on First Login for a Staff Account?
Enforcing a password reset for new Koha staff accounts is simple with the new password expiration functionality introduced in 22.05.
While you do have the option to require staff account passwords to expire at predetermined intervals at the patron category level, the ability to manually expire a password can be used on an individual account as a one-time tool for new staff accounts.
Once you have created a new account with staff permissions in Koha and a pre-generated password that can be conveyed securely to the new employee, head over to the Library Use portion of the account, and edit to modify the password expiration date to a date that has already passed.
What the user will see next hinges on some system preferences. Either path forward begins with a warning box that the account is expired, with a link to reset.
One possibility is to set the EnableExpiredPasswordReset system preference to "Enable the ability for patrons to directly reset their password when it is expired. If not enabled patrons must either use the 'Forgot your password' feature or have staff reset their password."
If this preference is enabled, the user is directed to the OPAC update password landing page, where they will need to enter their user name or card number, expired password, and new one. Once it has been successfully reset, they will have buttons to go to the OPAC or their staff account with the new credentials.
If EnableExpiredPasswordReset is not enabled but OpacResetPassword is, they will also see the expired account warning and be redirected to the OPAC update password page. There, they will reset their password like a patron would, entering their user name and email associated with the account. A password reset email will be sent to that email, and they can reset from there.
Once the password has been reset, the password expiration field will revert to its default behavior. If the patron category is set to automatically expire passwords, a new expiration date will be set based on the category default, but if the patron category does not enforce password expirations, the password expiration date will return to 'Never.'
Two-Factor Authentication (2FA)
Two-factor authentication uses a time-based one-time password (TOTP). A TOTP is a password that can only be used once and is only valid for a limited time.
Staff can use an authentication app to generate TOTPs. Any authenticator app can be used, such as Google Authenticator, andOTP, FreeOTP, and many others. Applications that enable the backup of their 2FA accounts (either cloud-based or automatic) are recommended.
System Preference
Go to administration and select Global System Preferences.
Search for TwoFactorAuthentication.
There are 3 options: enable, don't enable, and enforce.
Turn on the two-factor authentication by selecting enable.
Click save all staff interface preferences.
Patron Account
Navigate to My Account (your patron account).
Select the More dropdown from your account and select Manage two-factor authentication.
The status should be ‘Disabled’ when first going to this page.
Click the button to enable two-factor authentication.
A QR code will be presented on the screen. Scan the code using an authenticator app from the suggestions above.
Once the QR code is scanned, the app will return a time-based PIN code.
Enter the PIN in the PIN code field and click ‘Register with two-factor app’.
The status of the two-factor authentication will now be enabled.
Logging into the Staff Interface
You will enter your username and password and click login.
You will then be prompted to enter a PIN.
Open your authenticator app, generate a time-based one-time password, and enter it in the field in order to log in.
Disable Two-Factor Authentication
If you would like to disable two-factor authentication, follow the steps below.
Navigate to your account in the staff interface.
Select the More dropdown and then Manage two-factor authentication.