Greetings, Zoho One Admins!
This forum post is for every admin user who signed up before March 6, concerning a couple of changes in the Reset Password flow, which are set to take effect from June 4.
The current flow allows a Zoho One admin to reset the password of any user of the organization, irrespective of the verification status of their email domain. To put it simply, a Zoho One admin can even reset the password of a user whose email domain isn't verified in Zoho One yet. Examples of such users with unverified domains who can co-exist with other users in an organization include clients, accountants, vendors, partners, and the like. Thus, an admin is granted excessive access: they can reset the password of someone who could technically be outside the organization's sphere of verified domains. Entitling an admin to exert this control over such users raises significant security concerns, which led to the new flow changes.
With the first of the upcoming changes in place, the permission to reset someone's password will be restricted based on whether the user's email domain is verified in Zoho One or not. Admins will therefore be unable to reset the password of any user whose email domain remains unverified. Once a user's domain is verified in a Zoho One organization, they are regarded as a confirmed user of that organization and fall within the admin's scope for password resets.
Another change is the replacement of the option to set a new password different from the existing one with the easier method of OTP verification. With this change, only an OTP is shared, and the account owner is allowed to reset their password on their own. The admin no longer has the right to determine any user's password, thus averting even the slightest security issue possible.
Learn how to reset a user's password in Zoho One.
These changes are already in effect by default for all new users who signed up after March 6, and they also apply to anyone who signs up from now on. From June 4, this will be extended to old users too. Please be sure to have your users' domains verified in your Zoho One organizations in order to avoid the concerns discussed earlier. Please note, any user can change their password at any time at accounts.zoho.com.
Regards,
The Zoho One Team.