Channel: SCN: Message List - Security

Re: sso and password - questions


Hi Naor, as always it depends on what you want to achieve and how old your systems are.

Current systems can log the authentication method in Security Audit Trace so that you can trace and evaluate each and every logon event.

What I find more practical and less time consuming to evaluate is simply to use parameters for smooth transition:

  • login/password_max_idle_initial = 2 means an initial password gets fully invalid after 2 days
  • login/password_max_idle_productive = 180 (we use 2x login/password_expiration_time) means a user has 90 days to change his password after it expired, then it will get fully invalid
  • login/password_change_for_SSO = 0 means user is not prompted for changing expired passwords during SSO logon

So we let those parameters do their work. And in case users don't use their password their password will get fully invalid and this situation is quite comparable to a deactivated password.

To get an overview how this develops over time we once in a while use RSUSR200.

We find people like this example whose initial password was set in 2010 and never used but he obviously logs on regularly so he obviously uses nothing but SSO to authenticate:

[Image: Clipboard01.png]

So we could set his password to deactivated to make the situation clearer but we don't think it's necessary.

 

So if you need precise information on who logged on with which authentication method go for Security Audit Log (and update your system if necessary to get this functionality).

If this is more about getting an overview over how transition to SSO is progressing, just let passwords get invalid and start RSUSR200 once in a while.

Regards,

Lutz
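
The overview check described in the post above, as an added example that is not part of the original post: it applies the two idle limits to a user list and marks accounts whose password has gone invalid while they still log on. The CSV columns are hypothetical (not the RSUSR200 layout), the sample rows are constructed, and counting idle days from the later of the password set date and the last password logon is an assumption.

```python
import csv
import io
from datetime import date

# Values from the post, named after the profile parameters they stand for.
MAX_IDLE_INITIAL = 2        # login/password_max_idle_initial
MAX_IDLE_PRODUCTIVE = 180   # login/password_max_idle_productive

# Constructed sample export; column names are hypothetical.
SAMPLE = """user,pwd_initial,pwd_set,last_pwd_logon,last_logon
ALICE,yes,2010-03-15,,2024-05-28
BOB,no,2024-04-02,2024-05-20,2024-05-20
CAROL,no,2023-06-01,2023-07-10,2024-05-30
DAVE,yes,2024-05-30,,
"""

def parse(value):
    """Empty cells mean 'never'."""
    return date.fromisoformat(value) if value else None

def classify(row, today):
    """Return (password_state, logon_style) for one user row."""
    initial = row["pwd_initial"] == "yes"
    limit = MAX_IDLE_INITIAL if initial else MAX_IDLE_PRODUCTIVE
    # Assumption: the idle clock starts when the password was last set or used.
    touched = max(d for d in (parse(row["pwd_set"]),
                              parse(row["last_pwd_logon"])) if d)
    state = "invalid" if (today - touched).days > limit else "usable"
    last_logon = parse(row["last_logon"])
    if last_logon is None:
        style = "never"
    elif last_logon > touched:
        # A logon after the password was last touched used another method;
        # with the password invalid, that is the SSO-only case from the post.
        style = "sso-only" if state == "invalid" else "mixed"
    else:
        style = "password"
    return state, style

def report(text, today):
    """Map user name to (password_state, logon_style)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["user"]: classify(r, today) for r in rows}

if __name__ == "__main__":
    for user, result in report(SAMPLE, date(2024, 6, 1)).items():
        print(user, *result)
```
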

