[keycloak-dev] priorities and who is available?
Bruno Oliveira
bruno at abstractj.org
Fri Jan 24 07:50:35 EST 2014
Good morning Stian, on AeroGear we had a discussion about how to properly reset passwords and we have too much to improve, but here comes my 2 cents.
--
abstractj
On January 24, 2014 at 8:03:08 AM, Stian Thorgersen (stian at redhat.com) wrote:
> > Some comments in-line as well.
>
> ----- Original Message -----
>
> I assume you're only talking about when an admin resets the password
> on-behalf of the user?
>
> It should be simple enough to add a button to let an admin send a
> password reset link to a user as we already have that functionality
> for the user themselves. It's that what you want? We still need
> the option of being able to set a temp password in case the user
> doesn't have a email registered (or emails can't be used for whatever
> reason).
What concerns me about this approach is the fact that once the admin account is compromised, is possible to reset everyone’s account even if you don’t have access do the database. If users doesn’t have e-mail registered, maybe we could evaluate another confirmation method? Maybe TOTP?
More information about the keycloak-dev
mailing list