[keycloak-dev] Password resetting

Bill Burke bburke at redhat.com
Fri Jan 24 09:16:21 EST 2014



On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
> To prevent hijacking the thread for planning what goes into the next release, I'll start this new thread on this subject.
>
> For clarification, at the moment what we have with password reset is :
>
> Users:
> * If realm allows it and user has registered email address they can click on the recover password option. They then insert their username and an email with a link is sent to them. This link will expire within a configurable time (default is 10 min I think). The link will open a form enabling the user to insert a new password.
>
> Admins:
> * Admins can set a new temporary password on a user account. This will add a flag that the user is required to reset the password on next login. Currently the admin could remove this required action though, as admins can add/remove required actions to an account.
>
> Improvements to this flow would be good. It's not elegant that admin has to manually create tmp password, and somehow communicate this to the user. Also, as Bruno pointed out this would mean an admin could gain access to a user's account. Any other concerns?
>

The improvement I want is an email with a URL that contains a temporary 
token.  User's account status would be set to "update password", but they 
would not have to enter their password, just a new one.

I think you're right in that we still need the option for the admin to 
set up a temporary password.

> With regards to admins being able to send recover email, I'm not sure I see the point. Users can do this themselves if they want to. Also, the link in the email expires within a relatively short timeout, so it would quite likely be expired by the time a user reads it.
>
> Stopping a compromised admin being able to access the account, I'm not sure that would be feasible. Even if an admin can't set a tmp password, they could for example change the email and get a recovery password email sent to themselves. I also think a compromised admin account would mean we're pretty screwed in any case, so is this really important?
>
> I don't understand how TOTP would work, can you explain.

TOTP could work same way as above.  Send an email, user is temporarily 
authenticated, but must reset TOTP key.

In the future, I'd like to have a "World of Warcraft" option.  I really 
like the way they do it as hacked user accounts were really common prior 
to 2-factor auth.  To reset a password, you get an email.  To reset TOTP 
you get a text to your phone.  So, if your email account gets hacked 
(like mine was prior to enabling 2-factor auth), you're still safe.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
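The flow discussed above (an emailed link carrying a short-lived temporary token, which on redemption leaves the account flagged with a required action rather than logging the user in normally) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Keycloak code and does not use Keycloak's APIs. It assumes a hypothetical ResetTokenService with an HMAC-signed token, a per-user single-use nonce, a 10 minute default lifetime, and a hypothetical CHANNEL_FOR_ACTION policy that delivers password resets by email and TOTP resets by SMS, which is the separation of channels the last paragraph argues for.

```python
# Added example (not Keycloak code): single-use, expiring reset-link tokens
# bound to a required action and to an out-of-band delivery channel.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical policy (an assumption for this example): which channel may
# carry a reset link for each required action. Password resets go by email,
# TOTP resets by SMS, so a compromised mailbox alone cannot reset both.
CHANNEL_FOR_ACTION = {
    "UPDATE_PASSWORD": "email",
    "CONFIGURE_TOTP": "sms",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


class ResetTokenService:
    """Issues and redeems reset tokens of the form base64(payload).base64(hmac)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 600):
        self.secret = secret
        self.ttl = ttl_seconds
        # user_id -> sha256(nonce) of the single outstanding token; issuing a
        # new token supersedes the old one, redeeming deletes the entry.
        self.pending = {}
        # user_id -> actions the user must complete before normal use resumes.
        self.required_actions = {}

    def issue(self, user_id: str, action: str, channel: str, now=None) -> str:
        if CHANNEL_FOR_ACTION.get(action) != channel:
            raise ValueError(f"{action} may not be delivered over {channel}")
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        claims = {"sub": user_id, "act": action,
                  "exp": int(now + self.ttl), "n": _b64(nonce)}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        # Store only a hash of the nonce, so a leaked table cannot forge links.
        self.pending[user_id] = hashlib.sha256(nonce).digest()
        return _b64(payload) + "." + _b64(_sign(self.secret, payload))

    def redeem(self, token: str, action: str, now=None):
        """Return the user id if the token is valid for `action`, else None."""
        now = time.time() if now is None else now
        try:
            p64, s64 = token.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except (ValueError, binascii.Error):
            return None
        # Verify the MAC before trusting any claim, in constant time.
        if not hmac.compare_digest(sig, _sign(self.secret, payload)):
            return None
        claims = json.loads(payload)
        if claims["act"] != action or claims["exp"] < now:
            return None
        user_id = claims["sub"]
        nonce_hash = hashlib.sha256(_unb64(claims["n"])).digest()
        if not hmac.compare_digest(self.pending.get(user_id, b""), nonce_hash):
            return None  # never issued, already used, or superseded by a newer link
        del self.pending[user_id]
        # The user is not fully authenticated: they may only perform this action.
        self.required_actions.setdefault(user_id, set()).add(action)
        return user_id


if __name__ == "__main__":
    svc = ResetTokenService(secrets.token_bytes(32))
    link = svc.issue("alice", "UPDATE_PASSWORD", "email")
    print("first redemption:", svc.redeem(link, "UPDATE_PASSWORD"))
    print("second redemption:", svc.redeem(link, "UPDATE_PASSWORD"))
    print("pending actions:", svc.required_actions)
```

The nonce table is what makes the link single-use and lets a newer link invalidate an older one; the signature alone would allow a captured link to be replayed until it expires. Note that this does nothing against the case Stian raises of an admin changing the user's email before requesting a link, since the policy only constrains which channel is used, not who controls the address behind it.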