[keycloak-dev] Password resetting

Bill Burke bburke at redhat.com
Fri Jan 24 11:13:02 EST 2014


Sounds good.

On 1/24/2014 11:02 AM, Stian Thorgersen wrote:
> How about for user / credential page we display the following buttons:
>
> * Send password reset - visible if user has email registered (should this be only for verified email?)
> * Set temporary password - opens a modal panel where admin can insert a password or have one generated
> * Remove totp - if realm requires totp user will be asked to re-config on next login, otherwise user would have to go to acct mngmt to enable
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 24 January, 2014 3:29:19 PM
>> Subject: Re: [keycloak-dev] Password resetting
>>
>>
>>
>> On 1/24/2014 9:33 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 24 January, 2014 2:16:21 PM
>>>> Subject: Re: [keycloak-dev] Password resetting
>>>>
>>>>
>>>>
>>>> On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
>>>>> To prevent hijacking the thread for planning what goes into the next
>>>>> release, I'll start this new thread on this subject.
>>>>>
>>>>> For clarification, at the moment what we have with password reset is :
>>>>>
>>>>> Users:
>>>>> * If realm allows it and user has registered email address they can click
>>>>> on the recover password option. They then insert their username and an
>>>>> email with a link is sent to them. This link will expire within a
>>>>> configurable time (default is 10 min I think). The link will open a form
>>>>> enabling the user to insert a new password.
>>>>>
>>>>> Admins:
>>>>> * Admins can set a new temporary password on a user account. This will
>>>>> add a flag that the user is required to reset the password on next login.
>>>>> Currently the admin could remove this required action though, as admins
>>>>> can add/remove required actions to an account.
>>>>>
>>>>> Improvements to this flow would be good. It's not elegant that admin has
>>>>> to manually create tmp password, and somehow communicate this to the user.
>>>>> Also, as Bruno pointed out this would mean an admin could gain access to
>>>>> a user's account. Any other concerns?
>>>>>
>>>>
>>>> The improvement I want is an email with a URL that contains a temporary
>>>> token.  User's acct status would be set to "update password", but they
>>>> would not have to enter in their password, just a new one.
>>>
>>> We have this already don't we? In the realm settings enable "Reset
>>> password", then open the login page, now there's a link for "Forgot
>>> Username" and "Forgot Password".
>>>
>>
>> I mean a button in the admin console which will change the status of the
>> user acct and also send an email to the user.
>>
>>
>>>>
>>>> I think you're right in that we still need the option for the admin to
>>>> set up a temporary password.
>>>>
>>>>> With regards to admins being able to send recover email, I'm not sure I
>>>>> see the point. Users can do this themselves if they want to. Also, the
>>>>> link in the email expires within a relatively short timeout, so it would
>>>>> quite likely be expired by the time a user reads it.
>>>>>
>>>>> Stopping a compromised admin being able to access the account, I'm not
>>>>> sure
>>>>> that would be feasible. Even if an admin can't set a tmp password, they
>>>>> could for example change the email and get a recovery password email sent
>>>>> to themselves. I also think a compromised admin account would mean we're
>>>>> pretty screwed in any case, so is this really important?
>>>>>
>>>>> I don't understand how TOTP would work, can you explain.
>>>>
>>>> TOTP could work same way as above.  Send an email, user is temporarily
>>>> authenticated, but must reset totp key.
>>>
>>> We have similar feature here. If TOTP is lost the admin would disable TOTP,
>>> then add a required action to re-configure TOTP on next login.
>>>
>>>>
>>>> In the future, I'd like to have a "World of Warcraft" option.  I really
>>>> like the way they do it as hacked user accounts were really common prior
>>>> to 2-factor auth.  To reset a password, you get an email.  To reset TOTP
>>>> you get a text to your phone.  So, if your email account gets hacked
>>>> (like mine was prior to enabling 2-factor auth), you're still safe.
>>>
>>> Yes, we definitely need more layers of defence. Would be great to have
>>> SMS/phone options. We should also have options to enable password recovery
>>> questions (What's your first car thing).
>>>
>>> We can also enable support for OTP through email and SMS.
>>>
>>
>> Yes.  I forgot about user questions ("What's your first car?")...that's
>> something I've wanted to add too.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
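The flow discussed in this thread (an expiring, single-use reset link, the account flagged with an "update password" required action, and the admin-side "set temporary password" fallback) as an added example in Python. This is not Keycloak code and not from any participant in the thread; the names `User`, `ResetTokenStore`, `admin_send_reset`, `complete_reset`, `admin_set_temporary_password`, the `UPDATE_PASSWORD` action string and the `sso.example.test` host are all assumptions made for illustration. The store keeps only a hash of each token so a leaked store cannot be replayed as links, and the clock is injectable so the expiry path can be exercised.

```python
"""Time-limited, single-use password reset links plus a required-action flag.

Added example, not Keycloak code. All names below are assumed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

RESET_TOKEN_TTL_SECONDS = 600        # the "default is 10 min" mentioned in the thread
UPDATE_PASSWORD = "UPDATE_PASSWORD"  # assumed required-action name
_PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as '<salt hex>$<digest hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), _PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    username: str
    email: Optional[str] = None
    email_verified: bool = False
    password_hash: Optional[str] = None
    required_actions: Set[str] = field(default_factory=set)


class ResetTokenStore:
    """Outstanding reset tokens, keyed by SHA-256 of the token, each with an expiry."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, username: str) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness, goes into the emailed link
        self._pending[self._digest(raw)] = (username, self._now() + RESET_TOKEN_TTL_SECONDS)
        return raw

    def redeem(self, raw: str) -> Optional[str]:
        """Returns the username the token was issued for, or None if unknown/used/expired."""
        entry = self._pending.pop(self._digest(raw), None)  # pop => single use
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username


def admin_send_reset(store: ResetTokenStore, users: Dict[str, User], username: str) -> str:
    """The admin-console 'Send password reset' button: only for a verified email,
    flags the account with UPDATE_PASSWORD and returns the link to email out."""
    user = users[username]
    if not (user.email and user.email_verified):
        raise ValueError("account has no verified email address")
    user.required_actions.add(UPDATE_PASSWORD)
    token = store.issue(username)
    return "https://sso.example.test/reset?token=" + token  # placeholder host


def complete_reset(store: ResetTokenStore, users: Dict[str, User], token: str, new_password: str) -> bool:
    """The form behind the link: the token alone authenticates the user, who only
    enters a new password (never the old one). Clears the required action."""
    username = store.redeem(token)
    if username is None:
        return False
    user = users[username]
    user.password_hash = hash_password(new_password)
    user.required_actions.discard(UPDATE_PASSWORD)
    return True


def admin_set_temporary_password(users: Dict[str, User], username: str,
                                 temporary_password: Optional[str] = None) -> str:
    """The 'Set temporary password' modal: admin supplies one or has it generated;
    the user must change it on next login."""
    user = users[username]
    temporary_password = temporary_password or secrets.token_urlsafe(12)
    user.password_hash = hash_password(temporary_password)
    user.required_actions.add(UPDATE_PASSWORD)
    return temporary_password
```

Note that `admin_send_reset` refuses accounts without a verified email, which is the question raised in the button list above; an admin can still fall back to `admin_set_temporary_password` for those users, and in both paths the account carries `UPDATE_PASSWORD` until the user has chosen a password of their own.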

