<p dir="ltr">Not if you have to click the link in the email for it to be unlocked?</p>
<br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 26, 2016, 13:34 Bruno Oliveira &lt;<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2016-07-26, Joakim Löfgren wrote:<br>
> Hey,<br>
><br>
> I noticed that if you get your account temporarily locked due to the brute<br>
> force detection then you cannot reset your password until the temporary<br>
> lock has been lifted.<br>
><br>
> Is this behaviour intended?<br>
<br>
From what I can tell, this is how it works today and that's intentional.<br>
I think that in order to enable password reset for blocked accounts,<br>
rate limiting for password reset should be introduced, otherwise, an<br>
attacker could try it again.<br>
<br>
><br>
> We've gotten a few users that become confused when they do not receive a<br>
> reset password email, and thus contact us asking for help.<br>
><br>
><br>
> Sincerely,<br>
> Joakim<br>
<br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
</blockquote></div>