<p dir="ltr">Well everything can be automated, yes.</p>
<p dir="ltr">I'll explain in more detail.</p>
<p dir="ltr">1. Hacker or myself fails to login 3 times<br>
2. Brute force detection temporarily disables my account<br>
3. I enter my email in the reset password form and submit.<br>
4. An email lands in my inbox<br>
5. Account is still temporarily disabled<br>
6. I prove my identity (or at least access to the email account) and click the reset link in the email<br>
7. Account is unlocked and I get a login session and prompted to update my password</p>
<p dir="ltr">This prevents someone from continuously trying to hack my account and thus keeping me locked out of my account.</p>
<p dir="ltr">It also provides a better experience for someone who has just forgotten his or her password and attempts to login a few too many times.</p>
<p dir="ltr">Just waiting for the account to unlock so the password reset works again isn't more secure in my mind. Just more tedious.</p>
<p dir="ltr">Thoughts?</p>
<br><div class="gmail_quote"><div dir="ltr">On Wed, Jul 27, 2016, 14:16 Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2016-07-27, Joakim Löfgren wrote:<br>
> Not if you have to click the link in the email for it to be unlocked ?<br>
<br>
You know that can be easily automated, right?<br>
<br>
><br>
> On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>> wrote:<br>
><br>
> > On 2016-07-26, Joakim Löfgren wrote:<br>
> > > Hey,<br>
> > ><br>
> > > I noticed that if you get your account temporarily locked due to the<br>
> > brute<br>
> > > force detection then you cannot reset your password until the temporary<br>
> > > locked has been lifted.<br>
> > ><br>
> > > Is this behaviour intended ?<br>
> ><br>
> > From what I can tell, this is how it works today and that's intentional.<br>
> > I think that in order to enable password reset for blocked accounts,<br>
> > rate limiting for password reset should be introduced, otherwise, an<br>
> > attacker could try it again.<br>
> ><br>
> > ><br>
> > > We've gotten a few users that become confused when they do not receive a<br>
> > > reset password email, and thus contact us asking for help.<br>
> > ><br>
> > ><br>
> > > Sincerely,<br>
> > > Joakim<br>
> ><br>
> > > _______________________________________________<br>
> > > keycloak-dev mailing list<br>
> > > <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
> ><br>
> ><br>
> > --<br>
> ><br>
> > abstractj<br>
> > PGP: 0x84DC9914<br>
> ><br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
</blockquote></div>