On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
> To prevent hijacking the thread for planning what goes into the next
> release, I'll start this new thread on this subject.
>
> For clarification, at the moment what we have with password reset is:
>
> Users:
> * If the realm allows it and the user has a registered email address, they can click on the recover
> password option. They then insert their username and an email with a link is sent to them.
> This link will expire within a configurable time (default is 10 min I think). The link
> will open a form enabling the user to insert a new password.
>
> Admins:
> * Admins can set a new temporary password on a user account. This will add a flag that
> the user is required to reset the password on next login. Currently the admin could remove
> this required action though, as admins can add/remove required actions to an account.
>
> Improvements to this flow would be good. It's not elegant that the admin has to manually
> create a tmp password, and somehow communicate this to the user. Also, as Bruno pointed out,
> this would mean an admin could gain access to a user's account. Any other concerns?
The improvement I want is an email with a URL that contains a temporary
token. User's acct status would be set to "update password", but they
would not have to enter in their password, just a new one.
I think you're right in that we still need the option for the admin to
set up a temporary password.
> With regards to admins being able to send a recover email, I'm not
> sure I see the point. Users can do this themselves if they want to. Also, the link in the
> email expires within a relatively short timeout, so it would quite likely be expired by
> the time a user reads it.
>
> Stopping a compromised admin being able to access the account, I'm not sure that
> would be feasible. Even if an admin can't set a tmp password, they could for example
> change the email and get a recovery password email sent to themselves. I also think a
> compromised admin account would mean we're pretty screwed in any case, so is this
> really important?
>
> I don't understand how TOTP would work, can you explain?
TOTP could work same way as above. Send an email, user is temporarily
authenticated, but must reset totp key.
In the future, I'd like to have a "World of Warcraft" option. I really
like the way they do it as hacked user accounts were really common prior
to 2-factor auth. To reset a password, you get an email. To reset TOTP
you get a text to your phone. So, if your email account gets hacked
(like mine was prior to enabling 2-factor auth), you're still safe.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
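The flow discussed above (an emailed link carrying a temporary token that expires after a configurable time, default 10 minutes, and leaves the account flagged "update password" until a new one is set) as an added illustration; this is not Keycloak's code, and the class name, the `UPDATE_PASSWORD` flag string and the in-memory stores are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time


class ResetTokenService:
    """Hypothetical issue/redeem service for expiring, single-use reset links."""

    def __init__(self, secret: bytes, ttl_seconds: int = 600, clock=time.time):
        self.secret = secret
        self.ttl = ttl_seconds          # default 10 minutes, as in the thread
        self.clock = clock              # injectable so tests can move time forward
        self.used_nonces = set()        # each link can be redeemed only once
        self.required_actions = {}      # username -> set of pending actions
        self.passwords = {}             # username -> (salt, pbkdf2 hash)

    def issue(self, username: str) -> str:
        """Build the token placed in the recovery URL: user.issued.nonce.mac."""
        issued = int(self.clock())
        nonce = secrets.token_urlsafe(16)   # URL-safe alphabet, never contains '.'
        payload = f"{username}.{issued}.{nonce}"
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        # Flag the account: the bearer of the link may only set a new password.
        self.required_actions.setdefault(username, set()).add("UPDATE_PASSWORD")
        return f"{payload}.{mac}"

    def redeem(self, token: str):
        """Return the username if the token is authentic, unexpired and unused."""
        try:
            payload, mac = token.rsplit(".", 1)
            username, issued, nonce = payload.rsplit(".", 2)
            issued = int(issued)
        except ValueError:
            return None                     # malformed link
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                     # forged or tampered link
        if self.clock() > issued + self.ttl:
            return None                     # link expired
        if nonce in self.used_nonces:
            return None                     # link already used (replay)
        self.used_nonces.add(nonce)
        return username

    def complete_update_password(self, token: str, new_password: str) -> bool:
        """Temporarily authenticate via the link, set the password, clear the flag."""
        username = self.redeem(token)
        if username is None:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.passwords[username] = (salt, digest)
        self.required_actions[username].discard("UPDATE_PASSWORD")
        return True
```

The expiry check, the nonce set and the MAC together give the three properties the thread asks for: a link that stops working after the timeout, cannot be reused, and cannot be minted or edited without the server secret.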