To prevent hijacking the thread for planning what goes into the next release, I'll
start this new thread on this subject.
For clarification, at the moment what we have with password reset is:
Users:
* If realm allows it and user has registered email address they can click on the recover
password option. They then insert their username and an email with a link is sent to them.
This link will expire within a configurable time (default is 10 min I think). The link
will open a form enabling the user to insert a new password.
Admins:
* Admins can set a new temporary password on a user account. This will add a flag that the
user is required to reset the password on next login. Currently the admin could remove
this required action though, as admins can add/remove required actions on an account.
Improvements to this flow would be good. It's not elegant that the admin has to manually
create a tmp password and somehow communicate this to the user. Also, as Bruno pointed out,
this would mean an admin could gain access to a user's account. Any other concerns?
With regards to admins being able to send a recovery email, I'm not sure I see the point.
Users can do this themselves if they want to. Also, the link in the email expires within a
relatively short timeout, so it would quite likely be expired by the time a user reads it.
Stopping a compromised admin being able to access the account, I'm not sure that would
be feasible. Even if an admin can't set a tmp password, they could for example change
the email and get a recovery password email sent to themselves. I also think a compromised
admin account would mean we're pretty screwed in any case, so is this really
important?
I don't understand how TOTP would work; can you explain?
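Added example, not code from the project or from the author of the post above: a small Python model of the two reset paths the post describes, the user-driven recovery link with a configurable expiry (600 seconds standing in for the "10 min" default) and the admin-set temporary password that flags the account with a required action. The class and action names (PasswordResetService, UPDATE_PASSWORD) and the injectable clock are assumptions made for illustration; the token is returned instead of emailed so the flow can be exercised offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

UPDATE_PASSWORD = "UPDATE_PASSWORD"  # assumed name for the "must reset password" required action


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, stored as hex(salt):hex(digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


@dataclass
class User:
    username: str
    email: Optional[str]
    password_hash: str
    required_actions: set = field(default_factory=set)


class PasswordResetService:
    def __init__(self, users, link_ttl_seconds=600, allow_recovery=True, clock=time.time):
        self.users = {u.username: u for u in users}
        self.link_ttl = link_ttl_seconds      # configurable link expiry (default: 10 minutes)
        self.allow_recovery = allow_recovery  # realm-level switch for the recover-password option
        self.clock = clock                    # injectable so expiry can be tested deterministically
        self._tokens = {}                     # token -> (username, expires_at)

    # --- user path: recover-password option ---------------------------------
    def request_recovery(self, username: str) -> Optional[str]:
        """Return the one-time token that would be placed in the emailed link,
        or None when the realm forbids recovery or the user has no email."""
        user = self.users.get(username)
        if not self.allow_recovery or user is None or not user.email:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, self.clock() + self.link_ttl)
        return token

    def complete_recovery(self, token: str, new_password: str) -> bool:
        """Consume the token exactly once; reject unknown or expired tokens."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        user = self.users[username]
        user.password_hash = hash_password(new_password)
        user.required_actions.discard(UPDATE_PASSWORD)
        return True

    # --- admin path: temporary password + required action -------------------
    def admin_set_temporary_password(self, username: str, tmp_password: str) -> None:
        user = self.users[username]
        user.password_hash = hash_password(tmp_password)
        user.required_actions.add(UPDATE_PASSWORD)

    def admin_remove_required_action(self, username: str, action: str) -> None:
        # The post notes admins can currently do this; modelled as described.
        self.users[username].required_actions.discard(action)

    # --- login --------------------------------------------------------------
    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not check_password(password, user.password_hash):
            return "denied"
        if UPDATE_PASSWORD in user.required_actions:
            return "update-password-required"
        return "ok"
```

The token is random, stored server-side and removed on first use, so a link that is replayed or that arrives after the TTL is refused; a user without a registered email gets no token at all, matching the first bullet above.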