How about for user / credential page we display the following
buttons:
* Send password reset - visible if user has email registered (should this be only for verified email?)
* Set temporary password - opens a modal panel where admin can insert a password or have one generated
* Remove totp - if realm requires totp, user will be asked to re-config on next login, otherwise user would have to go to acct mngmt to enable
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 24 January, 2014 3:29:19 PM
> Subject: Re: [keycloak-dev] Password resetting
>
>
>
> On 1/24/2014 9:33 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, 24 January, 2014 2:16:21 PM
>>> Subject: Re: [keycloak-dev] Password resetting
>>>
>>>
>>>
>>> On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
>>>> To prevent hijacking the thread for planning what goes into the next
>>>> release, I'll start this new thread on this subject.
>>>>
>>>> For clarification, at the moment what we have with password reset is :
>>>>
>>>> Users:
>>>> * If realm allows it and user has registered email address they can click
>>>> on the recover password option. They then insert their username and an
>>>> email with a link is sent to them. This link will expire within a
>>>> configurable time (default is 10 min I think). The link will open a form
>>>> enabling the user to insert a new password.
>>>>
>>>> Admins:
>>>> * Admins can set a new temporary password on a user account. This will add
>>>> a flag that the user is required to reset the password on next login.
>>>> Currently the admin could remove this required action though, as admins
>>>> can add/remove required actions to an account
>>>>
>>>> Improvements to this flow would be good. It's not elegant that admin has to
>>>> manually create tmp password, and somehow communicate this to the user.
>>>> Also, as Bruno pointed out this would mean an admin could gain access to a
>>>> user's account. Any other concerns?
>>>>
>>>
>>> The improvement I want is an email with a URL that contains a temporary
>>> token. User's acct status would be set to "update password", but they
>>> would not have to enter in their password, just a new one.
>>
>> We have this already, don't we? In the realm settings enable "Reset
>> password", then open the login page, now there's a link for "Forgot
>> Username" and "Forgot Password".
>>
>
> I mean a button in the admin console which will change the status of the
> user acct and also send an email to the user.
>
>
>>>
>>> I think you're right in that we still need the option for the admin to
>>> set up a temporary password.
>>>
>>>> With regards to admins being able to send recover email, I'm not sure I see
>>>> the point. Users can do this themselves if they want to. Also, the link in
>>>> the email expires within a relatively short timeout, so it would quite
>>>> likely be expired by the time a user reads it
>>>>
>>>> Stopping a compromised admin being able to access the account, I'm not sure
>>>> that would be feasible. Even if an admin can't set a tmp password, they
>>>> could for example change the email and get a recovery password email sent
>>>> to themselves. I also think a compromised admin account would mean we're
>>>> pretty screwed in any case, so is this really important?
>>>>
>>>> I don't understand how TOTP would work, can you explain.
>>>
>>> TOTP could work same way as above. Send an email, user is temporarily
>>> authenticated, but must reset totp key.
>>
>> We have similar feature here. If TOTP is lost the admin would disable TOTP,
>> then add a required action to re-configure TOTP on next login.
>>
>>>
>>> In the future, I'd like to have a "World of Warcraft" option. I really
>>> like the way they do it as hacked user accounts were really common prior
>>> to 2-factor auth. To reset a password, you get an email. To reset TOTP
>>> you get a text to your phone. So, if your email account gets hacked
>>> (like mine was prior to enabling 2-factor auth), you're still safe.
>>
>> Yes, we definitely need more layers of defence. Would be great to have
>> SMS/phone options. We should also have options to enable password recovery
>> questions (What's your first car thing).
>>
>> We can also enable support for OTP through email and sms
>>
>
> Yes. I forgot about user questions ("What's your first car?")...that's
> something I've wanted to add too.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
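The expiring, single-use reset link discussed in the thread (token sent by email, "update password" required action set when it is redeemed), as an added example that is not part of the original messages or of Keycloak's code. ResetTokenStore, the UPDATE_PASSWORD string and the 600-second default are assumptions modelled on the discussion; the store is an in-memory stand-in for the user model.

```python
import hashlib
import secrets
import time

# Assumption: the "default is 10 min" lifetime mentioned in the thread.
DEFAULT_LIFETIME_SECONDS = 600


class ResetTokenStore:
    """Hypothetical in-memory store for email reset tokens (not Keycloak's API)."""

    def __init__(self, lifetime=DEFAULT_LIFETIME_SECONDS, now=time.time):
        self.lifetime = lifetime
        self.now = now  # injectable clock so expiry can be tested
        self._tokens = {}  # sha256(token) -> (username, expires_at)
        self.required_actions = {}  # username -> set of pending actions

    def issue(self, username):
        """Create a fresh token for the reset URL; only its digest is kept."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (username, self.now() + self.lifetime)
        return token  # embedded in the emailed link, never stored in clear

    def redeem(self, token):
        """Consume a token from the link; returns the username or None.

        The token is removed before any check so it can be used once only,
        and an expired token is rejected even though it was otherwise valid.
        On success the user must pick a new password, without entering the
        old one, which is the "update password" status from the thread.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() > expires_at:
            return None
        self.required_actions.setdefault(username, set()).add("UPDATE_PASSWORD")
        return username
```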