Re: [keycloak-dev] priorities and who is available?

Good morning Stian, on AeroGear we had a discussion about how to properly reset passwords and we have too much to improve, but here comes my 2 cents. -- abstractj On January 24, 2014 at 8:03:08 AM, Stian Thorgersen (stian(a)redhat.com) wrote: >> Some comments in-line as well. > > ----- Original Message ----- > > I assume you're only talking about when an admin resets the password > on-behalf of the user? > > It should be simple enough to add a button to let an admin send a > password reset link to a user as we already have that functionality > for the user themselves. It's that what you want? We still need > the option of being able to set a temp password in case the user > doesn't have a email registered (or emails can't be used for whatever > reason). What concerns me about this approach is the fact that once the admin account is compromised, is possible to reset everyone’s account even if you don’t have access do the database. If users doesn’t have e-mail registered, maybe we could evaluate another confirmation method? Maybe TOTP? _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev