Not if you have to click the link in the email for it to be unlocked?


On Tue, Jul 26, 2016, 13:34 Bruno Oliveira <bruno@abstractj.org> wrote:
On 2016-07-26, Joakim Löfgren wrote:
> Hey,
>
> I noticed that if you get your account temporarily locked due to the brute
> force detection then you cannot reset your password until the temporary
> lock has been lifted.
>
> Is this behaviour intended?

From what I can tell, this is how it works today and that's intentional.
I think that in order to enable password reset for blocked accounts,
rate limiting for password reset should be introduced, otherwise, an
attacker could try it again.

>
> We've gotten a few users that become confused when they do not receive a
> reset password email, and thus contact us asking for help.
>
>
> Sincerely,
> Joakim

> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


--

abstractj
PGP: 0x84DC9914
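The design tradeoff discussed in this thread (a password reset that stays usable for a locked account only if the reset endpoint carries its own rate limit, with the emailed link rather than the request itself lifting the lock) is sketched below as an added Python example. It is not Keycloak code and is not from either poster; the `AuthService` class, its thresholds (3 failures, 60 s lockout, 2 reset mails per 10 minutes), the plaintext password store and the in-memory state are all assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str                      # plaintext only for this demo; hash it in real code
    failures: int = 0                  # consecutive failed logins
    locked_until: float = 0.0          # epoch seconds; 0 means not locked
    reset_requests: list = field(default_factory=list)  # timestamps of reset requests
    reset_token_hash: str = ""         # sha256 of the outstanding reset token, never the token
    reset_expires: float = 0.0


class AuthService:
    # All thresholds below are assumed values for the demo, not Keycloak defaults.
    MAX_FAILURES = 3          # failed logins before a temporary lock
    LOCKOUT_SECONDS = 60      # length of the temporary lock
    RESET_WINDOW = 600        # sliding window for the reset-request rate limit
    RESET_MAX = 2             # reset mails allowed per account per window
    TOKEN_TTL = 900           # lifetime of a reset token

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def add_account(self, username, password):
        self.accounts[username] = Account(username, password)

    def login(self, username, password, now):
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"
        if now < acct.locked_until:
            return "locked"           # lock in effect: the password is not even checked
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked_until = now + self.LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "invalid"

    def request_reset(self, username, now):
        """Return a token to email, or None when no mail should go out.

        The lock state is deliberately not consulted, so a locked user can still
        ask for a reset. The endpoint instead has its own per-account rate limit,
        which is what keeps it from becoming a second brute-force or mail-flood path.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return None   # a real service answers identically to avoid user enumeration
        acct.reset_requests = [t for t in acct.reset_requests if now - t < self.RESET_WINDOW]
        if len(acct.reset_requests) >= self.RESET_MAX:
            return None   # rate limited: no new mail, no new token
        acct.reset_requests.append(now)
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.reset_expires = now + self.TOKEN_TTL
        return token

    def complete_reset(self, username, token, new_password, now):
        acct = self.accounts.get(username)
        if acct is None or not acct.reset_token_hash or now > acct.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.password = new_password
        acct.reset_token_hash = ""
        # Proof of mailbox control (clicking the link) is what lifts the lock.
        acct.locked_until = 0.0
        acct.failures = 0
        return True


def demo():
    """Lock the account, request a reset while locked, then complete it."""
    svc = AuthService()
    svc.add_account("joakim", "correct horse")   # constructed sample account
    t = 1000.0
    results = {}
    for _ in range(3):
        results["lock"] = svc.login("joakim", "wrong", t)
    results["still_locked"] = svc.login("joakim", "correct horse", t + 1)
    tok1 = svc.request_reset("joakim", t + 2)    # allowed even though locked
    tok2 = svc.request_reset("joakim", t + 3)    # second in window: allowed, replaces tok1
    tok3 = svc.request_reset("joakim", t + 4)    # third in window: rate limited, None
    results["reset_mails_sent"] = sum(x is not None for x in (tok1, tok2, tok3))
    results["bad_token"] = svc.complete_reset("joakim", "not-the-token", "new pw", t + 5)
    results["good_token"] = svc.complete_reset("joakim", tok2, "new pw", t + 5)
    results["login_after_reset"] = svc.login("joakim", "new pw", t + 6)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the walk-through makes concrete: the reset request never reads `locked_until`, so the confused users in the thread would still get their mail, and the lock is cleared only in `complete_reset`, after the token from the mail has been presented, so an attacker who triggered the lock gains nothing by merely requesting resets.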