On 2016-07-26, Joakim Löfgren wrote:
> Hey,
> I noticed that if you get your account temporarily locked due to the brute
> force detection then you cannot reset your password until the temporary
> lock has been lifted.
> Is this behaviour intended?

From what I can tell, this is how it works today and that's
intentional.
I think that in order to enable password reset for blocked accounts,
rate limiting for password reset should be introduced, otherwise, an
attacker could try it again.

> We've gotten a few users that become confused when they do not receive a
> reset password email, and thus contact us asking for help.
> Sincerely,
> Joakim
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
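The design point raised in the reply, that a password reset for a brute-force-locked account is only safe when the reset flow is itself rate limited, is sketched below as an added example. It is not Keycloak code and not part of the thread; the user store, the lock set, the sliding-window limiter and its parameters (3 requests per account per hour) are all constructed for illustration. Whatever happens, the caller gets the same generic response, so neither account existence nor lock state leaks through the reset endpoint, and the outcome is recorded in an audit list for the operator.

```python
"""Rate-limited password-reset requests for locked accounts (constructed example)."""
from collections import defaultdict, deque

# One fixed response for every outcome: no account-existence or lock-state oracle.
GENERIC_RESPONSE = "If an account with that username exists, a reset email has been sent."


class FakeClock:
    """Deterministic clock so the limiter can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResetRateLimiter:
    """Sliding window: at most `limit` reset requests per account per `window` seconds."""

    def __init__(self, clock, window=3600, limit=3):
        self.clock = clock
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # account id -> timestamps of recent requests

    def allow(self, account_id):
        now = self.clock()
        events = self._events[account_id]
        # Drop requests that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


def request_password_reset(username, accounts, locked, limiter, outbox, audit):
    """
    accounts: dict username -> email (constructed user store)
    locked:   set of usernames currently under brute-force lockout
    outbox:   list collecting (email, subject) of mails that would be sent
    audit:    list of (event, username) tuples for the operator
    """
    email = accounts.get(username)
    if email is None:
        audit.append(("reset_unknown_user", username))
        return GENERIC_RESPONSE
    if not limiter.allow(username):
        # Over the limit: stay silent, send nothing, but leave a trace.
        audit.append(("reset_rate_limited", username))
        return GENERIC_RESPONSE
    if username in locked:
        # Reset is still permitted for a locked account, because the limiter
        # bounds how often the reset flow can be driven.
        audit.append(("reset_while_locked", username))
    outbox.append((email, "Password reset"))
    return GENERIC_RESPONSE


def demo():
    """Five reset requests against a locked account, then one more an hour later."""
    clock = FakeClock()
    limiter = ResetRateLimiter(clock, window=3600, limit=3)
    accounts = {"joakim": "joakim@example.test"}  # constructed
    locked = {"joakim"}
    outbox, audit = [], []
    for _ in range(5):
        request_password_reset("joakim", accounts, locked, limiter, outbox, audit)
    sent_before = len(outbox)        # 3 mails; requests 4 and 5 were limited
    clock.advance(3600)
    request_password_reset("joakim", accounts, locked, limiter, outbox, audit)
    return sent_before, len(outbox), audit  # (3, 4, six audit events)


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed by account rather than by source address on purpose: the scenario in the thread is one account being hammered, and a per-IP limit is trivially spread across addresses. In a real deployment the event store would live in the shared cache or database rather than in process memory, and the audit events would feed the same log the brute-force detector writes to, so an operator can correlate lockouts with reset attempts.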