----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 24 January, 2014 2:16:21 PM
Subject: Re: [keycloak-dev] Password resetting
On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
> To prevent hijacking the thread for planning what goes into the next
> release, I'll start this new thread on this subject.
>
> For clarification, at the moment what we have with password reset is :
>
> Users:
> * If realm allows it and user has registered email address they can click
> on the recover password option. They then insert their username and an
> email with a link is sent to them. This link will expire within a
> configurable time (default is 10 min I think). The link will open a form
> enabling the user to insert a new password.
>
> Admins:
> * Admins can set a new temporary password on a user account. This will add
> a flag that the user is required to reset the password on next login.
> Currently the admin could remove this required action though, as admins
> can add/remove required actions to an account
>
> Improvements to this flow would be good. It's not elegant that admin has to
> manually create tmp password, and somehow communicate this to the user.
> Also, as Bruno pointed out this would mean an admin could gain access to a
> users account. Any other concerns?
>
The improvement I want is an email with a URL that contains a temporary
token. User's acct status would be set to "update password", but they
would not have to enter their password, just a new one.
We have this already, don't we? In the realm settings enable "Reset password",
then open the login page; now there's a link for "Forgot Username" and
"Forgot Password".
I think you're right in that we still need the option for the admin to
set up a temporary password.
> With regards to admins being able to send recover email, I'm not sure I see
> the point. Users can do this themselves if they want to. Also, the link in
> the email expires within a relatively short timeout, so it would quite
> likely be expired by the time a user reads it
>
> Stopping a compromised admin being able to access the account, I'm not sure
> that would be feasible. Even if an admin can't set a tmp password, they
> could for example change the email and get a recovery password email sent
> to themselves. I also think a compromised admin account would mean we're
> pretty screwed in any case, so is this really important?
>
> I don't understand how TOTP would work, can you explain.
TOTP could work same way as above. Send an email, user is temporarily
authenticated, but must reset totp key.
We have a similar feature here. If TOTP is lost the admin would disable TOTP, then add a
required action to re-configure TOTP on next login.
In the future, I'd like to have a "World of Warcraft" option. I really
like the way they do it as hacked user accounts were really common prior
to 2-factor auth. To reset a password, you get an email. To reset TOTP
you get a text to your phone. So, if your email account gets hacked
(like mine was prior to enabling 2-factor auth), you're still safe.
Yes, we definitely need more layers of defence. It would be great to have SMS/phone
options. We should also have options to enable password recovery questions (the
"What's your first car" thing).
We can also enable support for OTP through email and sms
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
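The reset flow discussed in this thread (emailed link carrying a temporary token, configurable expiry defaulting to about 10 minutes, link opens a new-password form) is sketched below as an added, stand-alone example. It is not Keycloak's own code and does not use the Keycloak API; the in-memory store, the `PasswordResetService` class and the selector/verifier token layout are assumptions made for illustration. The points a practitioner would want to see are that only a hash of the secret part is persisted, that the comparison is constant-time, that the token is single-use, and that expiry is enforced against an injectable clock so the timeout is testable.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ResetRecord:
    """Hypothetical server-side record for one outstanding reset link."""
    username: str
    verifier_hash: str   # sha256 of the secret half; the raw secret is never stored
    expires_at: float    # absolute epoch seconds
    used: bool = False


class PasswordResetService:
    """Issues and redeems emailed reset tokens (assumed design, not Keycloak's)."""

    def __init__(self, ttl_seconds: int = 600, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds          # configurable lifetime; 600 s mirrors the thread's default
        self.clock = clock              # injectable so expiry can be exercised in tests
        self._records: Dict[str, ResetRecord] = {}   # keyed by public selector

    @staticmethod
    def _hash(verifier: str) -> str:
        return hashlib.sha256(verifier.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Create a token of the form '<selector>.<verifier>' to embed in the emailed URL.

        The selector locates the record; the verifier is the secret that proves
        possession of the email. Storing only its hash means a leaked table does
        not hand out live reset links.
        """
        selector = secrets.token_urlsafe(8)
        verifier = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._records[selector] = ResetRecord(
            username=username,
            verifier_hash=self._hash(verifier),
            expires_at=self.clock() + self.ttl,
        )
        return f"{selector}.{verifier}"

    def reset_link(self, base_url: str, token: str) -> str:
        """Build the URL that would be mailed to the user (base_url is assumed)."""
        return f"{base_url}/reset-password?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the token is well-formed, unexpired and unused.

        Any failure returns None so callers cannot distinguish 'no such selector'
        from 'wrong verifier' and probe the table. Successful redemption marks the
        record used, so a second click on the same link is rejected.
        """
        selector, sep, verifier = token.partition(".")
        if not sep or not selector or not verifier:
            return None
        rec = self._records.get(selector)
        if rec is None:
            return None
        if not hmac.compare_digest(rec.verifier_hash, self._hash(verifier)):
            return None
        if rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        return rec.username


if __name__ == "__main__":
    svc = PasswordResetService(ttl_seconds=600)
    tok = svc.issue("alice")                      # constructed sample user
    print(svc.reset_link("https://sso.example.test", tok))
    print("first redeem:", svc.redeem(tok))       # alice
    print("second redeem:", svc.redeem(tok))      # None, token already used
```

The new-password form that the link opens would call `redeem` once, and only on success accept the new credential; the "update password" required action the thread mentions would then be cleared for that user.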