[keycloak-user] Security implications when having long login action timeout

Hi, we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification during registration for better UX. It’s possible to do it via setting "Login action timeout” to 3 days. This setting also change the timeout of link for forgot password AFAIK. I’m thinking about security implications. Can somebody steal such link in e-mail somehow and then steal identity because of doing “forgot password” on target account? For example by listening SMTP protocol communication? Thanks, Libor Krzyžanek jboss.org Development Team