Re: [keycloak-user] Security implications when having long login action timeout
2-3 days for email verification seems OK to me, but I wouldn't do that for
password resets. So I think you need to request a feature to be able to
configure those independently.
On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
Hi,
we got requirement to have long timeout e.g. 2 - 3 days on links for
e-mail verification during registration for better UX.
It’s possible to do it via setting "Login action timeout” to 3 days. This
setting also change the timeout of link for forgot password AFAIK.
I’m thinking about security implications.
Can somebody steal such link in e-mail somehow and then steal identity
because of doing “forgot password” on target account? For example by
listening SMTP protocol communication?
Thanks,
Libor Krzyžanek
jboss.org Development Team
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Attachments:
- attachment.html (text/html — 1.5 KB)