updateCredential doesn't update the old one, it creates a new one. The only reason this works is because the password handler query for the most current credential. (Same as TOTP). This will be a storage leak over time as passwords are reset and tokens added/created. https://issues.jboss.org/browse/PLINK-238 -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com