You're right. In order to update the secret key is necessary to specify the password too. You're not required to provide the exact password, given that it will be updated with what you provided. Regarding multiple tokens, we can easily support that changing the handler's logic. Would be nice a PR :). If you want to, I can work on something do those changes. ----- Original Message ----- From: "Bill Burke" <bburke(a)redhat.com&gt; To: security-dev(a)lists.jboss.org Sent: Tuesday, June 11, 2013 11:19:56 AM Subject: [security-dev] TOTPCredentails should not be associated with Password Right now, AFAICT, you cannot update the TOTP secret key without also knowing the password. I"d like to not have TOTP classes inherit from the corresponding Password classes. I can implement and provide a pull request if you agree. Another thing to think about down the road is that you may want to allow multiple tokens. Tokens generated by different devices owned by the user. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev

https://issues.jboss.org/browse/PLINK-187 https://issues.jboss.org/browse/PLINK-188 ----- Original Message ----- From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: security-dev(a)lists.jboss.org Sent: Tuesday, June 11, 2013 12:13:39 PM Subject: Re: [security-dev] TOTPCredentails should not be associated with Password And this is wrong behavior. Let's say I lost my iphone and need a new token. User shouldn't have to change their password as well. On 6/11/2013 11:03 AM, Pedro Igor Silva wrote: -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com