[keycloak-dev] Password resetting

Stian Thorgersen stian at redhat.com
Fri Jan 24 09:33:04 EST 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 24 January, 2014 2:16:21 PM
> Subject: Re: [keycloak-dev] Password resetting
> 
> 
> 
> On 1/24/2014 8:38 AM, Stian Thorgersen wrote:
> > To prevent hijacking the thread for planning what goes into the next
> > release, I'll start this new thread on this subject.
> >
> > For clarification, at the moment what we have with password reset is :
> >
> > Users:
> > * If realm allows it and user has registered email address they can click
> > on the recover password option. They then insert their username and an
> > email with a link is sent to them. This link will expire within a
> > configurable time (default is 10 min I think). The link will open a form
> > enabling the user to insert a new password.
> >
> > Admins:
> > * Admins can set a new temporary password on a user account. This will add
> > a flag that the user is required to reset the password on next login.
> > Currently the admin could remove this required action though, as admins
> > can add/remove required actions to an account
> >
> > Improvements to this flow would be good. It's not elegant that the admin has
> > to manually create a tmp password, and somehow communicate this to the user.
> > Also, as Bruno pointed out this would mean an admin could gain access to a
> > user's account. Any other concerns?
> >
> 
> The improvement I want is an email with a URL that contains a temporary
> token.  User's acct status would be set to "update password", but they
> would not have to enter in their password, just a new one.

We have this already, don't we? In the realm settings enable "Reset password", then open the login page; now there's a link for "Forgot Username" and "Forgot Password".

> 
> I think you're right in that we still need the option for the admin to
> set up a temporary password.
> 
> > With regards to admins being able to send recover email, I'm not sure I see
> > the point. Users can do this themselves if they want to. Also, the link in
> > the email expires within a relatively short timeout, so it would quite
> > likely be expired by the time a user reads it
> >
> > Stopping a compromised admin being able to access the account, I'm not sure
> > that would be feasible. Even if an admin can't set a tmp password, they
> > could for example change the email and get a recovery password email sent
> > to themselves. I also think a compromised admin account would mean we're
> > pretty screwed in any case, so is this really important?
> >
> > I don't understand how TOTP would work, can you explain.
> 
> TOTP could work same way as above.  Send an email, user is temporarily
> authenticated, but must reset totp key.

We have similar feature here. If TOTP is lost the admin would disable TOTP, then add a required action to re-configure TOTP on next login.

> 
> In the future, I'd like to have a "World of Warcraft" option.  I really
> like the way they do it as hacked user accounts were really common prior
> to 2-factor auth.  To reset a password, you get an email.  To reset TOTP
> you get a text to your phone.  So, if your email account gets hacked
> (like mine was prior to enabling 2-factor auth), you're still safe.

Yes, we definitely need more layers of defence. Would be great to have SMS/phone options. We should also have options to enable password recovery questions (What's your first car thing).

We can also enable support for OTP through email and sms

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
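The two flows discussed in this thread (a mailed reset link that expires after a configurable time and can only be used once, and an admin-set temporary password that flags the account with a "must update password" required action) as an added, self-contained example. This is constructed illustration code, not Keycloak's implementation: the class and method names, the `UPDATE_PASSWORD` and `CONFIGURE_TOTP` action names, and the 600-second default ("10 min I think" in the thread) are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RESET_TTL_SECONDS = 600              # assumed default; the thread says "10 min I think"
UPDATE_PASSWORD = "UPDATE_PASSWORD"  # hypothetical required-action names
CONFIGURE_TOTP = "CONFIGURE_TOTP"


@dataclass
class User:
    username: str
    email: Optional[str]
    password_hash: Optional[str] = None
    totp_secret: Optional[str] = None
    required_actions: Set[str] = field(default_factory=set)


@dataclass
class ResetRecord:
    username: str
    expires_at: float


def hash_password(password: str) -> str:
    """Salted scrypt, stored as hex(salt)$hex(digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(user: User, password: str) -> bool:
    if not user.password_hash:
        return False
    salt_hex, digest_hex = user.password_hash.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


class ResetService:
    def __init__(self, users: List[User], ttl: float = RESET_TTL_SECONDS):
        self.users: Dict[str, User] = {u.username: u for u in users}
        self.ttl = ttl
        # Only a SHA-256 fingerprint of each mailed token is kept, so a leaked
        # table of pending resets cannot be replayed as live links.
        self._pending: Dict[str, ResetRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    # --- user-driven flow: the "recover password" link ------------------------
    def request_reset(self, username: str, now: float) -> Optional[str]:
        """Return the raw token to embed in the e-mailed link, or None.
        The caller should render the same page either way so the request does
        not reveal whether the username exists or has an e-mail address."""
        user = self.users.get(username)
        if user is None or not user.email:
            return None
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = ResetRecord(username, now + self.ttl)
        return token

    def redeem(self, token: str, now: float) -> Optional[User]:
        """Validate a link token: single use and not expired. On success the
        user is flagged to choose a new password, as in the thread."""
        rec = self._pending.pop(self._fingerprint(token), None)  # pop => single use
        if rec is None or now > rec.expires_at:
            return None
        user = self.users[rec.username]
        user.required_actions.add(UPDATE_PASSWORD)
        return user

    # --- admin-driven flows ------------------------------------------------------
    def set_temporary_password(self, username: str, temp_password: str) -> None:
        """Admin sets a temporary password; the user must change it at next login."""
        user = self.users[username]
        user.password_hash = hash_password(temp_password)
        user.required_actions.add(UPDATE_PASSWORD)

    def reset_totp(self, username: str) -> None:
        """Admin disables a lost TOTP device and requires re-enrolment at next login."""
        user = self.users[username]
        user.totp_secret = None
        user.required_actions.add(CONFIGURE_TOTP)

    # --- completing the required action -----------------------------------------
    def complete_password_update(self, user: User, new_password: str) -> bool:
        """Clear the flag only once the user has actually supplied a new password."""
        if UPDATE_PASSWORD not in user.required_actions or not new_password:
            return False
        user.password_hash = hash_password(new_password)
        user.required_actions.discard(UPDATE_PASSWORD)
        return True
```

Storing only a fingerprint of the token, popping it on first use, and checking expiry against the caller-supplied clock are the three properties that make the mailed link safe to have in an inbox for a while; the required-action flag is what stops a temporary password from becoming the permanent one.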

