[keycloak-user] Security implications when having long login action timeout
Marek Posolda
mposolda at redhat.com
Tue Nov 10 09:23:14 EST 2015
On 10/11/15 13:50, Libor Krzyzanek wrote:
> Hi,
> we got a requirement to have a long timeout, e.g. 2-3 days, on links for e-mail verification during registration, for better UX.
> It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password AFAIK.
>
> I’m thinking about security implications.
>
> Can somebody steal such a link in an e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to the SMTP protocol communication?
AFAIK, if you use TLS for the SMTP protocol, the communication between Keycloak and the SMTP server should be encrypted, and hence nobody should be able to listen in and get the content of the message.

Another thing is the communication between the SMTP server and the POP3/IMAP server. I think it depends on the security of the POP3/IMAP server; the major vendors like GMail are likely using secure communication. But I don't know 100%...

The thing is that the "Forgot password" link can be used just once, so the user will be able to recognize that somebody else clicked on the link instead of him.
Marek
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
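An added example, not from the thread or from the Keycloak project, that turns the two points above (how long action links stay valid, and whether the mail leg to the SMTP server is encrypted) into a review check over a realm export. It assumes the realm-representation keys `accessCodeLifespanUserAction` (the "Login action timeout", in seconds) and `smtpServer` with `starttls`/`ssl` flags stored as strings, and the sample exports are constructed.

```python
import json

# Assumed Keycloak realm-export keys (not quoted on the mailing-list page):
# "accessCodeLifespanUserAction" is the "Login action timeout" in seconds, and
# "smtpServer" holds outgoing-mail settings with "starttls"/"ssl" as "true"/"false".
MAX_ACTION_LIFESPAN_SECONDS = 24 * 60 * 60  # constructed policy threshold: one day


def _flag(value):
    """Keycloak stores smtpServer booleans as strings; accept real bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_realm(realm):
    """Return a list of findings about e-mail action links for one realm export."""
    findings = []
    lifespan = int(realm.get("accessCodeLifespanUserAction", 0))
    if lifespan > MAX_ACTION_LIFESPAN_SECONDS:
        findings.append(
            "login action timeout is %d seconds (%.1f days); verification and "
            "forgot-password links stay valid longer than policy allows"
            % (lifespan, lifespan / 86400.0))
    smtp = realm.get("smtpServer") or {}
    if not smtp:
        findings.append("no SMTP server configured; action e-mails cannot be sent")
    elif not (_flag(smtp.get("starttls")) or _flag(smtp.get("ssl"))):
        findings.append(
            "SMTP transport to %s:%s uses neither STARTTLS nor SSL; action links "
            "leave Keycloak in cleartext"
            % (smtp.get("host", "?"), smtp.get("port", "25")))
    return findings


# Constructed sample realm-export fragments, not taken from any real deployment.
SAMPLE_WEAK = json.loads("""{
  "realm": "demo", "accessCodeLifespanUserAction": 259200,
  "smtpServer": {"host": "mail.example.test", "port": "25", "starttls": "false", "ssl": "false"}
}""")
SAMPLE_OK = json.loads("""{
  "realm": "demo", "accessCodeLifespanUserAction": 1800,
  "smtpServer": {"host": "mail.example.test", "port": "587", "starttls": "true", "ssl": "false"}
}""")

if __name__ == "__main__":
    for name, realm in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, check_realm(realm) or ["no findings"])
```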