[keycloak-user] Security implications when having long login action timeout

Stian Thorgersen sthorger at redhat.com
Tue Nov 10 09:27:26 EST 2015


2-3 days for email verification seems OK to me, but I wouldn't do that for
password resets. So I think you need to request a feature to be able to
configure those independently.

On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan at redhat.com> wrote:

> Hi,
> we got requirement to have long timeout e.g. 2 - 3 days on links for
> e-mail verification during registration for better UX.
> It’s possible to do it via setting "Login action timeout” to 3 days. This
> setting also change the timeout of link for forgot password AFAIK.
>
> I’m thinking about security implications.
>
> Can somebody steal such link in e-mail somehow and then steal identity
> because of doing “forgot password” on target account? For example by
> listening SMTP protocol communication?
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151110/5a581f65/attachment.html 


More information about the keycloak-user mailing list