[keycloak-user] Security implications when having long login action timeout

Libor Krzyzanek lkrzyzan at redhat.com
Tue Nov 10 10:55:56 EST 2015


Having such option makes sense for sure.
Jira issue: https://issues.jboss.org/browse/KEYCLOAK-2052

Thanks,

Libor Krzyžanek
jboss.org Development Team

> On Nov 10, 2015, at 3:27 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
> 
> 2-3 days for email verification seems OK to me, but I wouldn't do that for password resets. So I think you need to request a feature to be able to configure those independently.
> 
> On 10 November 2015 at 13:50, Libor Krzyzanek <lkrzyzan at redhat.com> wrote:
> Hi,
> we got a requirement to have a long timeout, e.g. 2-3 days, on the links for e-mail verification during registration, for better UX.
> It's possible to do it by setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password, AFAIK.
> 
> I'm thinking about the security implications.
> 
> Can somebody somehow steal such a link from the e-mail and then steal the identity by doing "forgot password" on the target account? For example, by listening to the SMTP protocol communication?
> 
> Thanks,
> 
> Libor Krzyžanek
> jboss.org Development Team
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
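As an added illustration of the point made in the reply above (one shared timeout versus independent lifespans per action), here is a constructed action-token check that binds each emailed link to its action and gives verify-email a long window while keeping reset-credentials short. This is example code written for this thread, not Keycloak's implementation; the key, the action names and the lifespan values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side HMAC key (constructed for the example, not a Keycloak setting).
SECRET = b"constructed-demo-key-do-not-reuse"

# Per-action lifespans in seconds. Assumed policy: the registration link may live
# for days (the UX requirement), but a password-reset link stays short-lived.
ACTION_LIFESPAN = {
    "verify-email": 3 * 24 * 3600,   # 3 days
    "reset-credentials": 5 * 60,     # 5 minutes
}


def issue_action_token(user_id: str, action: str, now: int) -> str:
    """Create a signed token for one user and one action, expiring per that action."""
    if action not in ACTION_LIFESPAN:
        raise ValueError(f"unknown action: {action}")
    payload = {"sub": user_id, "act": action, "iat": now,
               "exp": now + ACTION_LIFESPAN[action]}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()


def verify_action_token(token: str, expected_action: str, now: int):
    """Return the user id if the token is authentic, unexpired and issued for
    expected_action; otherwise return None. A verify-email link must never be
    accepted as a reset-credentials link, even while it is still valid."""
    body, _, sig = token.encode().partition(b".")
    good = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, good):      # reject tampered or forged tokens
        return None
    padded = body + b"=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["act"] != expected_action:       # action binding
        return None
    if now >= payload["exp"]:                   # per-action expiry
        return None
    return payload["sub"]
```

In a real deployment the token would also be single-use (invalidated on first consumption), which the example leaves out for brevity.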
