From: Krzysztof B. <kb...@un...> - 2018-03-27 04:12:29
Dear Willem,

On 26.03.2018 at 14:34, Willem Elbers wrote:
> Dear Krzysztof,
>
> When doing a password reset, users need to copy and paste a code from an
> email to the password reset dialog.
> If UnityIDM allows to send a 1-time URL instead this would be a nice and
> user-friendly alternative.
>
> Would this be something you would consider implementing?

This is quite an insecure way of resetting a password. Everybody having read access to the user's mail (as any mail admin) can then easily overtake the Unity account using that email (triggering the sending of the email code is easy).

On the other hand, this is (should be) a very infrequent operation, so copying a few characters shouldn't be too demanding.

In the next version there will be a new feature allowing for an even more secure password reset with the use of a mobile, however requiring retyping the code.

So sorry, but I wouldn't go for it.

Best,
Krzysztof