Hi,

The actual requirement of this feature is that administrators should be able to enforce a password reset action for users before they authenticate to the system. [1] explains the similar feature in IS-5.3.0.

Most of the confusion arises from calling this pass-code an OTP. Rather, AFAIK this is an admin-generated passcode, not a password that a user can use to authenticate to the system. Once an admin initiates this flow for a particular user, then when someone tries to log in to the system with the account's current password, he doesn't get authenticated; instead he is asked to provide the passcode. When the user provides the correct passcode, he will be asked to reset the password. Without resetting the password he cannot continue to log in to the system.

On Thu, Mar 16, 2017 at 9:31 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

> Why should we allow multiple OTPs for a particular user at a given time?
> Cannot we keep only one valid OTP for a user at a given time and override
> it at the point of creating a new one?

+1. Let's keep only one valid OTP.

> How do you plan to access the content in this table from the authentication
> flow?
>
> What I wanted to point out is, this OTP is another credential for the user. So
> we should store it in a "credential store" which is introduced with the new user
> core.
> It's clear this can be used only one time, but what is the scope of this OTP?
> Can this only be used to log in to the user-portal, or can this OTP be used for
> any other purposes (for example, say logging in to generate a SAML token in an SSO
> story)?
>
> Actually in this implementation we have not considered this as a password.
> Though we used the word OTP it is kind of a code. By using this code the user
> can create a new password but cannot log in to any portal or perform any task
> of IS. So this is not actually a credential for the user.

+1

> In some cases identity admins need to set a validity period on the OTP, so IMO we
> need to support time based validity.
>
> I too have the same concern. What is the idea behind allowing multiple
> OTPs at any point of time? Isn't the usual practice to keep only the latest
> OTP active?

+1. Let's add a time based validity period.

Already time based code expiration is there for recovery table entries.

On Thu, Mar 16, 2017 at 10:17 AM, Gayan Gunawardana <ga...@wso2.com> wrote:

> Due to some network issue or mail server issue, if the user doesn't receive the
> second OTP, in that case the user experience is not so good. I do not see a
> problem with having multiple valid OTPs at a given time. What needs to be done
> is that all should be invalidated if the user consumes at least one.

In this case the user should be given the option to re-receive a new code (e.g. a message to contact an admin to do so, or a redirect to the self-service portal).

Thanks!
-Ayesha

--
Ayesha Dissanayaka
Senior Software Engineer, WSO2, Inc: http://wso2.com
20, Palm Grove Avenue, Colombo 3
E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
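To make the behaviour agreed in this thread concrete, here is an added illustrative model, written for this note and not WSO2 IS code: one valid admin-issued code per user (a new code overrides the old one), time-based expiry, single use, the code is not accepted as a login password, and the account's current password stops working until the reset completes. The class, method names, the in-memory stores and the injectable clock are all assumptions.

```python
import hmac
import secrets
import time


class ForcedResetFlow:
    """Hypothetical in-memory model of the admin-initiated reset flow (not
    WSO2 IS code); `passwords` stands in for the user store, `clock` is
    injectable so expiry can be tested."""

    def __init__(self, passwords, validity_seconds=900, clock=time.time):
        self.passwords = dict(passwords)  # username -> password (demo only)
        self.validity, self.clock = validity_seconds, clock
        self.codes = {}        # username -> [code, expires_at, consumed]
        self.must_reset = set()

    def admin_initiate(self, username):
        # One valid code per user: a new code overrides any earlier one.
        code = secrets.token_urlsafe(8)
        self.codes[username] = [code, self.clock() + self.validity, False]
        self.must_reset.add(username)
        return code

    def authenticate(self, username, password):
        # While a reset is pending the current password does not log the
        # user in; the flow is diverted to the passcode step instead.
        if username in self.must_reset:
            return "RESET_REQUIRED"
        stored = self.passwords.get(username)
        return "OK" if stored and hmac.compare_digest(stored, password) else "FAIL"

    def verify_code(self, username, presented):
        # Accepted only if unexpired, unconsumed and equal to the stored code.
        entry = self.codes.get(username)
        if entry is None or entry[2] or self.clock() > entry[1]:
            return False
        if not hmac.compare_digest(entry[0], presented):
            return False
        entry[2] = True  # single use
        return True

    def reset_password(self, username, new_password):
        # Permitted only after the code was consumed; clears the pending state.
        entry = self.codes.get(username)
        if entry is None or not entry[2]:
            return False
        self.passwords[username] = new_password
        self.must_reset.discard(username)
        del self.codes[username]
        return True
```

Note that the passcode is never checked by `authenticate`, which is the point made above: it is a reset code, not a credential.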
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture