Hi Johann,

Thanks for the clarification.

On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Password based authentication - yes. Since we take in a password that has
> very low probability of being the same of another user within the domain
> for the same claim identifier, we can actually allow authentication with
> any claim - doesn't necessarily have to be unique.

So, we can choose some claim as the identifier for password based authentication at a time as a configuration in the User Portal.

> However for recovery we must identify user uniquely and for that we need
> to have a set of claims that identify the user uniquely within a domain.
> Again can we use the attribute profile concept here?

Agreed that we use attribute profile based approach for username recovery. For password recovery, do we need to follow that approach? Shouldn't this align with whatever claim users use to authenticate to the system in password based authentication? For example, a system may choose to use the email claim as the login identifier. Then shouldn't we ask for the same identifier at password recovery of that system? In that case, if we use a claim which is not unique, it will be hard to identify the user for password recovery.

Thanks!
-Ayesha

--
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com <ayshsa...@gmail.com>