Hi, I have started working on [1], which forces a password reset for a user after an administrative password recovery action.
Based on the off-line discussion with Darshana, this flow can be as follows.

1. User '*Bob*' forgets his password and requests an administrative person to perform a password reset action.
2. The admin person resets the password and provides a new password to *Bob* off-line.
3. This can be performed using the management console.
4. When *Bob* tries to log in with the newly provided password, the login page should prompt a password reset UI to *Bob*.
5. Without changing the password, Bob cannot log in to the system.
6. There should be a way to distinguish a *user password reset* from an *admin password reset*.

Additionally, there can be enhancements to this flow by sending an OTP in an email to the user 'Bob' and enforcing the password reset by directing him to a provided link.

What are your thoughts on this?

[1] https://redmine.wso2.com/issues/5417

Thanks!
-Ayesha

--
*Ayesha Dissanayaka*
Software Engineer, WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected]
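A minimal model of the proposed flow (steps 2, 4, 5 and 6 above), added here as an illustration and not code from the WSO2 Identity Server: an admin reset marks the account as requiring a password change and records the reset source, login fails closed until the user sets a new password, and the self-service change must present the temporary password and choose a different one. The `Account` fields, function names and PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    # Set only by an administrative reset; cleared by a self-service change.
    must_change_password: bool = False
    # "admin" or "user": lets the system distinguish the two kinds of reset (step 6).
    reset_source: str = ""


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters for the example; a real deployment tunes these.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _verify(account: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, account.salt), account.pw_hash)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def admin_reset_password(account: Account, temp_password: str) -> None:
    """Step 2: admin sets a temporary password; login is blocked until Bob changes it."""
    account.salt = os.urandom(16)
    account.pw_hash = _hash(temp_password, account.salt)
    account.must_change_password = True
    account.reset_source = "admin"


def login(account: Account, password: str) -> str:
    """Steps 4/5: 'OK', 'PASSWORD_RESET_REQUIRED' (prompt the reset UI) or 'DENIED'."""
    if not _verify(account, password):
        return "DENIED"
    if account.must_change_password:
        return "PASSWORD_RESET_REQUIRED"  # fail closed: no session until the change is done
    return "OK"


def user_change_password(account: Account, current: str, new: str) -> bool:
    """Self-service change: requires the current (temporary) password and a different new one."""
    if not _verify(account, current) or new == current:
        return False
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new, account.salt)
    account.must_change_password = False
    account.reset_source = "user"
    return True
```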
