Repository: syncope Updated Branches: refs/heads/2_0_X 767c30307 -> a56ef7b1e refs/heads/master a70efed4c -> 2b775bb48
Adding warning about not reporting user's security answer Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a56ef7b1 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a56ef7b1 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a56ef7b1 Branch: refs/heads/2_0_X Commit: a56ef7b1e80a24b8a3d482d1e31dd0fbc71e22c4 Parents: 767c303 Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Fri Mar 3 08:24:12 2017 +0100 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Fri Mar 3 08:24:12 2017 +0100 ---------------------------------------------------------------------- .../reference-guide/concepts/usersgroupsandanyobjects.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/a56ef7b1/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc index ba14de6..a9aa2f9 100644 --- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc +++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc 
@@ -111,6 +111,15 @@ The usage of security questions can be however disabled by setting the `password <<configuration-parameters, below>> for details. ==== +[[password-reset-no-security-answer]] +[WARNING] +==== +Once provided via Enduser UI, the answers to security questions are *never* reported, neither via REST or Admin UI to +administrators, nor to end-users via Enduser UI. + +This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords. +==== + [NOTE] In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to update their password value at next login.
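Review bot: The wording of the added [WARNING] block needs two grammar fixes before it is merged: the "neither ... or" construction in "neither via REST or Admin UI to administrators, nor to end-users via Enduser UI" should read "neither via REST nor via the Admin UI to administrators, nor to end-users via the Enduser UI", and "This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords." is missing its verb and should read "This is to avoid any information disclosure that could let an attacker reset other users' passwords." The security point itself, that answers are write-only once set through the Enduser UI and are never returned to administrators or end-users, is the right thing to document, so keep the block as a WARNING rather than a NOTE. Minor: the new anchor `[[password-reset-no-security-answer]]` is defined but nothing in this hunk links to it; if no other page references it, it can be dropped, otherwise consider pointing to it from the password-reset section above.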