Adding warning about not reporting user's security answer
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/2b775bb4 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/2b775bb4 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/2b775bb4 Branch: refs/heads/master Commit: 2b775bb48d73d6ce4c4042ee2e5568164ffe62ee Parents: a70efed Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Fri Mar 3 08:24:12 2017 +0100 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Fri Mar 3 08:24:32 2017 +0100 ---------------------------------------------------------------------- .../reference-guide/concepts/usersgroupsandanyobjects.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/2b775bb4/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc index ba14de6..a9aa2f9 100644 --- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc +++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc 
@@ -111,6 +111,15 @@ The usage of security questions can be however disabled by setting the `password <<configuration-parameters, below>> for details. ==== +[[password-reset-no-security-answer]] +[WARNING] +==== +Once provided via Enduser UI, the answers to security questions are *never* reported, neither via REST or Admin UI to +administrators, nor to end-users via Enduser UI. + +This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords. +==== + [NOTE] In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to update their password value at next login.
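Review bot: the two sentences in the new WARNING block need grammatical fixes before they land in the reference guide: "neither via REST or Admin UI to administrators, nor to end-users via Enduser UI" should read "neither via REST nor via Admin UI to administrators, nor via Enduser UI to end-users", and "This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords." lacks a verb, e.g. "This avoids disclosing information that could allow an attacker to reset another user's password." The block also documents only that answers are never returned by the API or the UIs; since a reader will reasonably ask whether the stored answer is equally protected at rest, consider adding one sentence to the same block saying how the server stores it, or pointing to the section that does.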