- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 6.5.0, 6.0.0.6, 7.0.0
- Component/s: documentation
- Labels:
- Environment: AM 6.x release notes
- Sprint: AM 2019.6 - Lathe
- Story Points: 3
- Needs backport: No
- Support Ticket IDs:
- Needs QA verification: No
- Functional tests: No
- Are the reproduction steps defined?: No (add reasons in the comment)
Bug description
The password reset email token can no longer be reused multiple times. This may change the flow of customizations or applications that use this user self-service feature.
How to reproduce the issue
- Checking the release notes, there is only a section on:
Forgotten Password Account Lockout Feature
AM 6 provides new properties to limit the number of attempts allowed at answering security questions (KBA), and to lock the account if exceeded. The properties are as follows:
- Enforce password reset lockout (forgotten.password.kba.number.of.allowed.attempts.enforced)
- Lock Out After number of attempts (forgotten.password.kba.number.of.allowed.attempts)
- There is no mention of this security improvement or change.
Expected behaviour
You would be able to click on the recovery password link multiple times and still recover your password.
Current behaviour
The URL is only usable once; if you fail, you need to initiate receiving an email again.