# talk-kratos
l
Hi! Quick question. On the settings flow, when trying to change password, I’m seeing only the new password as a required parameter. Shouldn’t there be a validation where the user should also provide the current password?
p
Hi @User No, since we require you to have a session already (which means you have already proven your identity). Also you can set how long this session should be before Kratos would require the user to sign in again to validate their identity before allowing any profile updates. https://www.ory.sh/docs/kratos/self-service/flows/user-settings#updating-privileged-fields
l
Let’s say I am logged in on my machine. I forget and leave my machine unlocked. Someone with bad intentions goes to the platform and changes my password. He can set a new password for my account without me even knowing it.
p
Yes, that is why this is configurable to your use case, e.g. 10 min? 5 min? 2 min?
l
Ah okay, so there is a special (privileged) session for changing password / email, apart from the session which keeps me logged in?
Or did I get it wrong?
p
Yes there is, that is what the link to the docs shows 🙂
To clarify: it's the maximum time the session has been active for which allows you to update a privileged field,
so it still relies on your session cookie (which is a different setting).
l
So, if I’ve configured it to only allow 5 mins to change privileged fields, the user can still be logged in for 2 hours? What would happen if he tries to change a privileged field 5 mins after he first logs in?
p
Yes he can still be logged in for 2 hours, but to update his settings Kratos would request the user to log in again