# talk-kratos
b
Hi, after looking over documentation, it seems that kratos allows users to update password without first confirming their existing one. Is this something on the roadmap? This can be a security concern (anyone logged in can update user password, say on a shared computer). Most account providers require the old password, right?
q
Hi! Do you mean email address? I mean... That would also be something odd
b
Hi, no, the update password feature:
Currently, if the user is logged in, they are free to update the password immediately without further verification
Expected behaviour (or at least optional for devs to implement):
q
This is from an example UI and / or app. Right?
b
This is from the ory kratos documentation
q
The documentation in that particular regard is aimed to illustrate and shouldn't necessarily be taken as a boilerplate... production implementation would require some tweaks for devs as you rightly mentioned
b
Yea, I just didn't see any recommended method to perform this user password verification step, outside of the profile update. As far as I know other than logging in there's no separate password verification endpoint
p
Remember that the settings flow has a setting called `privileged_session_max_age` (https://www.ory.sh/kratos/docs/self-service/flows/user-settings#updating-privileged-fields). Setting this to a value such as 15m would mean that the user would need to first verify themselves before updating their password once the session is older than 15 minutes.
> As far as I know other than logging in there's no separate password verification endpoint

No, logging in is the password verification 🙂 and setting `privileged_session_max_age` to a value that's acceptable in your use case would be secure enough. Example: The user logged in and has a full 15 minutes to update their password. Once this time-frame has expired, the user is required to *verify* themselves again with a login flow. This is enough to prevent someone else from updating their information.
b
I see, ok
Setting this time works fine, thanks. However, I think it may still be worthwhile considering the instantaneous check at moment of change, since that seems to be fairly standard across all account managers
This time only reduces the window for risk of unauthorized change
p
Alright, then I would suggest to please open an issue so that we can keep track of it and discuss it there 🙂
b
Will do
Thanks