alternate initial password transfer path

Discussion in 'Feature Requests' started by PeterPan, Mar 27, 2020.

  1. PeterPan

    PeterPan New Member

    Joined:
    Oct 17, 2019
    Messages:
    1
    Likes Received:
    0
    There is a possible security issue at the initial password token handling:
    Please prepare a second token transfer path.

    Issue:
    If the account hasn´t been created already, liquidfiles send the token e-mail to the receipient in a separate email. A hacker who can read this mail, can login to the liquidfiles account and steal informations.
    Is it possible to send the email with the token and the authentication link to the sender instead of the recipient?

    It makes sence to send the information via a second communication path like phone or whatever (sms is not an option for us).
     
  2. Johan

    Johan Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    37
    Likes Received:
    1
    Every single password reset function works this way by sending an email token to the account requesting the password reset. This is not likely to change.

    if you want stronger user account creation you can manually create accounts, including setting 2 factor authentication for the account before the account is created.
     

Share This Page