Issue 1: Changing password should not invalidate all tokens (optional)
It should be noted that users should be able to change their passwords with Service Providers without invalidating existing tokens. Password management can be separate from token management.
Sep 17, 2007
I'd say "It's up to the service provider." In our case (banking site), invalidating all tokens might be right (I'm not sure, but I could imagine). Likewise for medical applications.
Sep 17, 2007
Maybe best to let the user decide. But the password change form is a good place to remind the user of any permissions they gave out.