Solved

Expired password token

  • 3 October 2023
  • 1 reply
  • 58 views

How long is the password token that is sent from the ‘password forgot’ function valid? And is there a place where you can have influence on that?

Best answer by Roel 24 October 2023, 11:38

Hello,

Password reset tokens and 2FA tokens that are sent by email are valid for roughly 9 minutes. 2FA tokens that use TOTP are valid for roughly 90 seconds.

Indicium uses the ASP.NET Core Identity framework for user management and authentication, and these values are determined by Microsoft and hardcoded into the token providers that are used by default (by email, by TOTP). As it is, these are not configurable for us and we feel that it would be unwise to deviate from these token providers. In general, it's not a very good idea to increase the lifetime of these tokens by a lot for security reasons.

Is there a specific problem you are running into regarding the lifetime of the tokens?

 

Kind Regards,

Roel

- edited