From 1956f1a916d5fbb512c834740e9e5cb0a027e6e9 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Wed, 5 Jun 2019 12:59:58 +0100 Subject: [PATCH] Revert "Remove attacker bit" This reverts commit c9711acbc5fe231e67c2dbfe15a8c795219a25d5. --- proposals/2078-homeserver-password-resets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/2078-homeserver-password-resets.md b/proposals/2078-homeserver-password-resets.md index 8ef560e9a..f1c5928a5 100644 --- a/proposals/2078-homeserver-password-resets.md +++ b/proposals/2078-homeserver-password-resets.md @@ -1,6 +1,6 @@ # MSC2078 - Sending Password Reset Emails via the Homeserver -This MSC proposes removing the current requirement of the identity server to send password reset tokens, and allows homeservers to implement the functionality instead. The intention is to put less trust in the identity server which is currently one of the most centralised components of Matrix. +This MSC proposes removing the current requirement of the identity server to send password reset tokens, and allows homeservers to implement the functionality instead. The intention is to put less trust in the identity server which is currently one of the most centralised components of Matrix. As it stands, an attacker in control of a identity server can reset a user's password if that user has registered a third-party identifier (3PID) with that identity server, due to itself also handling the job of confirming the user's control of that identity. The MSC aims to simply clarify that homeservers can take on the responisibility of sending password reset tokens themselves.
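Review bot: The sentence restored on the added line, starting "As it stands, an attacker in control of a identity server", carries the threat statement that motivates the MSC but is hard to parse in its second half: "due to itself also handling the job of confirming the user's control of that identity" has no clear subject and switches from "identifier" to "identity". Suggest something like "because that identity server is also what confirms the user's control of the identifier", and "a identity server" should be "an identity server". The commit message only says it reverts c9711acbc5fe231e67c2dbfe15a8c795219a25d5; a line on why the attacker sentence is being restored would help anyone reading the history of the proposal.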