Today we're releasing some minor changes that mainly affect the password reset operation. Aside from correcting some bugs and making it more secure, the main change applies when the user has two-factor authentication enabled.
Before this release, when a user who had two-factor authentication enabled requested a password reset and successfully reset it, she also had two-factor authentication disabled. We thought this was a practical way to disable 2FA in case the user lost her smartphone or something else happened. The truth is, though, that this is a bit unsafe. If someone had access to the user's email (even for a few moments), this was an easy way to gain access to Team Password Manager. We've made it more secure by requiring the user to enter the authentication code to be able to reset the password, and also by not disabling 2FA.
Now, if a user needs to disable 2FA (and she's not logged in), she must contact an admin user. If the user is an admin user, instructions for disabling 2FA are provided in the 2FA doc for admins.
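The reset rule described above, as an added sketch in Python: this is not Team Password Manager's code, and the `User` record, `reset_password` and `hash_password` are hypothetical names. It assumes the authentication code is a standard RFC 6238 TOTP code and accepts one time step of clock drift.

```python
import hashlib, hmac, os, struct, time
from dataclasses import dataclass
from typing import Optional

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", max(0, int(at // step)))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

@dataclass
class User:  # hypothetical account record
    reset_token: Optional[str]     # token sent in the reset email
    totp_secret: Optional[bytes]   # None means 2FA is not enabled
    password_hash: bytes = b""

def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def reset_password(user: User, token: str, new_password: str,
                   code: Optional[str] = None, now: Optional[float] = None) -> bool:
    """Apply a reset only if the emailed token and, with 2FA on, the code are valid."""
    now = time.time() if now is None else now
    if not user.reset_token or not hmac.compare_digest(
            user.reset_token.encode(), token.encode()):
        return False
    if user.totp_secret is not None:
        # Control of the mailbox alone is not enough: the second factor is required.
        if code is None:
            return False
        window = [totp(user.totp_secret, now + drift * 30) for drift in (-1, 0, 1)]
        if not any(hmac.compare_digest(code.encode(), c.encode()) for c in window):
            return False
    user.password_hash = hash_password(new_password)
    user.reset_token = None        # single use
    # user.totp_secret is deliberately left untouched: a reset never disables 2FA.
    return True
```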
We've updated the corresponding 2FA documents to explain this:
- Two-Factor Authentication in Team Password Manager (doc for Admins)
- How to enable Two-Factor Authentication for a user (doc for users)
This release also introduces trial licenses. Trial licenses allow you to test Team Password Manager with all the users you need and with unlimited projects, as if you had a normal license. Trial licenses expire in 30 days.