Protect Sensitive Attributes

If you configure user self-service, you must ensure that the user's email address and phone number cannot be changed without re-authentication. Otherwise, an attacker who gains access to a user's session can change the user's email address and then perform a password reset to gain full access to the account.

  • To protect sensitive self-service attributes globally, select Configure > Services > Global Services > User Self Service > Profile Management and add telephoneNumber and mail to the list of Protected User Attributes.

  • To protect sensitive self-service attributes at the realm level, select Realms > _Realm name_ > Services > User Self Service > Profile Management and add telephoneNumber and mail to the list of Protected User Attributes.

For more information, see "Profile Management".
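The following is an added illustration of the policy the text describes, written here for this page; it is not AM's own code and does not use AM's APIs. It models a self-service update handler that lets ordinary attributes change on the session alone but refuses any change to a protected attribute (`mail`, `telephoneNumber`) unless the session carries a recent re-authentication. The `Session` structure, the function names and the 300-second freshness window are assumptions made for the example.

```python
"""Illustrative check for protected self-service attributes.

Added example, not part of the AM documentation and not AM's own code. It
models the behaviour the text requires: changes to ``mail`` and
``telephoneNumber`` must not be accepted on a session alone, only after a
fresh re-authentication. The session structure, the function names and the
freshness window are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import time

# Mirrors the "Protected User Attributes" list from the text.
PROTECTED_ATTRIBUTES = frozenset({"mail", "telephoneNumber"})

# Assumed re-authentication freshness window in seconds (not an AM setting).
REAUTH_MAX_AGE = 300


@dataclass
class Session:
    user_id: str
    authenticated_at: float                 # initial login, epoch seconds
    last_reauth_at: Optional[float] = None  # most recent step-up, if any


def protected_changes(changes: dict, protected=PROTECTED_ATTRIBUTES) -> set:
    """Return the protected attribute names present in a profile update."""
    return set(changes) & set(protected)


def reauth_is_fresh(session: Session, now: float,
                    max_age: int = REAUTH_MAX_AGE) -> bool:
    """True if the session re-authenticated within the freshness window."""
    return (session.last_reauth_at is not None
            and 0 <= now - session.last_reauth_at <= max_age)


def evaluate_profile_update(session: Session, changes: dict,
                            now: Optional[float] = None,
                            protected=PROTECTED_ATTRIBUTES) -> Tuple[bool, str]:
    """Decide whether a self-service profile update may proceed.

    Returns (allowed, reason). Non-protected attributes are allowed on the
    session alone; any protected attribute requires a fresh re-authentication,
    so a stolen session cannot redirect password-reset email or SMS.
    """
    now = time.time() if now is None else now
    sensitive = sorted(protected_changes(changes, protected))
    if not sensitive:
        return True, "no protected attributes touched"
    if reauth_is_fresh(session, now):
        return True, "protected attributes %s permitted after re-authentication" % sensitive
    return False, "re-authentication required to change %s" % sensitive


if __name__ == "__main__":
    # Constructed sample: a session with no step-up tries to change its email.
    hijacked = Session("alice", authenticated_at=1000.0)
    print(evaluate_profile_update(hijacked, {"mail": "new@example.test"}, now=1100.0))
```

A realm-level deployment would load the protected set from the realm's Profile Management configuration rather than a constant; the decision logic is the same.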
