On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:

> Hi,
>
> Currently we are working on implementing the C5 user portal in IS. Appreciate
> your suggestions/ideas for the following concerns regarding challenge
> questions.
>
> *1) Is it necessary to include challenge questions in IS 6.0.0 as a
> recovery option?*
> Seems like secret questions are neither secure nor reliable enough to be
> used as an account recovery mechanism. And also most of the vendors have
> completely removed support for security questions, including Google. In C5,
> security question sets will somewhat strengthen the recovery and make
> it hard to guess the questions. But it seems we need to consider whether it
> needs to be implemented or not.
>

If challenge questions are unlikely to be used in a real deployment due to security vulnerabilities, I think we should not implement it. Especially considering the effort to implement the feature (e.g. challenge questions presentation flow, internationalization).

>
> *2) Is it necessary to include security questions in the user self sign-up
> page? If needed, is the following way appropriate?*
> As we have planned, in C5, admin can create several security question sets
> and can configure the minimum number of questions that need to be answered
> by a user. So in the self sign-up UI, when populating security questions for
> a user,
>
> - security questions need to be categorized according to the security
>   question sets
> - all the sets need to be populated for the user
> - user can select any number of security questions from different sets,
>   not from the same set
> - need to validate whether the user has answered the minimum
>   number of questions
>
> Appreciate your ideas on this.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email [email protected]
> Mobile 0772182255
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>

--
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

mobile : +94775615183
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
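The sign-up rules listed under point 2 of the thread, written as a server-side check. This is an added example, not part of the original messages and not WSO2 code. It assumes "from different sets, not from the same set" means at most one answered question per set; `QuestionSet`, `validate_signup_answers` and all question and set IDs are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuestionSet:
    set_id: str
    question_ids: frozenset  # IDs of the questions the admin put in this set


def validate_signup_answers(question_sets, answers, min_required):
    """Return a list of rule violations (empty list = submission accepted).

    answers maps question_id -> answer text as submitted by the sign-up form.
    Assumption: "different sets, not the same set" = at most one question per set.
    """
    # With one question per set, a minimum above the set count can never be met.
    if not 1 <= min_required <= len(question_sets):
        raise ValueError("min_required must be between 1 and the number of sets")

    owner = {q: s.set_id for s in question_sets for q in s.question_ids}
    errors, used_sets, valid = [], {}, 0
    for qid, answer in answers.items():
        set_id = owner.get(qid)
        if set_id is None:
            # Never trust IDs from the client; only admin-defined questions count.
            errors.append(f"unknown question: {qid}")
        elif set_id in used_sets:
            errors.append(f"{qid} and {used_sets[set_id]} are both from {set_id}")
        elif not answer or not answer.strip():
            errors.append(f"empty answer for {qid}")
        else:
            used_sets[set_id] = qid
            valid += 1
    if valid < min_required:
        errors.append(f"answered {valid} question(s), minimum is {min_required}")
    return errors


# Constructed sample configuration and submissions (not from a real deployment).
SETS = [
    QuestionSet("set1", frozenset({"city_born", "first_school"})),
    QuestionSet("set2", frozenset({"fav_food", "fav_book"})),
    QuestionSet("set3", frozenset({"pet_name"})),
]

if __name__ == "__main__":
    print(validate_signup_answers(SETS, {"city_born": "Kandy", "fav_book": "Dune"}, 2))
    print(validate_signup_answers(SETS, {"city_born": "Kandy", "first_school": "X"}, 2))
```

The upfront range check catches an admin configuration where the required minimum exceeds the number of sets, which would otherwise make sign-up impossible under the one-per-set rule.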
