Security questions are a thing of the past. Google and Facebook have both removed their security-question-based password recovery mechanisms. [1] [2] So, +1 to drop this support in IS 6.
[1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
[2] https://www.facebook.com/help/community/question/?id=815382261879187

On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>
>
> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> Currently we are working on implementing the C5 user portal in IS. Appreciate your suggestions/ideas for the following concerns regarding challenge questions.
>>
>> *1) Is it necessary to include challenge questions in IS 6.0.0 as a recovery option?*
>> Seems like secret questions are neither secure nor reliable enough to be used as an account recovery mechanism. And also most of the vendors have completely removed support for security questions, including Google. In C5, security question sets will somewhat strengthen the recovery and make it hard to guess the questions. But it seems like we need to consider whether it needs to be implemented or not.
>>
> I personally have never used a security question to recover any of the accounts of which I forgot passwords. It's always a recovery through email or mobile. Therefore I don't see this as a valuable feature.
>
>> *2) Is it necessary to include security questions in the user self sign-up page? If needed, is the following way appropriate?*
>> As we have planned, in C5, the admin can create several security question sets and can configure the minimum number of questions that need to be answered by a user. So that in the self sign-up UI, when populating security questions to a user,
>>
>> - security questions need to be categorized according to the security question sets
>> - all the sets need to be populated for the user
>> - the user can select any number of security questions from different sets, not from the same set
>> - need to validate whether the user has answered the minimum number of questions
>>
> When an answer to a question is personal, the question itself is probably personal too. Therefore I don't think an admin can decide on what questions are to be asked from you. It's unlikely you'll remember an answer to a question which is not very relevant to you. If we're doing this (I'm negative on implementing the feature itself too :)), I think we should let the user decide his own questions and answers.
>
>> Appreciate your ideas on this.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email [email protected]
>> Mobile 0772182255
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
*Kasun Gajasinghe*
Associate Technical Lead, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
phone: +1 650-745-4499, 77 678 0813
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
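The four self sign-up rules Indunil lists above (questions grouped by set, all sets shown, at most one question per set, a configured minimum answered) reduce to a small validation routine. The following is an added example written for this page; it is not code from the thread, from WSO2 IS or from C5, and it is in Python rather than the product's Java because the logic is generic. The set names, question ids, question text and the minimum of 2 are constructed sample values. It goes slightly beyond the thread in one respect a practitioner would expect: answers are normalized and stored only as salted PBKDF2 hashes, and recovery-time verification compares every enrolled answer in constant time rather than stopping at the first mismatch.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed sample question sets (hypothetical ids and text, not from the thread).
QUESTION_SETS: Dict[str, Dict[str, str]] = {
    "set1": {"q1": "What was the name of your first school?",
             "q2": "In which city were you born?"},
    "set2": {"q3": "What is the name of your first pet?",
             "q4": "What was your childhood nickname?"},
    "set3": {"q5": "What is the title of your favourite book?"},
}
MIN_ANSWERS = 2            # admin-configured minimum (assumed value)
PBKDF2_ITERATIONS = 100_000

Submission = List[Tuple[str, str, str]]          # (set_id, question_id, answer)
Record = Dict[Tuple[str, str], Tuple[bytes, bytes]]  # (set_id, question_id) -> (salt, hash)


class ChallengeError(ValueError):
    """Raised when a sign-up submission violates the challenge-question rules."""


def normalize_answer(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Rover' and '  rover ' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def validate_selection(submission: Submission,
                       question_sets: Dict[str, Dict[str, str]] = QUESTION_SETS,
                       min_answers: int = MIN_ANSWERS) -> List[Tuple[str, str]]:
    """Enforce the sign-up rules: each question must belong to the set it is submitted
    under, no two questions may come from the same set, every answer must be non-empty,
    and at least min_answers questions must be answered. Returns the accepted keys."""
    seen_sets = set()
    accepted: List[Tuple[str, str]] = []
    for set_id, question_id, answer in submission:
        if set_id not in question_sets or question_id not in question_sets[set_id]:
            raise ChallengeError(f"unknown question {question_id!r} in set {set_id!r}")
        if set_id in seen_sets:
            raise ChallengeError(f"more than one question selected from set {set_id!r}")
        if not normalize_answer(answer):
            raise ChallengeError(f"empty answer for question {question_id!r}")
        seen_sets.add(set_id)
        accepted.append((set_id, question_id))
    if len(accepted) < min_answers:
        raise ChallengeError(f"{len(accepted)} question(s) answered, minimum is {min_answers}")
    return accepted


def enroll(submission: Submission,
           question_sets: Dict[str, Dict[str, str]] = QUESTION_SETS,
           min_answers: int = MIN_ANSWERS) -> Record:
    """Validate the sign-up submission and return the record to persist (hashes only)."""
    validate_selection(submission, question_sets, min_answers)
    return {(set_id, qid): hash_answer(answer) for set_id, qid, answer in submission}


def verify(record: Record, responses: Dict[Tuple[str, str], str]) -> bool:
    """Account recovery: every enrolled question must be answered correctly.
    No early exit and constant-time digest comparison, so timing does not reveal
    which answer was wrong. A missing response is treated as the empty answer."""
    ok = True
    for key, (salt, expected) in record.items():
        _, actual = hash_answer(responses.get(key, ""), salt)
        ok &= hmac.compare_digest(actual, expected)
    return ok


if __name__ == "__main__":
    rec = enroll([("set1", "q1", "Rover"), ("set2", "q3", " lincoln ")])
    print("all correct:", verify(rec, {("set1", "q1"): "ROVER", ("set2", "q3"): "Lincoln"}))
    print("one wrong:  ", verify(rec, {("set1", "q1"): "ROVER", ("set2", "q3"): "Hudson"}))
    try:
        validate_selection([("set1", "q1", "a"), ("set1", "q2", "b")])
    except ChallengeError as e:
        print("rejected:", e)
```

Nuwan's alternative, letting the user write the question text, fits the same shape: the question text becomes part of the stored record and only the answer is hashed; the per-set and minimum-count checks are unchanged.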
