On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <[email protected]>
wrote:

> Hi All,
>
> Though challenge questions are not a secure mechanism, this is basic stuff
> clients expect from an IAM solution.
> And having another recovery mechanism with this can help to make it strong
> as well.
>
> So I'm still doubtful about dropping this. And if we are completely dropping
> this, we should have first-class support for other
> recovery mechanisms and document this well.
>

That's the idea, right? I was under the impression that we will at least
have an email-based recovery mechanism in place. If we're saying challenge
questions are our primary mode of account recovery, that's not right IMO.
AFAIS, challenge questions are 'good to have' and email recovery is 'must
have'.

>
> -Ishara
>
> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <[email protected]>
> wrote:
>
>> If everyone had it in the past and is no longer using it, big +1 for removing
>> it. The only concern is about existing customers. If we can explain the
>> rationale behind removing it, we are in the clear, I guess.
>>
>> @Sewmini
>> Yes, there is a reviewed user story for this. But when we discussed
>> some implementation details today, we realized that a lot of people had this
>> and removed it due to vulnerabilities in it. Hence Indunil started this
>> discussion.
>>
>> Thanks & Regards
>> Danushka Fernando
>> Senior Software Engineer
>> WSO2 inc. http://wso2.com/
>> Mobile : +94716332729
>>
>>
>>
>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]> wrote:
>>
>>>
>>> Security questions are a thing of the past. Google and Facebook have all
>>> removed the security-question-based password recovery mechanisms. [1]
>>> [2]  So, +1 to drop this support in IS 6.
>>>
>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>
>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>> I'd appreciate your suggestions/ideas on the following concerns regarding
>>>>> challenge questions.
>>>>>
>>>>> *1)  Is it necessary to include challenge questions in IS 6.0.0 as a
>>>>> recovery option?*
>>>>> It seems that secret questions are neither secure nor reliable enough to
>>>>> be used as an account recovery mechanism. Also, most vendors have
>>>>> completely removed support for security questions, including Google. In C5,
>>>>> security question sets will somewhat strengthen the recovery and make
>>>>> it hard to guess the questions. But it seems we need to consider whether it
>>>>> needs to be implemented or not.
>>>>>
>>>>
>>>> I personally have never used a security question to recover any of the
>>>> accounts whose passwords I forgot. It's always a recovery through email
>>>> or mobile. Therefore I don't see this as a valuable feature.
>>>>
>>>>>
>>>>> *2)  Is it necessary to include security questions in the user self
>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>> As we have planned, in C5, the admin can create several security question
>>>>> sets and can configure the minimum number of questions that need to be
>>>>> answered by a user. So in the self sign-up UI, when populating security
>>>>> questions for a user,
>>>>>
>>>>>    - security questions need to be categorized according to the
>>>>>    security question sets
>>>>>    - all the sets need to be populated for the user
>>>>>    - the user can select any number of security questions from different
>>>>>    sets, not from the same set
>>>>>    - need to validate whether the user has answered the minimum
>>>>>    number of questions
>>>>>
>>>> When an answer to a question is personal, the question itself is
>>>> probably personal too. Therefore I don't think an admin can decide what
>>>> questions are to be asked of you. It's unlikely you'll remember an answer to a
>>>> question which is not very relevant to you. If we're doing this (I'm
>>>> negative on implementing the feature itself too :)), I think we should let
>>>> the user decide his own questions and answers.
>>>>
>>>>
>>>>> Appreciate your ideas on this.
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Email    [email protected]
>>>>> Mobile   0772182255
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Kasun Gajasinghe*
>>> Associate Technical Lead, WSO2 Inc.
>>> email: kasung AT spamfree wso2.com
>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>> blog: http://kasunbg.org
>>> phone: +1 650-745-4499, 77 678 0813
>>>
>>>
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>
>
>


-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
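A sketch of the selection rules from Indunil's second point (question sets, a configured minimum, at most one question per set), as an added example that is not part of this thread or of WSO2 IS; the set layout, minimum, helper names and the answer-hashing step are assumptions:

```python
"""Validation for the self-sign-up challenge-question flow sketched in the
thread: admin-defined question sets, a configured minimum number of answered
questions, at most one question per set. Assumed names; not WSO2 IS code."""
import hashlib
import hmac
import os

# Constructed sample configuration: two admin-defined sets, minimum of two answers.
QUESTION_SETS = {
    "set1": {"q1": "Name of your first school?", "q2": "City of birth?"},
    "set2": {"q3": "First pet's name?", "q4": "Favourite teacher?"},
}
MIN_ANSWERS = 2

def set_of(question_id):
    """Return the set a question belongs to, or None if it is not configured."""
    for set_id, questions in QUESTION_SETS.items():
        if question_id in questions:
            return set_id
    return None

def check_selection(answers):
    """answers: {question_id: answer_text}. Returns (ok, reason, sets_used)
    applying the rules from the thread: minimum count, known questions,
    non-empty answers, and no two questions from the same set."""
    if len(answers) < MIN_ANSWERS:
        return False, f"{len(answers)} answered, minimum is {MIN_ANSWERS}", []
    used = []
    for qid, answer in answers.items():
        set_id = set_of(qid)
        if set_id is None:
            return False, f"unknown question {qid}", used
        if not answer.strip():
            return False, f"empty answer for {qid}", used
        if set_id in used:
            return False, f"two questions from {set_id}", used
        used.append(set_id)
    return True, "", used

def hash_answer(answer, salt=None):
    """Store answers like passwords (assumed practice, not from the thread):
    normalise case and whitespace, then salted PBKDF2."""
    salt = salt or os.urandom(16)
    normalised = " ".join(answer.lower().split())
    return salt, hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)

def verify_answer(answer, salt, digest):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
```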