On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>
> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <[email protected]> wrote:
>
>> Hi All,
>>
>> Though a challenge question is not a secure mechanism, this is basic stuff
>> clients expect from an IAM solution. And having another recovery mechanism
>> with this can help to make it strong as well.
>>
>> So I'm still in doubt on dropping this. And if we are completely dropping
>> this, we should have first class support for other recovery mechanisms,
>> well documented.
>
> That's the idea right? I was under the impression that we will at least
> have an email based recovery mechanism in place. If we're saying challenge
> questions are our primary mode of account recovery, that's not right IMO.
> AFAIS, challenge questions are 'good to have' and email recovery is 'must
> have'.

Yes, a challenge question should not be a primary mechanism. But still it's
better to be available in the product.

>> -Ishara
>>
>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <[email protected]> wrote:
>>
>>> If everyone had it in the past and is no longer using it, big +1 for
>>> removing it. Only concern is about existing customers. If we can explain
>>> the rationale behind removing it we are in the clear, I guess.
>>>
>>> @Sewmini
>>> Yes, there is a reviewed user story for this. But when we discussed some
>>> implementation details today, we realized that a lot of people had this
>>> and removed it due to vulnerabilities in it. Hence Indunil started this
>>> discussion.
>>>
>>> Thanks & Regards
>>> Danushka Fernando
>>> Senior Software Engineer
>>> WSO2 inc. http://wso2.com/
>>> Mobile : +94716332729
>>>
>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]> wrote:
>>>
>>>> Security questions are a thing of the past. Google, Facebook, they all
>>>> have removed the security-question-based password recovery mechanisms.
>>>> [1] [2] So, +1 to drop this support in IS 6.
>>>>
>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>
>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>>>>
>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>>> Appreciate your suggestions/ideas for the following concerns regarding
>>>>>> challenge questions.
>>>>>>
>>>>>> *1) Is it necessary to include challenge questions in IS 6.0.0 as a
>>>>>> recovery option?*
>>>>>> Seems like secret questions are neither secure nor reliable enough to
>>>>>> be used as an account recovery mechanism. And also most of the vendors
>>>>>> have completely removed support for security questions, including
>>>>>> Google. In C5, security question sets will somewhat strengthen the
>>>>>> recovery and make it hard to guess the questions. But it seems we need
>>>>>> to consider whether it needs to be implemented or not.
>>>>>
>>>>> I personally have never used a security question to recover any of the
>>>>> accounts of which I forgot passwords. It's always a recovery through
>>>>> email or mobile. Therefore I don't see this as a valuable feature.
>>>>>
>>>>>> *2) Is it necessary to include security questions in the user self
>>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>>> As we have planned, in C5, an admin can create several security
>>>>>> question sets and can configure the minimum number of questions that
>>>>>> need to be answered by a user. So, in the self sign-up UI, when
>>>>>> populating security questions for a user:
>>>>>>
>>>>>> - security questions need to be categorized according to the
>>>>>>   security question sets
>>>>>> - all the sets need to be populated for the user
>>>>>> - the user can select any number of security questions from
>>>>>>   different sets, not from the same set
>>>>>> - need to validate whether the user has answered the minimum
>>>>>>   number of questions
>>>>>
>>>>> When an answer to a question is personal, the question itself is
>>>>> probably personal too. Therefore I don't think an admin can decide on
>>>>> what questions are to be asked of you. It's unlikely you'll remember an
>>>>> answer to a question which is not very relevant to you. If we're doing
>>>>> this (I'm negative on implementing the feature itself too :)), I think
>>>>> we should let the user decide his own questions and answers.
>>>>>
>>>>>> Appreciate your ideas on this.
>>>>>>
>>>>>> Thanks and Regards
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email [email protected]
>>>>>> Mobile 0772182255
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>> email : [email protected]
>>>>> Phone : +94 777 775 729
>>>>
>>>> --
>>>>
>>>> *Kasun Gajasinghe*
>>>> Associate Technical Lead, WSO2 Inc.
>>>> email: kasung AT spamfree wso2.com
>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>> blog: http://kasunbg.org
>>>> phone: +1 650-745-4499, 77 678 0813
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
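The self sign-up constraints Indunil lists in the quoted mail (questions grouped by admin-defined set, every set shown to the user, at most one question per set, a configured minimum) as an added example validator; this is not code from WSO2 IS or from anyone in the thread, and the set ids, question texts and minimum of 2 are constructed sample values.

```python
# Added example (not WSO2 IS code): validate a self sign-up challenge
# question selection against admin-defined question sets.

# Constructed sample policy: three admin-defined question sets and a
# required minimum of two answered questions (assumed values).
QUESTION_SETS = {
    "set-1": {"q1": "Name of your first school?", "q2": "First pet's name?"},
    "set-2": {"q3": "City you were born in?", "q4": "Favourite teacher?"},
    "set-3": {"q5": "Make of your first car?"},
}
MIN_ANSWERS = 2


def questions_for_signup(question_sets):
    """Populate every set for the sign-up UI, questions grouped by set id."""
    return {set_id: dict(qs) for set_id, qs in question_sets.items()}


def validate_selection(question_sets, min_answers, answers):
    """Check a user's {question_id: answer} submission against the policy.

    Returns a list of error strings; an empty list means the selection is
    valid. Rules: every id must be a real question (rejects ids not offered
    by the UI), answers must be non-blank, at most one question per set,
    and at least min_answers distinct sets must be covered.
    """
    set_of = {qid: sid for sid, qs in question_sets.items() for qid in qs}
    errors = []
    chosen = {}  # set id -> question id already taken from that set
    for qid, answer in answers.items():
        sid = set_of.get(qid)
        if sid is None:
            errors.append(f"unknown question id {qid!r}")
            continue
        if not answer or not answer.strip():
            errors.append(f"empty answer for {qid!r}")
            continue
        if sid in chosen:
            errors.append(f"{chosen[sid]!r} and {qid!r} are both from {sid!r}")
            continue
        chosen[sid] = qid
    if len(chosen) < min_answers:
        errors.append(f"answered {len(chosen)} question(s), minimum is {min_answers}")
    return errors


if __name__ == "__main__":
    print(validate_selection(QUESTION_SETS, MIN_ANSWERS, {"q1": "Kandy", "q3": "Colombo"}))
    print(validate_selection(QUESTION_SETS, MIN_ANSWERS, {"q1": "Kandy", "q2": "Rex"}))
```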
