Hi Rushmin, On Thu, Jan 19, 2017 at 9:48 AM, Rushmin Fernando <[email protected]> wrote:
> Hi Ishara,
>
> Since challenge questions themselves are insecure, customers will not use
> only that feature in a production system. So IMO it is not a 'good to have'
> option even.
>
> When I tried to reset my Salesforce password yesterday, they emailed me a
> link and it took me to a page with my security questions. So it was an *email
> + security questions* solution.
>

Yes, security questions are still used. So if someone feels that it's insecure, we can
strengthen the security of the flow using SMS or email. But it's a decision for the people
who use it (and we can guide them) to make. As an IAM solution I think we still need this.

-Ishara

> But my guess is they might be using an existing security questions feature
> of theirs.
>
> In our case, we have still not implemented it. So I'm -1 for implementing
> challenge questions.
>
> On Wed, Jan 18, 2017 at 11:41 PM, Ishara Karunarathna <[email protected]>
> wrote:
>
>> On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>>
>>> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <[email protected]>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Though challenge questions are not a secure mechanism, this is basic stuff
>>>> clients expect from an IAM solution.
>>>> And having another recovery mechanism with this can help to make it
>>>> strong as well.
>>>>
>>>> So I still have doubts about dropping this. And if we are completely dropping
>>>> this, we should have first class support for other
>>>> recovery mechanisms, and be well documented on this.
>>>>
>>> That's the idea, right? I was under the impression that we will at least
>>> have an email based recovery mechanism in place. If we're saying challenge
>>> questions are our primary mode of account recovery, that's not right IMO.
>>> AFAIS, challenge questions are 'good to have' and email recovery is 'must
>>> have'.
>>>
>> Yes, challenge questions should not be a primary mechanism. But it's still
>> better to have them available in the product.
>>
>>>> -Ishara
>>>>
>>>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <[email protected]>
>>>> wrote:
>>>>
>>>>> If everyone had it in the past and is no longer using it, big +1 for removing
>>>>> it. The only concern is about existing customers. If we can explain the
>>>>> rationale behind removing it we are in the clear, I guess.
>>>>>
>>>>> @Sewmini
>>>>> Yes, there is a reviewed user story for this. But when we discussed
>>>>> some implementation details today, we realized that a lot of people had this
>>>>> and removed it due to vulnerabilities in it. Hence Indunil started this
>>>>> discussion.
>>>>>
>>>>> Thanks & Regards
>>>>> Danushka Fernando
>>>>> Senior Software Engineer
>>>>> WSO2 inc. http://wso2.com/
>>>>> Mobile : +94716332729
>>>>>
>>>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]> wrote:
>>>>>
>>>>>> Security questions are a thing of the past. Google, Facebook, they all
>>>>>> have removed the security questions based password recovery mechanisms.
>>>>>> [1] [2] So, +1 to drop this support in IS 6.
>>>>>>
>>>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>>>
>>>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>>>>>>
>>>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>>>>> Appreciate your suggestions/ideas for the following concerns regarding
>>>>>>>> challenge questions.
>>>>>>>>
>>>>>>>> *1) Is it necessary to include challenge questions in IS 6.0.0 as
>>>>>>>> a recovery option?*
>>>>>>>> Seems like secret questions are neither secure nor reliable enough
>>>>>>>> to be used as an account recovery mechanism. And also most of the vendors
>>>>>>>> have completely removed support for security questions, including Google. In
>>>>>>>> C5, security question sets will somewhat strengthen the recovery and
>>>>>>>> make it hard to guess the questions. But it seems we need to consider
>>>>>>>> whether it needs to be implemented or not.
>>>>>>>>
>>>>>>> I personally have never used a security question to recover any of
>>>>>>> the accounts for which I forgot passwords. It's always a recovery through
>>>>>>> email or mobile. Therefore I don't see this as a valuable feature.
>>>>>>>
>>>>>>>> *2) Is it necessary to include security questions in the user self
>>>>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>>>>> As we have planned, in C5, an admin can create several security
>>>>>>>> question sets and can configure the minimum number of questions that need
>>>>>>>> to be answered by a user. So in the self sign-up UI, when populating
>>>>>>>> security questions for a user,
>>>>>>>>
>>>>>>>> - security questions need to be categorized according to the
>>>>>>>> security question sets
>>>>>>>> - all the sets need to be populated for the user
>>>>>>>> - the user can select any number of security questions from
>>>>>>>> different sets, not from the same set
>>>>>>>> - need to validate whether the user has answered the
>>>>>>>> minimum number of questions
>>>>>>>>
>>>>>>> When an answer to a question is personal, the question itself is
>>>>>>> probably personal too. Therefore I don't think an admin can decide on what
>>>>>>> questions are to be asked of you. It's unlikely you'll remember an answer to a
>>>>>>> question which is not very relevant to you. If we're doing this (I'm
>>>>>>> negative on implementing the feature itself too :)), I think we should let
>>>>>>> the user decide his own questions and answers.
>>>>>>>
>>>>>>>> Appreciate your ideas on this.
>>>>>>>>
>>>>>>>> Thanks and Regards
>>>>>>>> --
>>>>>>>> Indunil Upeksha Rathnayake
>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>> Email [email protected]
>>>>>>>> Mobile 0772182255
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>> --
>>>>>>> Nuwan Dias
>>>>>>>
>>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>>> email : [email protected]
>>>>>>> Phone : +94 777 775 729
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Kasun Gajasinghe* Associate Technical Lead, WSO2 Inc.
>>>>>> email: kasung AT spamfree wso2.com
>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>> blog: http://kasunbg.org
>>>>>> phone: +1 650-745-4499, 77 678 0813
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>
>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile:
>>>> +94717996791
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
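Two concrete things are sketched in the thread above: Indunil's second point lays out the sign-up rules for admin-defined security question sets (questions grouped by set, a configured minimum number of answers, no two questions from the same set), and Ishara's reply, like the Salesforce reset Rushmin describes, puts the questions behind an email link rather than using them alone. The model below is an added illustration written for this page; it is not code from WSO2 Identity Server, the C5 user portal, or any participant. The question sets, the minimum of 2, the attempt cap of 3, the email token string and the PBKDF2 iteration count are constructed values. Hashing the stored answers, normalizing them before comparison, and capping failed attempts are the practitioner's additions, not rules the thread itself states.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for admin-defined "security question sets" (hypothetical
# data; IS does not store them this way). Each set maps question id -> text.
QUESTION_SETS = {
    "set1": {"q1": "Name of your first pet?", "q2": "Street you grew up on?"},
    "set2": {"q3": "Mother's maiden name?", "q4": "Name of your first school?"},
    "set3": {"q5": "City you were born in?", "q6": "Favourite teacher's surname?"},
}
MIN_ANSWERS = 2          # assumed admin-configured minimum
MAX_ATTEMPTS = 3         # assumed cap on wrong answer rounds per recovery
PBKDF2_ITERATIONS = 100_000


def set_of(question_id):
    """Return the set a question belongs to; unknown ids are rejected."""
    for set_id, questions in QUESTION_SETS.items():
        if question_id in questions:
            return set_id
    raise ValueError(f"unknown question id {question_id!r}")


def validate_selection(question_ids):
    """Enforce the sign-up rules from the thread: at least MIN_ANSWERS
    questions, every one of them drawn from a different set."""
    if len(question_ids) < MIN_ANSWERS:
        return False, "fewer than the minimum number of questions answered"
    sets = [set_of(q) for q in question_ids]
    if len(set(sets)) != len(sets):
        return False, "more than one question chosen from the same set"
    return True, "ok"


def normalize(answer):
    # Case-fold, Unicode-normalize and collapse whitespace so that "Fluffy "
    # and "fluffy" are the same answer; answers are low-entropy already, so
    # do not make the user fail on trivia.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 of the normalized answer; never store answers in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def enroll(answers):
    """answers: {question_id: plaintext}. Returns {question_id: (salt, digest)}
    or raises ValueError if the selection breaks the set rules."""
    ok, reason = validate_selection(list(answers))
    if not ok:
        raise ValueError(reason)
    return {qid: hash_answer(ans) for qid, ans in answers.items()}


class RecoveryFlow:
    """Email link first, then the questions: the answers are never checked
    until the emailed token has been presented, and rounds are capped."""

    def __init__(self, record, email_token):
        self.record = record
        self.email_token = email_token     # token the recovery email carried
        self.email_verified = False
        self.attempts = 0
        self.locked = False

    def present_email_token(self, token):
        self.email_verified = hmac.compare_digest(token, self.email_token)
        return self.email_verified

    def answer_questions(self, answers):
        """True only if every enrolled question is answered correctly."""
        if not self.email_verified or self.locked:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self.locked = True
            return False
        all_ok = True
        # Check every question even after a mismatch so timing does not
        # reveal which one was wrong; each compare is constant-time.
        for qid, (salt, digest) in self.record.items():
            _, candidate = hash_answer(answers.get(qid, ""), salt)
            if not hmac.compare_digest(candidate, digest):
                all_ok = False
        return all_ok
```

Usage: `record = enroll({"q1": "Fluffy", "q3": "Smith"})` at sign-up, then at recovery `flow = RecoveryFlow(record, token_from_email)`; `flow.present_email_token(...)` must succeed before `flow.answer_questions({...})` will return True. Enrolling `{"q1": ..., "q2": ...}` raises, because both questions come from `set1`.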
