Do we have a few examples of the type of questions an admin will ask?

On Thu, Jan 19, 2017 at 11:35 AM, Johann Nallathamby <[email protected]>
wrote:

>
>
> On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne <[email protected]>
> wrote:
>
>> Hi,
>>
>> In my opinion, admin-defined security questions are more secure than
>> user-defined security questions in general, because some users may define
>> simple questions and answers which attackers can guess easily.
>>
>> Still, most of the users who use Identity Server use this feature. So I
>> am -1 to removing the feature completely. We can give the following options, so
>> users can decide the better option for them.
>>
>>    - Email based recovery
>>    - Security Question-based recovery
>>    - Email + Security Question based recovery.
>>
>>
> +1 for not removing, for the simple reason that a lot of customers are still
> using this feature. Even new customers are inquiring about the availability of
> this feature. So let's keep it. I also think user-defined questions are not
> secure. When admins define question sets they define those sets based on
> various aspects of the user's life. If users are allowed to define their
> own questions they will define the easiest ones they can remember,
> probably related ones, which will lead to the answers being easily guessed by
> social engineering, which we don't want to happen.
>
> The above 3 options mentioned by Isura are good. Still, I don't think we
> support option 3 in C4. So let's create a user story in Redmine, keep it,
> and later decide if we have the time to implement it.
>
> Regards,
> Johann.
>
>>
>> Thanks
>> Isura.
>>
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: [email protected]
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>> On Thu, Jan 19, 2017 at 9:48 AM, Rushmin Fernando <[email protected]>
>> wrote:
>>
>>> Hi Ishara,
>>>
>>> Since challenge questions themselves are insecure, customers will not
>>> use only that feature in a production system. So IMO it is not even a 'good
>>> to have' option.
>>>
>>> When I tried to reset my Salesforce password yesterday, they emailed me
>>> a link and it took me to a page with my security questions. So it was an
>>> *email + security questions* solution.
>>>
>>> But my guess is they might be using an existing security questions
>>> feature of theirs.
>>>
>>> In our case, we have still not implemented it. So I'm -1 for
>>> implementing challenge questions.
>>>
>>> On Wed, Jan 18, 2017 at 11:41 PM, Ishara Karunarathna <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Though challenge questions are not a secure mechanism, this is basic
>>>>>> stuff clients expect from an IAM solution.
>>>>>> And having another recovery mechanism along with this can help to make it
>>>>>> strong as well.
>>>>>>
>>>>>> So I still doubt dropping this. And if we are completely
>>>>>> dropping this, we should have first-class support for other
>>>>>> recovery mechanisms, well documented.
>>>>>>
>>>>>
>>>>> That's the idea, right? I was under the impression that we will at
>>>>> least have an email-based recovery mechanism in place. If we're saying
>>>>> challenge questions are our primary mode of account recovery, that's not
>>>>> right IMO. AFAIS, challenge questions are 'good to have' and email recovery
>>>>> is 'must have'.
>>>>>
>>>> Yes, challenge questions should not be a primary mechanism. But still it's
>>>> better for them to be available in the product.
>>>>
>>>>>
>>>>>> -Ishara
>>>>>>
>>>>>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> If everyone had it in the past and is no longer using it, big +1 for
>>>>>>> removing it. The only concern is about existing customers. If we can explain
>>>>>>> the rationale behind removing it we are in the clear, I guess.
>>>>>>>
>>>>>>> @Sewmini
>>>>>>> Yes, there is a reviewed user story for this. But when we discussed
>>>>>>> some implementation details today, we realized that a lot of people had
>>>>>>> this and removed it due to vulnerabilities in it. Hence Indunil started
>>>>>>> this discussion.
>>>>>>>
>>>>>>> Thanks & Regards
>>>>>>> Danushka Fernando
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 inc. http://wso2.com/
>>>>>>> Mobile : +94716332729
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Security questions are a thing of the past. Google, Facebook, they have
>>>>>>>> all removed the security-question-based password recovery mechanisms
>>>>>>>> [1] [2]. So, +1 to drop this support in IS 6.
>>>>>>>>
>>>>>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>>>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>>>>>
>>>>>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>>>>>>> Appreciate your suggestions/ideas for the following concerns regarding
>>>>>>>>>> challenge questions.
>>>>>>>>>>
>>>>>>>>>> *1)  Is it necessary to include challenge questions in IS 6.0.0
>>>>>>>>>> as a recovery option?*
>>>>>>>>>> It seems secret questions are neither secure nor reliable
>>>>>>>>>> enough to be used as an account recovery mechanism. Also, most of the
>>>>>>>>>> vendors have completely removed support for security questions, including
>>>>>>>>>> Google. In C5, security question sets will somewhat strengthen the
>>>>>>>>>> recovery and make it hard to guess the questions. But it seems we need
>>>>>>>>>> to consider whether it needs to be implemented or not.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I personally have never used a security question to recover any of
>>>>>>>>> the accounts of which I forgot passwords. It's always a recovery through
>>>>>>>>> email or mobile. Therefore I don't see this as a valuable feature.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *2)  Is it necessary to include security questions in the user self
>>>>>>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>>>>>>> As we have planned, in C5, the admin can create several security
>>>>>>>>>> question sets and can configure the minimum number of questions that need
>>>>>>>>>> to be answered by a user. So in the self sign-up UI, when populating
>>>>>>>>>> security questions for a user,
>>>>>>>>>>
>>>>>>>>>>    - security questions need to be categorized according to the
>>>>>>>>>>    security question sets
>>>>>>>>>>    - all the sets need to be populated for the user
>>>>>>>>>>    - the user can select any number of security questions from
>>>>>>>>>>    different sets, not from the same set
>>>>>>>>>>    - need to validate whether the user has answered the
>>>>>>>>>>    minimum number of questions
>>>>>>>>>>
>>>>>>>>> When an answer to a question is personal, the question itself is
>>>>>>>>> probably personal too. Therefore I don't think an admin can decide on what
>>>>>>>>> questions to be asked from you. It's unlikely you'll remember an answer to a
>>>>>>>>> question which is not very relevant to you. If we're doing this (I'm
>>>>>>>>> negative on implementing the feature itself too :)), I think we should let
>>>>>>>>> the user decide his own questions and answers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Appreciate your ideas on this.
>>>>>>>>>>
>>>>>>>>>> Thanks and Regards
>>>>>>>>>> --
>>>>>>>>>> Indunil Upeksha Rathnayake
>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>> Email    [email protected]
>>>>>>>>>> Mobile   0772182255
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Dev mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Nuwan Dias
>>>>>>>>>
>>>>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>>>>> email : [email protected]
>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Kasun Gajasinghe*, Associate Technical Lead, WSO2 Inc.
>>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>>> blog: http://kasunbg.org
>>>>>>>> phone: +1 650-745-4499, 77 678 0813
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
>>>>>> +94717996791
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>> email : [email protected]
>>>>> Phone : +94 777 775 729
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Best Regards*
>>>
>>> *Rushmin Fernando*
>>> *Technical Lead*
>>>
>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>
>>> mobile : +94775615183
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
>
>


-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
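The sign-up rules Indunil lists above (admin-defined question sets, a configurable minimum number of answered questions, at most one question per set) and the "email + security question" recovery option that Isura and Rushmin describe, put together as one runnable sketch. This is an added example written for this page; it is not code from this thread or from WSO2 Identity Server, and the set names, question ids, answer-hashing parameters, token format, attempt limit and token lifetime are all assumptions made here.

```python
"""Challenge-question enrolment plus "email + security question" recovery.

Added example, not WSO2 Identity Server code. Question sets, ids, the
recovery-token format, attempt limit and TTL are assumptions made here.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

# Constructed admin-defined question sets (set id -> question id -> text).
QUESTION_SETS = {
    "childhood": {"q1": "Name of your first school?",
                  "q2": "Street you grew up on?"},
    "family":    {"q3": "Mother's maiden name?",
                  "q4": "First pet's name?"},
    "work":      {"q5": "City of your first job?"},
}
MIN_REQUIRED = 2        # admin-configured minimum number of answered questions
MAX_ATTEMPTS = 3        # answer guesses allowed per emailed recovery token
TOKEN_TTL = 15 * 60     # seconds an emailed recovery link stays valid


def _set_of(question_id):
    """Return the set id that owns question_id, or None if it is unknown."""
    for set_id, questions in QUESTION_SETS.items():
        if question_id in questions:
            return set_id
    return None


def validate_selection(answers):
    """Self sign-up rules: known questions only, at most one question per
    set, no blank answers, at least MIN_REQUIRED questions answered.
    Returns a list of error strings; an empty list means valid."""
    errors, used_sets = [], set()
    for qid, answer in answers.items():
        set_id = _set_of(qid)
        if set_id is None:
            errors.append(f"unknown question {qid}")
            continue
        if set_id in used_sets:
            errors.append(f"more than one question from set {set_id}")
        used_sets.add(set_id)
        if not answer or not answer.strip():
            errors.append(f"blank answer for {qid}")
    if len(answers) < MIN_REQUIRED:
        errors.append(f"need at least {MIN_REQUIRED} questions, got {len(answers)}")
    return errors


def normalize(answer):
    """Case-fold and collapse whitespace so 'Royal  College' == 'royal college'."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def hash_answer(answer, salt=None):
    """Answers are low-entropy secrets: store them salted and stretched like
    passwords, never in clear text. Returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest


@dataclass
class RecoveryTicket:
    """State behind one emailed recovery link: token, issue time, guess budget."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    issued_at: float = field(default_factory=time.time)
    attempts: int = 0
    consumed: bool = False


def enroll(answers):
    """Validate the selection and return {question id: (salt, digest)}."""
    errors = validate_selection(answers)
    if errors:
        raise ValueError("; ".join(errors))
    return {qid: hash_answer(a) for qid, a in answers.items()}


def recover(stored, ticket, presented_token, presented_answers, now=None):
    """Email + security questions: the emailed token AND every enrolled answer
    must match. Comparisons are constant-time; the token expires, is
    single-use, and permits only MAX_ATTEMPTS guesses."""
    now = time.time() if now is None else now
    if ticket.consumed or now - ticket.issued_at > TOKEN_TTL:
        return False
    if ticket.attempts >= MAX_ATTEMPTS:
        return False
    ticket.attempts += 1
    ok = hmac.compare_digest(ticket.token, presented_token)
    # Check every enrolled question even after a mismatch so response time
    # does not reveal which answer was wrong.
    for qid, (salt, digest) in stored.items():
        _, guess = hash_answer(presented_answers.get(qid, ""), salt)
        ok &= hmac.compare_digest(digest, guess)
    if ok:
        ticket.consumed = True
    return ok
```

The point of `recover` is that neither factor is sufficient on its own: a guessed answer does nothing without the link that was emailed, and the link alone does nothing without the answers, so the combination is strictly stronger than either of the first two options on Isura's list. The attempt budget is tied to the token rather than the account so that an attacker cannot lock a user out by burning guesses before the user opens their own email.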
