On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne <[email protected]> wrote:

> Hi,
>
> In my opinion, admin defined security questions are more secure than
> user-defined security questions in general. Because some users may define
> simple questions and answers which attackers can guess easily.

I don't agree on that :). An admin's questions need to be generic so that they
apply to everybody. Ex: "What's your mother's maiden name?". They can never ask
personalized questions such as "What is the name of the 3rd school you
attended?" because not everybody has attended 3 or more schools. Therefore
answers to admin-defined questions are very easily guessable compared to
user-defined/personalized questions. Yes, users can be lazy and define easy
questions, but we can easily get around that by putting simple advice along
with a few examples like the one above.

> Still, most of the users who use Identity Server use this feature. So, I
> am -1 to remove the feature completely. We can give the following options, so
> users can decide the better option for them.
>
> - Email based recovery
> - Security Question-based recovery
> - Email + Security Question based recovery.
>
> Thanks
> Isura.
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: [email protected]
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
> On Thu, Jan 19, 2017 at 9:48 AM, Rushmin Fernando <[email protected]> wrote:
>
>> Hi Ishara,
>>
>> Since challenge questions themselves are insecure, customers will not use
>> only that feature in a production system. So IMO it is not a 'good to have'
>> option even.
>>
>> When I tried to reset my Salesforce password yesterday, they emailed me a
>> link and it took me to a page with my security questions. So it was an
>> *email + security questions* solution.
>>
>> But my guess is they might be using an existing security questions
>> feature of theirs.
>>
>> In our case, we have still not implemented it. So I'm -1 for implementing
>> challenge questions.
>>
>> On Wed, Jan 18, 2017 at 11:41 PM, Ishara Karunarathna <[email protected]> wrote:
>>
>>> On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>>>
>>>> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Though challenge questions are not a secure mechanism, this is basic
>>>>> stuff clients expect from an IAM solution.
>>>>> And having another recovery mechanism with this can help to make it
>>>>> strong as well.
>>>>>
>>>>> So I'm still doubtful about dropping this. And if we are completely
>>>>> dropping this, we should have first class support for other
>>>>> recovery mechanisms, and it should be well documented.
>>>>
>>>> That's the idea right? I was under the impression that we will at least
>>>> have an email based recovery mechanism in place. If we're saying challenge
>>>> questions are our primary mode of account recovery, that's not right IMO.
>>>> AFAIS, challenge questions are 'good to have' and email recovery is 'must
>>>> have'.
>>>
>>> Yes, challenge questions should not be a primary mechanism. But still it's
>>> better to be available in the product.
>>>
>>>>> -Ishara
>>>>>
>>>>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <[email protected]> wrote:
>>>>>
>>>>>> If everyone had it in the past and is no longer using it, big +1 for
>>>>>> removing it. The only concern is about existing customers. If we can explain
>>>>>> the rationale behind removing it we are in the clear I guess.
>>>>>>
>>>>>> @Sewmini
>>>>>> Yes there is a reviewed user story for this. But when we discussed
>>>>>> some implementation details today, we realized that a lot of people
>>>>>> had this and removed it due to vulnerabilities in it. Hence Indunil started
>>>>>> this discussion.
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Danushka Fernando
>>>>>> Senior Software Engineer
>>>>>> WSO2 inc. http://wso2.com/
>>>>>> Mobile : +94716332729
>>>>>>
>>>>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]> wrote:
>>>>>>
>>>>>>> Security questions are a thing of the past. Google, Facebook, they
>>>>>>> all have removed the security questions based password recovery
>>>>>>> mechanisms. [1] [2] So, +1 to drop this support in IS 6.
>>>>>>>
>>>>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>>>>
>>>>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>>>>>> Appreciate your suggestions/ideas for the following concerns regarding
>>>>>>>>> challenge questions.
>>>>>>>>>
>>>>>>>>> *1) Is it necessary to include challenge questions in IS 6.0.0 as
>>>>>>>>> a recovery option?*
>>>>>>>>> Seems like secret questions are neither secure nor reliable enough
>>>>>>>>> to be used as an account recovery mechanism. And also most of the
>>>>>>>>> vendors have completely removed support for security questions, including
>>>>>>>>> Google. In C5, security question sets will somewhat strengthen the recovery
>>>>>>>>> and make it hard to guess the questions. But seems like we need to consider
>>>>>>>>> whether it needs to be implemented or not.
>>>>>>>>
>>>>>>>> I personally have never used a security question to recover any of
>>>>>>>> the accounts of which I forgot passwords. It's always a recovery through
>>>>>>>> email or mobile. Therefore I don't see this as a valuable feature.
>>>>>>>>
>>>>>>>>> *2) Is it necessary to include security questions in the user self
>>>>>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>>>>>> As we have planned, in C5, admin can create several security
>>>>>>>>> question sets and can configure the minimum number of questions that
>>>>>>>>> need to be answered by a user. So that in the self sign up UI when populating
>>>>>>>>> security questions to a user,
>>>>>>>>>
>>>>>>>>> - security questions need to be categorized according to the
>>>>>>>>>   security question sets
>>>>>>>>> - all the sets need to be populated for the user
>>>>>>>>> - user can select any number of security questions from
>>>>>>>>>   different sets, not from the same set
>>>>>>>>> - need to validate whether the user has answered the
>>>>>>>>>   minimum number of questions
>>>>>>>>
>>>>>>>> When an answer to a question is personal, the question itself is
>>>>>>>> probably personal too. Therefore I don't think an admin can decide on
>>>>>>>> what questions to be asked from you. It's unlikely you'll remember an answer
>>>>>>>> to a question which is not very relevant to you. If we're doing this (I'm
>>>>>>>> negative on implementing the feature itself too :)), I think we should
>>>>>>>> let the user decide his own questions and answers.
>>>>>>>>
>>>>>>>>> Appreciate your ideas on this.
>>>>>>>>>
>>>>>>>>> Thanks and Regards
>>>>>>>>> --
>>>>>>>>> Indunil Upeksha Rathnayake
>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>> Email [email protected]
>>>>>>>>> Mobile 0772182255
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>> --
>>>>>>>> Nuwan Dias
>>>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>>>> email : [email protected]
>>>>>>>> Phone : +94 777 775 729
>>>>>>>
>>>>>>> --
>>>>>>> *Kasun Gajasinghe*
>>>>>>> Associate Technical Lead, WSO2 Inc.
>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>> blog: http://kasunbg.org
>>>>>>> phone: +1 650-745-4499, 77 678 0813
>>>>>
>>>>> --
>>>>> Ishara Karunarathna
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>>> --
>>>> Nuwan Dias
>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>> --
>> *Best Regards*
>> *Rushmin Fernando*
>> *Technical Lead*
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>> mobile : +94775615183

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
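The "email + security questions" flow Rushmin describes (a single-use link mailed to the user, which then lands on a page asking the enrolled questions), together with the question-set rules Indunil proposes for the C5 self sign-up page (admin-defined sets, a configured minimum number of answers, at most one question per set), as an added example that is not part of this thread and not WSO2 Identity Server code. The set contents, the 15-minute link lifetime, the five-attempt budget and all function names are assumptions made for illustration:

```python
"""Added example (not from the thread or from WSO2 Identity Server).

Models a two-step recovery: step one mails a single-use link, step two asks
the enrolled security questions on the page that link opens. Enrollment
follows the C5 proposal: the admin defines question sets and a minimum
number of answers, and each chosen question must come from a different set.
Set contents, TTL and lockout threshold are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample policy standing in for the admin-defined sets.
QUESTION_SETS = {
    "set1": {"What was the name of your first pet?",
             "What was the make of your first car?"},
    "set2": {"In what city did your parents meet?",
             "What was the name of your primary school?"},
    "set3": {"What is the title of your favourite book?",
             "What was your childhood nickname?"},
}
MIN_ANSWERS = 2           # assumed admin setting
TOKEN_TTL_SECONDS = 900   # assumed: recovery link lives 15 minutes
MAX_ATTEMPTS = 5          # assumed: wrong-answer budget per link


def validate_selection(chosen, sets=QUESTION_SETS, minimum=MIN_ANSWERS):
    """Check a user's choice of (set_id, question) pairs against the policy.
    Returns None when valid, otherwise the first rule broken, as text."""
    if len(chosen) < minimum:
        return f"answer at least {minimum} questions"
    used_sets = set()
    for set_id, question in chosen:
        if question not in sets.get(set_id, ()):
            return f"unknown question in set {set_id!r}"
        if set_id in used_sets:
            return f"pick at most one question from set {set_id!r}"
        used_sets.add(set_id)
    return None


def _normalize(answer):
    # Answers are recalled from memory, so fold case and whitespace.
    return " ".join(answer.lower().split())


def _hash_answer(answer, salt):
    # Answers carry far less entropy than passwords; a memory-hard KDF
    # makes offline guessing against a leaked table expensive.
    return hashlib.scrypt(_normalize(answer).encode(), salt=salt,
                          n=2**14, r=8, p=1)


def enrol(chosen_with_answers):
    """Return (set_id, question, salt, digest) records; plaintext is not kept."""
    problem = validate_selection([(s, q) for s, q, _ in chosen_with_answers])
    if problem:
        raise ValueError(problem)
    records = []
    for set_id, question, answer in chosen_with_answers:
        salt = secrets.token_bytes(16)
        records.append((set_id, question, salt, _hash_answer(answer, salt)))
    return records


class RecoveryService:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # user -> [token_sha256, expires_at, failed_attempts]

    def start_recovery(self, user):
        """Step 1: mint the token for the e-mailed link; store only its hash."""
        token = secrets.token_urlsafe(32)
        self.pending[user] = [hashlib.sha256(token.encode()).digest(),
                              self.now() + TOKEN_TTL_SECONDS, 0]
        return token

    def finish_recovery(self, user, token, answers, records):
        """Step 2: the link token AND every enrolled answer must match.
        Every failure returns the same False, so the caller cannot tell
        which factor failed; the link is burnt after MAX_ATTEMPTS misses."""
        state = self.pending.get(user)
        if state is None:
            return False
        token_digest, expires_at, failed = state
        if self.now() > expires_at or failed >= MAX_ATTEMPTS:
            self.pending.pop(user, None)
            return False
        ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(),
                                 token_digest)
        # Check every answer even after a mismatch, so timing does not
        # reveal how many were right.
        for _set_id, question, salt, digest in records:
            given = answers.get(question, "")
            ok &= hmac.compare_digest(_hash_answer(given, salt), digest)
        if ok:
            self.pending.pop(user, None)   # single use
            return True
        state[2] += 1
        return False
```

The point of the structure is that the questions alone never unlock anything: `finish_recovery` requires the mailed token to verify as well, so a guessable answer only helps an attacker who also controls the mailbox, which is the property Rushmin's Salesforce observation relies on. Storing salted scrypt output rather than the answers themselves limits the damage if the table leaks, and the per-link attempt budget keeps online guessing of low-entropy answers bounded.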
