Hi Nuwan,

On Fri, Jan 20, 2017 at 1:49 PM, Nuwan Dias <[email protected]> wrote:

>
>
> On Fri, Jan 20, 2017 at 1:01 PM, Isura Karunaratne <[email protected]> wrote:
>
>> Hi Nuwan,
>>
>>
>>
>>
>> On Fri, Jan 20, 2017 at 11:48 AM, Nuwan Dias <[email protected]> wrote:
>>
>>>
>>>
>>> On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> In my opinion, admin defined security questions are more secure than
>>>> user-defined security questions in general, because some users may define
>>>> simple questions and answers which attackers can guess easily.
>>>>
>>>
>>> I don't agree on that :). An admin's questions need to be generic so
>>> that they apply to everybody, e.g. "What's your mother's maiden name?". They
>>> can never ask personalized questions such as "What is the name of the 3rd
>>> school you attended?" because not everybody has attended 3 or more schools.
>>> Therefore answers to admin defined questions are very easily guessable
>>> compared to user-defined/personalized questions.
>>>
>>> Yes, users can be lazy and define easy questions, but we can easily get
>>> around that by putting simple advice along with a few examples like the
>>> one above.
>>>
>>
>> I agree with you if all the users are concerned about their security and
>> provide good questions as you mentioned, but that's not the general
>> behaviour. We can't guarantee that all users will provide good questions.
>>
>
> If answers to admin defined questions are easily guessable, and if answers
> to "easy" user defined questions are also guessable, there's nothing we
> gain by making an admin govern the questions. If we let users define the
> questions, and influence them to come up with hard enough ones, at least
> the careful users will be secure.
>
Yes, in both ways there are pros and cons, but admin defined questions will
provide the most suitable set of questions which fulfil the organization's
requirements for all the users, and security can be enhanced by engaging
another recovery mechanism along with that.

>
> Also, if the question set is predefined, an attacker can know the set of
> possible questions and research and prepare himself well enough to answer
> them. We also may need to cater to the requirement of wanting to remove a
> question from the list if an organization feels a question is no longer
> appropriate.
>
+1. We already have this, but we need to enforce that existing users select a
new question if we are going to remove one.
-Ishara

>
>> Some researchers have also found that it is better to avoid user defined
>> security questions [1].
>>
>>
>> [1] http://www.passwordresearch.com/files/A%20Review%20of%20Real%20World%20Security%20Questions%20Answers%20-%20PasswordsCon13.pdf
>>
>> Thanks
>> Isura.
>>
>>>
>>>> Still, most of the users who use Identity Server use this feature. So,
>>>> I am -1 to remove the feature completely. We can give the following options,
>>>> so users can decide the better option for them.
>>>>
>>>>    - Email based recovery
>>>>    - Security Question-based recovery
>>>>    - Email + Security Question based recovery.
>>>>
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Senior Software Engineer | WSO2
>>>> Email: [email protected]
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Jan 19, 2017 at 9:48 AM, Rushmin Fernando <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Ishara,
>>>>>
>>>>> Since challenge questions themselves are insecure, customers will not
>>>>> use only that feature in a production system. So IMO it is not even a
>>>>> 'good to have' option.
>>>>>
>>>>> When I tried to reset my Salesforce password yesterday, they emailed
>>>>> me a link and it took me to a page with my security questions. So it was
>>>>> an *email + security questions* solution.
>>>>>
>>>>> But my guess is they might be using an existing security questions
>>>>> feature of theirs.
>>>>>
>>>>> In our case, we have still not implemented it. So I'm -1 for
>>>>> implementing challenge questions.
>>>>>
>>>>> On Wed, Jan 18, 2017 at 11:41 PM, Ishara Karunarathna <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Though challenge questions are not a secure mechanism, this is basic
>>>>>>>> stuff clients expect from an IAM solution.
>>>>>>>> And having another recovery mechanism with this can help to make it
>>>>>>>> strong as well.
>>>>>>>>
>>>>>>>> So I still have doubts on dropping this. And if we are completely
>>>>>>>> dropping this, we should have first class support for other
>>>>>>>> recovery mechanisms and be well documented on this.
>>>>>>>>
>>>>>>>
>>>>>>> That's the idea, right? I was under the impression that we will at
>>>>>>> least have an email based recovery mechanism in place. If we're saying
>>>>>>> challenge questions are our primary mode of account recovery, that's not
>>>>>>> right IMO. AFAIS, challenge questions are 'good to have' and email
>>>>>>> recovery is 'must have'.
>>>>>>>
>>>>>> Yes, challenge questions should not be a primary mechanism. But still
>>>>>> it's better to have them available in the product.
>>>>>>
>>>>>>>
>>>>>>>> -Ishara
>>>>>>>>
>>>>>>>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> If everyone had it in the past and is no longer using it, big +1 for
>>>>>>>>> removing it. The only concern is about existing customers. If we can
>>>>>>>>> explain the rationale behind removing it we are in the clear, I guess.
>>>>>>>>>
>>>>>>>>> @Sewmini
>>>>>>>>> Yes, there is a reviewed user story for this. But when we discussed
>>>>>>>>> some implementation details today, we realized that a lot of people had
>>>>>>>>> this and removed it due to vulnerabilities in it. Hence Indunil started
>>>>>>>>> this discussion.
>>>>>>>>>
>>>>>>>>> Thanks & Regards
>>>>>>>>> Danushka Fernando
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 inc. http://wso2.com/
>>>>>>>>> Mobile : +94716332729
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Security questions are a thing of the past. Google and Facebook
>>>>>>>>>> have both removed their security question based password recovery
>>>>>>>>>> mechanisms [1] [2]. So, +1 to drop this support in IS 6.
>>>>>>>>>>
>>>>>>>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>>>>>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Currently we are working on implementing the C5 user portal in IS.
>>>>>>>>>>>> I would appreciate your suggestions/ideas on the following concerns
>>>>>>>>>>>> regarding challenge questions.
>>>>>>>>>>>>
>>>>>>>>>>>> *1)  Is it necessary to include challenge questions in IS 6.0.0
>>>>>>>>>>>> as a recovery option?*
>>>>>>>>>>>> It seems that secret questions are neither secure nor reliable
>>>>>>>>>>>> enough to be used as an account recovery mechanism. Also, most of
>>>>>>>>>>>> the vendors have completely removed support for security questions,
>>>>>>>>>>>> including Google. In C5, security question sets will somewhat
>>>>>>>>>>>> strengthen the recovery and make it hard to guess the questions. But
>>>>>>>>>>>> it seems we need to consider whether it needs to be implemented or not.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I personally have never used a security question to recover any
>>>>>>>>>>> of the accounts whose passwords I forgot. It's always a recovery
>>>>>>>>>>> through email or mobile. Therefore I don't see this as a valuable feature.
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> *2)  Is it necessary to include security questions in the user self
>>>>>>>>>>>> sign-up page? If needed, is the following way appropriate?*
>>>>>>>>>>>> As we have planned, in C5, the admin can create several security
>>>>>>>>>>>> question sets and can configure the minimum number of questions that
>>>>>>>>>>>> need to be answered by a user. So in the self sign-up UI, when
>>>>>>>>>>>> populating security questions for a user,
>>>>>>>>>>>>
>>>>>>>>>>>>    - security questions need to be categorized according to the
>>>>>>>>>>>>    security question sets
>>>>>>>>>>>>    - all the sets need to be populated for the user
>>>>>>>>>>>>    - the user can select any number of security questions from
>>>>>>>>>>>>    different sets, but not from the same set
>>>>>>>>>>>>    - need to validate whether the user has answered the minimum
>>>>>>>>>>>>    number of questions
>>>>>>>>>>>>
>>>>>>>>>>> When an answer to a question is personal, the question itself
>>>>>>>>>>> is probably personal too. Therefore I don't think an admin can
>>>>>>>>>>> decide on what questions are to be asked from you. It's unlikely
>>>>>>>>>>> you'll remember an answer to a question which is not very relevant
>>>>>>>>>>> to you. If we're doing this (I'm negative on implementing the
>>>>>>>>>>> feature itself too :)), I think we should let the user decide his
>>>>>>>>>>> own questions and answers.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Appreciate your ideas on this.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks and Regards
>>>>>>>>>>>> --
>>>>>>>>>>>> Indunil Upeksha Rathnayake
>>>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>>>> Email    [email protected]
>>>>>>>>>>>> Mobile   0772182255
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Dev mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Nuwan Dias
>>>>>>>>>>>
>>>>>>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>>>>>>> email : [email protected]
>>>>>>>>>>> Phone : +94 777 775 729
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> *Kasun Gajasinghe*, Associate Technical Lead, WSO2 Inc.
>>>>>>>>>> email: kasung AT spamfree wso2.com
>>>>>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>>>>>> blog: http://kasunbg.org
>>>>>>>>>> phone: +1 650-745-4499, 77 678 0813
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Architecture mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ishara Karunarathna
>>>>>>>> Associate Technical Lead
>>>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>>>
>>>>>>>> email: [email protected],   blog: isharaaruna.blogspot.com,
>>>>>>>> mobile: +94717996791
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nuwan Dias
>>>>>>>
>>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>>> email : [email protected]
>>>>>>> Phone : +94 777 775 729
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
>>>>>> +94717996791
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>>
>>>>> *Rushmin Fernando*
>>>>> *Technical Lead*
>>>>>
>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>
>>>>> mobile : +94775615183
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: [email protected],   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
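As an added illustration, not code from this thread or from WSO2 Identity Server, of the C5 design Indunil describes (an admin defines several security question sets and a minimum number of questions, and a user may pick at most one question per set) together with Ishara's point that existing users must pick a new question when an admin removes one. The set ids, question ids, question texts, user names and every function name below are assumptions made up for this example.

```python
# Added example (not WSO2 code): enrolment validation against admin-defined
# security question sets, and detection of users who must re-enrol after an
# admin retires a question. All names and sample data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str      # assumed identifier of the question
    set_id: str   # assumed identifier of the set it belongs to
    text: str


class QuestionPolicy:
    """Admin-defined question sets plus the minimum number a user must answer."""

    def __init__(self, questions, min_answered):
        self._questions = {q.qid: q for q in questions}
        self.min_answered = min_answered

    def grouped_by_set(self):
        """Every set with its questions, for populating the self sign-up UI."""
        groups = {}
        for q in self._questions.values():
            groups.setdefault(q.set_id, []).append(q)
        return groups

    def lookup(self, qid):
        return self._questions.get(qid)

    def remove_question(self, qid):
        """Admin retires a question the organization no longer finds appropriate."""
        self._questions.pop(qid, None)


def validate_enrolment(policy, chosen_qids):
    """Return a list of problems with a user's chosen questions; [] means valid.

    Rules from the thread: every chosen question must still exist, no two may
    come from the same set, and at least policy.min_answered must be chosen.
    """
    problems = []
    set_to_qid = {}  # set_id -> the first question chosen from that set
    for qid in chosen_qids:
        q = policy.lookup(qid)
        if q is None:
            problems.append(f"question {qid} is unknown or has been removed")
            continue
        if q.set_id in set_to_qid:
            problems.append(f"{set_to_qid[q.set_id]} and {qid} are both from set {q.set_id}")
        else:
            set_to_qid[q.set_id] = qid
    if len(set_to_qid) < policy.min_answered:
        problems.append(
            f"only {len(set_to_qid)} valid question(s) chosen, minimum is {policy.min_answered}"
        )
    return problems


def users_needing_reenrolment(policy, enrolments):
    """Users whose stored choice no longer satisfies the policy (for instance
    after an admin removed a question); they must be prompted to pick anew."""
    return sorted(user for user, qids in enrolments.items() if validate_enrolment(policy, qids))


# Constructed sample policy and enrolments, not real product data.
SAMPLE_POLICY = QuestionPolicy(
    [
        Question("q1", "set1", "What is the name of the 3rd school you attended?"),
        Question("q2", "set1", "What was the name of your first pet?"),
        Question("q3", "set2", "In which city were you born?"),
        Question("q4", "set3", "What was your first employer?"),
    ],
    min_answered=2,
)
SAMPLE_ENROLMENTS = {
    "alice": ["q1", "q3"],
    "bob": ["q2", "q4"],
    "carol": ["q1", "q2"],  # both from set1, so never a valid enrolment
}


if __name__ == "__main__":
    for user, qids in SAMPLE_ENROLMENTS.items():
        print(user, validate_enrolment(SAMPLE_POLICY, qids) or "ok")
    SAMPLE_POLICY.remove_question("q1")
    print("need re-enrolment:", users_needing_reenrolment(SAMPLE_POLICY, SAMPLE_ENROLMENTS))
```

Running the block shows carol rejected up front (two questions from one set leaves her below the minimum), and once q1 is retired alice joins the re-enrolment list, which is the check the thread says has to run before a question can be removed.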
