On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <[email protected]> wrote:

> IMO we should use the 2nd approach by default. Please check the following
> OWASP recommendation:
>
>> Furthermore, since adversaries will try the "forgot password" reset flow
>> to reset a user's password (especially if they have compromised the
>> side-channel, such as user's email account or their mobile device where
>> they receive SMS text messages), it is a good practice to minimize unintended
>> and unauthorized information disclosure of the security questions. This may
>> mean that you require the user to answer one security question before
>> displaying any subsequent questions to be answered. In this manner, it does
>> not allow an adversary an opportunity to research all the questions at
>> once. Note however that this is contrary to the advice given on the Forgot
>> Password Cheat Sheet and it may also be perceived as not being
>> user-friendly by your sponsoring business unit, so again YMMV. [1]
>
> It is true that having multiple screens is not user-friendly, but IMO the
> security aspect is more important than being user-friendly in such a sensitive
> and infrequently used flow.
>
> Also during PCI PA-DSS audits, I have experience where auditors recommend the
> 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2], which is
> regarding disclosing information on a need-to-know basis (even though PCI
> PA-DSS purely speaks about securing cardholder data, which does not include
> security questions).

Agree with Ayoma. I too have experienced this and have read expert opinion on this. Security questions disclosure should be on a need-to-know basis.

> It is great if we can support both options and allow the user to decide what
> to use. However, IMO the default should be the 2nd approach.
>
> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>
> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <[email protected]> wrote:
>
>> Hi all,
>>
>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I'm working on supporting user information recovery scenarios in the IS user
>>> portal [1].
>>>
>>> While discussing the user aspects of password recovery with security
>>> questions with the UX team, we came across the below concern.
>>>
>>> 1. Should we show all of the security questions chosen by the user, from
>>> each question set, on the same page?
>>>
>>> 2. Should we show the question chosen from each question set on a
>>> separate page, and make the user go page by page answering each question?
>>>
>>> If we choose option (1) we should be able to verify the user's answers to all
>>> the questions in one step. If all are answered properly we will let the
>>> user proceed, or else we will notify the user, on the next page, that he has
>>> not correctly answered one or more.
>>> If we choose option (2), in each step we will verify the user's answer to
>>> the question prompted. If the first one is properly answered, prompt the
>>> second question and let him proceed similarly, or else break the flow.
>>>
>>> However, with the information recovery service implementation at IS, we can
>>> only support option (2) at the moment.
>>> But, as it seems, most of the sites opt for option (1).
>>
>> Yes. In the current implementation we can support only option 2. When
>> we are designing Identity Management Java APIs for the IS 5.3.0 release, it is
>> better to support a Java API for both of the above scenarios.
>>
>> Thanks
>> Isura
>>
>>> We would like to clarify which option we should proceed with. Also, we
>>> would like to clarify any security concerns with regard to the above options.
>>>
>>> Appreciate your thoughts.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>
>>> Thanks,
>>> Malithi.
>>> --
>>> *Malithi Edirisinghe*
>>> Senior Software Engineer
>>> WSO2 Inc.
>>>
>>> Mobile : +94 (0) 718176807
>>> [email protected]
>>
>> --
>> Isura Dilhara Karunaratne
>> Senior Software Engineer
>>
>> Mob +94 772 254 810
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Ayoma Wijethunga
> Software Engineer
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma

--
Dulindra Wijethilake
Senior Product Manager
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
mobile- +94 71 312 0005
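As an added illustration of the two flows discussed in this thread (example code, not from the thread or from WSO2 Identity Server): option (2) discloses each security question only after the previous one has been answered correctly and breaks the flow on a wrong answer, so an attacker who has taken over the side-channel never sees the remaining questions; option (1) shows all questions together and verifies the answers in one step, returning a single pass/fail so the caller cannot tell the user which answer failed. The salted-hash storage of answers, the answer normalisation and the sample questions are assumptions.

```python
import hashlib
import hmac
import os

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are stored salted and hashed, and compared case- and
    # whitespace-insensitively so that "Rex " matches "rex".
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 50_000)

def enrol(answers: dict) -> list:
    """Return [(question, salt, hash)] from the user's chosen questions."""
    salted = [(q, os.urandom(16)) for q in answers]
    return [(q, s, hash_answer(answers[q], s)) for q, s in salted]

class SequentialChallenge:
    """Option (2): one question per step; a wrong answer ends the flow."""
    def __init__(self, enrolled):
        self._enrolled = enrolled
        self._index = 0
        self._failed = False

    def current_question(self):
        # Only the question the user has reached is ever disclosed.
        if self._failed or self._index >= len(self._enrolled):
            return None
        return self._enrolled[self._index][0]

    def answer(self, text: str) -> bool:
        if self.current_question() is None:
            return False
        _, salt, expected = self._enrolled[self._index]
        if hmac.compare_digest(hash_answer(text, salt), expected):
            self._index += 1
            return True
        self._failed = True  # break the flow; remaining questions stay hidden
        return False

    def verified(self) -> bool:
        return not self._failed and self._index == len(self._enrolled)

def verify_all_at_once(enrolled, answers: list) -> bool:
    """Option (1): all questions shown together, checked in one step.
    Every answer is checked before deciding, and only one pass/fail is returned."""
    if len(answers) != len(enrolled):
        return False
    checks = [hmac.compare_digest(hash_answer(a, s), h) for (_, s, h), a in zip(enrolled, answers)]
    return all(checks)
```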
