Hi All,

Thanks a lot for the inputs. So ideally I think we should support both options.

Johann, Prabath, WDYT?

Thanks,
Malithi.

On Thu, Apr 28, 2016 at 4:43 PM, Dulindra Wijethilake <[email protected]> wrote:
>
> On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <[email protected]> wrote:
>
>> IMO we should use the 2nd approach by default. Please check the following
>> OWASP recommendation:
>>
>>> Furthermore, since adversaries will try the "forgot password" reset flow
>>> to reset a user's password (especially if they have compromised the
>>> side-channel, such as user's email account or their mobile device where
>>> they receive SMS text messages), it is a good practice to minimize unintended
>>> and unauthorized information disclosure of the security questions. This may
>>> mean that you require the user to answer one security question before
>>> displaying any subsequent questions to be answered. In this manner, it does
>>> not allow an adversary an opportunity to research all the questions at
>>> once. Note however that this is contrary to the advice given on the Forgot
>>> Password Cheat Sheet and it may also be perceived as not being
>>> user-friendly by your sponsoring business unit, so again YMMV. [1]
>>
>> It is true that having multiple screens is not user-friendly, but IMO the
>> security aspect is more important than being user-friendly in such a sensitive
>> and infrequently used flow.
>>
>> Also, during PCI PA-DSS audits, I have experience where auditors recommend the
>> 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2], which is
>> regarding disclosing information on a need-to-know basis (even though PCI
>> PA-DSS purely speaks about securing cardholder data, which does not include
>> security questions).
>
> Agree with Ayoma. I too have experienced this and have read expert opinion
> on this. Security question disclosure should be on a need-to-know basis.
>
>> It is great if we can support both options and allow the user to decide what
>> to use. However, IMO the default should be the 2nd approach.
>>
>> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
>> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
>> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>>
>> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm working on supporting user information recovery scenarios in the IS
>>>> user portal [1].
>>>>
>>>> While discussing the user aspects of password recovery with security
>>>> questions with the UX team, we came across the below concern.
>>>>
>>>> 1. Should we view all of the security questions chosen by the user,
>>>> from each question set, on the same page?
>>>>
>>>> 2. Should we view the question chosen from each question set on a
>>>> separate page, and make the user go page by page answering each question?
>>>>
>>>> If we choose option (1) we should be able to verify the user's answers for all
>>>> the questions in one step. If all are answered properly we will let the
>>>> user proceed, or else we will notify the user on the next page that he has
>>>> not correctly answered one or more.
>>>> If we choose option (2), in each step we will verify the user's answer to
>>>> the question prompted. If the first one is properly answered, prompt the
>>>> second question and let him proceed similarly, or else break the flow.
>>>>
>>>> However, with the information recovery service implementation at IS, we
>>>> can only support option (2) at the moment.
>>>> But, as it seems, most of the sites opt for option (1).
>>>
>>> Yes. In the current implementation we can support only option 2. When
>>> we are designing the Identity Management Java APIs for the IS 5.3.0 release,
>>> it is better to support a Java API for both of the above scenarios.
>>>
>>> Thanks
>>> Isura
>>>
>>>> We would like to clarify which option we should proceed with. Also, we
>>>> would like to clarify any security concerns with regard to the above
>>>> options.
>>>>
>>>> Appreciate your thoughts.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>>
>>>> Thanks,
>>>> Malithi.
>>>> --
>>>>
>>>> *Malithi Edirisinghe*
>>>> Senior Software Engineer
>>>> WSO2 Inc.
>>>>
>>>> Mobile : +94 (0) 718176807
>>>> [email protected]
>>>
>>> --
>>> Isura Dilhara Karunaratne
>>> Senior Software Engineer
>>>
>>> Mob +94 772 254 810
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Ayoma Wijethunga
>> Software Engineer
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Dulindra Wijethilake
> Senior Product Manager
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
> mobile- +94 71 312 0005

--
*Malithi Edirisinghe*
Senior Software Engineer
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
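Added example, not part of the thread and not WSO2 Identity Server code: a small Python model of the two recovery flows the thread compares. Option (1) ("all_at_once") reveals every enrolled question and verifies all answers in a single step; option (2) ("stepwise", the OWASP need-to-know flow) reveals one question at a time and shows the next only after the current one is answered correctly, breaking the flow on a wrong answer. Storage and policy details are assumptions for illustration: answers are stored salted and PBKDF2-hashed, compared in constant time, and a per-user failed-attempt limit is applied. The names `RecoveryChallenge`, `RecoveryService` and the sample enrolment are constructed, not taken from the project.

```python
import hashlib
import hmac
import os

# Added example, not WSO2 IS code. Models option (1) "all_at_once" and
# option (2) "stepwise" from the thread. Storage is an assumption:
# answers are held salted and PBKDF2-hashed, never in clear text.

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 3      # assumed lockout policy


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive matching of typed answers."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enrol(question_answers):
    """Build enrolment records from (question_set, question, answer) triples."""
    records = []
    for qset, question, answer in question_answers:
        salt = os.urandom(16)
        records.append({"set": qset, "question": question, "salt": salt,
                        "digest": hash_answer(answer, salt)})
    return records


class RecoveryChallenge:
    """One recovery attempt; mode is "stepwise" (option 2) or "all_at_once" (option 1)."""

    def __init__(self, records, mode="stepwise"):
        if mode not in ("stepwise", "all_at_once"):
            raise ValueError("unknown mode")
        self.records = records
        self.mode = mode
        self.index = 0          # next question to reveal in stepwise mode
        self.state = "open"     # open -> verified | failed

    def questions(self):
        """Only the questions the UI may show right now (need-to-know)."""
        if self.state != "open":
            return []
        if self.mode == "all_at_once":
            return [r["question"] for r in self.records]
        return [self.records[self.index]["question"]]

    def _matches(self, record, answer):
        # Constant-time comparison of digests.
        return hmac.compare_digest(record["digest"], hash_answer(answer, record["salt"]))

    def submit(self, answers):
        """Return "next", "verified" or "failed"; never says which answer was wrong."""
        if self.state != "open":
            return self.state
        if self.mode == "all_at_once":
            # Evaluate every answer even after a mismatch so response time does
            # not reveal how many leading answers were right.
            checks = [self._matches(r, a) for r, a in zip(self.records, answers)]
            ok = len(answers) == len(self.records) and all(checks)
        else:
            ok = len(answers) == 1 and self._matches(self.records[self.index], answers[0])
            if ok:
                self.index += 1
                if self.index < len(self.records):
                    return "next"            # reveal the next question only now
        self.state = "verified" if ok else "failed"   # a wrong answer breaks the flow
        return self.state


class RecoveryService:
    """Per-user attempt limiting around RecoveryChallenge (constructed policy)."""

    def __init__(self, enrolments, mode="stepwise"):
        self.enrolments = enrolments
        self.mode = mode
        self.failed_attempts = {}

    def start(self, username):
        if self.failed_attempts.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return None     # locked out; UI shows a generic message
        records = self.enrolments.get(username)
        if records is None:
            return None     # same response as locked: no username enumeration
        return RecoveryChallenge(records, self.mode)

    def record_result(self, username, result):
        if result == "failed":
            self.failed_attempts[username] = self.failed_attempts.get(username, 0) + 1
        elif result == "verified":
            self.failed_attempts.pop(username, None)


# Constructed sample enrolment, one question per question set (not real data).
SAMPLE_ENROLMENTS = {
    "alice": enrol([
        ("set1", "What was the name of your first school?", "Hill Street"),
        ("set2", "In what city were you born?", "Colombo"),
    ])
}

if __name__ == "__main__":
    svc = RecoveryService(SAMPLE_ENROLMENTS, mode="stepwise")
    ch = svc.start("alice")
    print(ch.questions())               # only the first question is visible
    print(ch.submit(["hill street"]))   # "next": second question now revealed
    print(ch.questions())
    print(ch.submit(["Colombo"]))       # "verified"
```

In stepwise mode `questions()` is the only path by which question text leaves the server, so an attempt that fails at question one never learns question two; in all-at-once mode every question is disclosed before any answer is checked, which is the trade-off the thread weighs against the single-page UX.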
