On Fri, Apr 29, 2016 at 7:57 AM, Malithi Edirisinghe <[email protected]> wrote:

> Hi All,
>
> Thanks a lot for the inputs.
> So ideally I think we should support both options.
>
> Johann, Prabath,
> WDYT?
> +1 from me.
>
> Thanks,
> Malithi.
>
> On Thu, Apr 28, 2016 at 4:43 PM, Dulindra Wijethilake <[email protected]> wrote:
>
>> On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <[email protected]> wrote:
>>
>>> IMO we should use the 2nd approach by default. Please check the following
>>> OWASP recommendation:
>>>
>>>> Furthermore, since adversaries will try the "forgot password" reset flow
>>>> to reset a user's password (especially if they have compromised the
>>>> side-channel, such as the user's email account or their mobile device where
>>>> they receive SMS text messages), it is a good practice to minimize unintended
>>>> and unauthorized information disclosure of the security questions. This may
>>>> mean that you require the user to answer one security question before
>>>> displaying any subsequent questions to be answered. In this manner, it does
>>>> not allow an adversary an opportunity to research all the questions at
>>>> once. Note however that this is contrary to the advice given on the Forgot
>>>> Password Cheat Sheet and it may also be perceived as not being
>>>> user-friendly by your sponsoring business unit, so again YMMV. [1]
>>>
>>> It is true that having multiple screens is not user-friendly, but IMO
>>> the security aspect is more important than being user-friendly in such a
>>> sensitive and infrequently used flow.
>>>
>>> Also during PCI PA-DSS audits, I have experience where auditors
>>> recommend the 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2],
>>> which is regarding disclosing information on a need-to-know basis (even
>>> though PCI PA-DSS purely speaks about securing cardholder data, which does
>>> not include security questions).
>>
>> Agree with Ayoma. I too have experienced this and have read expert
>> opinion on this. Security question disclosure should be on a need-to-know
>> basis.
>>
>>> It is great if we can support both options and allow the user to decide what
>>> to use. However, IMO the default should be the 2nd approach.
>>>
>>> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
>>> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
>>> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>>>
>>> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm working on supporting user information recovery scenarios in the IS
>>>>> user portal [1].
>>>>>
>>>>> While discussing the user aspects of password recovery with
>>>>> security questions with the UX team, we came across the below concern.
>>>>>
>>>>> 1. Should we view all of the security questions chosen by the user,
>>>>> from each question set, on the same page?
>>>>>
>>>>> 2. Should we view the question chosen from each question set on a
>>>>> separate page, and make the user go page by page answering each
>>>>> question?
>>>>>
>>>>> If we choose option (1) we should be able to verify the user's answers for
>>>>> all the questions in one step. If all are answered properly we will let
>>>>> the user proceed, or else we will notify the user that he has not
>>>>> correctly answered one or more, on the next page.
>>>>> If we choose option (2), in each step we will verify the user's answer
>>>>> to the question prompted. If the first one is properly answered, prompt the
>>>>> second question and let him proceed similarly, or else break the flow.
>>>>>
>>>>> However, with the information recovery service implementation in IS, we
>>>>> can only support option (2) at the moment.
>>>>> But, it seems most of the sites opt for option (1).
>>>>
>>>> Yes. In the current implementation we can support only option 2. When
>>>> we are designing the Identity Management Java APIs for the IS 5.3.0 release, it is
>>>> better to support a Java API for both of the above scenarios.
>>>>
>>>> Thanks
>>>> Isura
>>>>
>>>>> We would like to clarify which option we should proceed with. Also, we
>>>>> would like to clarify any security concerns with regard to the above
>>>>> options.
>>>>>
>>>>> Appreciate your thoughts.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>>>
>>>>> Thanks,
>>>>> Malithi.
>>>>> --
>>>>> *Malithi Edirisinghe*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc.
>>>>>
>>>>> Mobile : +94 (0) 718176807
>>>>> [email protected]
>>>>
>>>> --
>>>> Isura Dilhara Karunaratne
>>>> Senior Software Engineer
>>>>
>>>> Mob +94 772 254 810
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>> --
>>> Ayoma Wijethunga
>>> Software Engineer
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 (0) 719428123
>>> Blog : http://www.ayomaonline.com
>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> --
>> Dulindra Wijethilake
>> Senior Product Manager
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>> mobile- +94 71 312 0005
>
> --
> *Malithi Edirisinghe*
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
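The two verification flows the thread weighs (option 1: every chosen question on one page, all answers checked in one step; option 2: one question per page, the next question revealed only after the current one is answered correctly, as the OWASP cheat sheet quoted above recommends) are shown side by side in the added Python example below. It is illustration written for this page, not code from WSO2 Identity Server or from anyone in the thread; the question-set names, sample questions and answers are constructed, and the PBKDF2 work factor is an assumption for the example only.

```python
"""Two security-question recovery flows, side by side (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: work factor chosen for this example only, not a product setting.
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Exampleville' and ' exampleville ' match."""
    return " ".join(answer.strip().casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored only as salted PBKDF2 hashes, the same way passwords are."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


@dataclass
class StoredQuestion:
    question_set: str   # the set the user picked this question from
    question: str
    salt: bytes
    answer_hash: bytes

    def matches(self, candidate: str) -> bool:
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self.answer_hash, hash_answer(candidate, self.salt))


def enrol(chosen):
    """chosen: iterable of (question_set, question, answer), one question per set."""
    stored = []
    for question_set, question, answer in chosen:
        salt = secrets.token_bytes(16)
        stored.append(StoredQuestion(question_set, question, salt, hash_answer(answer, salt)))
    return stored


# Option (1): all chosen questions are shown on one page and all answers are
# verified in a single step. Every answer is always checked, and the caller
# learns only pass/fail, never which individual answer was wrong.
def verify_all_at_once(stored, answers):
    """answers: {question_set: answer_text}; a missing answer counts as wrong."""
    outcomes = [q.matches(answers.get(q.question_set, "")) for q in stored]
    return all(outcomes)


# Option (2): one question per page. The next question is revealed only after
# the current one is answered correctly, so a wrong answer ends the flow
# without disclosing the remaining questions (the need-to-know behaviour).
class StepwiseRecovery:
    def __init__(self, stored):
        self._stored = list(stored)
        self._index = 0
        self.state = "in_progress"  # becomes "verified" or "failed"

    def current_question(self):
        """The single question to display now, or None once the flow has ended."""
        if self.state != "in_progress":
            return None
        return self._stored[self._index].question

    def submit(self, answer):
        """Check the answer to the current question, then advance or break the flow."""
        if self.state != "in_progress":
            raise RuntimeError("recovery flow has already ended")
        if not self._stored[self._index].matches(answer):
            self.state = "failed"
        else:
            self._index += 1
            if self._index == len(self._stored):
                self.state = "verified"
        return self.state


# Constructed sample enrolment (not real user data).
SAMPLE_ENROLMENT = enrol([
    ("childhood", "What was the name of your first school?", "Example Primary School"),
    ("places", "In which city were you born?", "Exampleville"),
    ("family", "What is your mother's maiden name?", "Smith"),
])


if __name__ == "__main__":
    print("option 1, all correct:", verify_all_at_once(SAMPLE_ENROLMENT, {
        "childhood": "example primary school", "places": "Exampleville", "family": "Smith"}))
    flow = StepwiseRecovery(SAMPLE_ENROLMENT)
    while flow.current_question() is not None:
        print("option 2, asking:", flow.current_question())
        flow.submit("wrong answer")  # the first wrong answer breaks the flow
    print("option 2 ended in state:", flow.state)
```

In the one-step flow the outcome list is built for every question before `all()` is evaluated, so the response is the same regardless of which answer failed; in the step-wise flow a failed answer leaves `current_question()` returning `None`, which is what keeps the later questions off the screen. Both flows share the same hashed, normalized answer store, so a deployment that exposes both (as the thread proposes) does not need two representations of the answers.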
