Hi,

At which level should we have this option?

IMO we should let each tenant pick their own flow.

Thanks,

On Friday, 29 April 2016, Prabath Siriwardana <[email protected]> wrote:

> +1 for both - and I guess our default implementation should use option-2.
>
> Thanks & regards,
> -Prabath
>
> On Thu, Apr 28, 2016 at 7:38 PM, Johann Nallathamby <[email protected]> wrote:
>
>> On Fri, Apr 29, 2016 at 7:57 AM, Malithi Edirisinghe <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Thanks a lot for the inputs.
>>> So ideally I think we should support both options.
>>>
>>> Johann, Prabath,
>>> WDYT?
>>
>> +1 from me.
>>
>>> Thanks,
>>> Malithi.
>>>
>>> On Thu, Apr 28, 2016 at 4:43 PM, Dulindra Wijethilake <[email protected]> wrote:
>>>
>>>> On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>>
>>>>> IMO we should use the 2nd approach by default. Please check the following OWASP recommendation:
>>>>>
>>>>>> Furthermore, since adversaries will try the "forgot password" reset flow to reset a user's password (especially if they have compromised the side-channel, such as user's email account or their mobile device where they receive SMS text messages), it is a good practice to minimize unintended and unauthorized information disclosure of the security questions. This may mean that you require the user to answer one security question before displaying any subsequent questions to be answered. In this manner, it does not allow an adversary an opportunity to research all the questions at once. Note however that this is contrary to the advice given on the Forgot Password Cheat Sheet and it may also be perceived as not being user-friendly by your sponsoring business unit, so again YMMV. [1]
>>>>>
>>>>> It is true that having multiple screens is not user-friendly, but IMO the security aspect is more important than being user friendly in such a sensitive and infrequently used flow.
>>>>>
>>>>> Also during PCI PA-DSS audits, I have experience where auditors recommend the 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2], which is regarding disclosing information on a need-to-know basis (even though PCI PA-DSS purely speaks about securing cardholder data, which does not include security questions).
>>>>
>>>> Agree with Ayoma. I too have experienced this and have read expert opinion on this. Security questions disclosure should be on a need-to-know basis.
>>>>
>>>>> It is great if we can support both options and allow the user to decide what to use. However, IMO the default should be the 2nd approach.
>>>>>
>>>>> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
>>>>> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
>>>>> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>>>>>
>>>>> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I'm working on supporting user information recovery scenarios in the IS user portal [1].
>>>>>>>
>>>>>>> While discussing the user aspects of password recovery with security questions with the UX team, we came across the below concern.
>>>>>>>
>>>>>>> 1. Should we view all of the security questions chosen by the user, from each question set, on the same page?
>>>>>>>
>>>>>>> 2. Should we view the question chosen from each question set on a separate page, and make the user go page by page answering each question?
>>>>>>>
>>>>>>> If we choose option (1) we should be able to verify the user's answers to all the questions in one step. If all are answered properly we will let the user proceed; otherwise we will notify the user, on the next page, that he has not correctly answered one or more.
>>>>>>> If we choose option (2), in each step we will verify the user's answer to the question prompted. If the first one is properly answered, prompt the second question and let him proceed similarly; otherwise break the flow.
>>>>>>>
>>>>>>> However, with the information recovery service implementation in IS, we can only support option (2) at the moment.
>>>>>>> But it seems most of the sites opt for option (1).
>>>>>>
>>>>>> Yes. In the current implementation we can support only option 2.
>>>>>> When we are designing the Identity Management Java APIs for the IS 5.3.0 release, it is better to support a Java API for both of the above scenarios.
>>>>>>
>>>>>> Thanks
>>>>>> Isura
>>>>>>
>>>>>>> We would like to clarify which option we should proceed with.
>>>>>>> Also, we would like to clarify any security concerns with regard to the above options.
>>>>>>>
>>>>>>> Appreciate your thoughts.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Malithi.
>>>>>>> --
>>>>>>> *Malithi Edirisinghe*
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc.
>>>>>>> Mobile : +94 (0) 718176807
>>>>>>> [email protected]
>>>>>>
>>>>>> --
>>>>>> Isura Dilhara Karunaratne
>>>>>> Senior Software Engineer
>>>>>> Mob +94 772 254 810
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>> --
>>>>> Ayoma Wijethunga
>>>>> Software Engineer
>>>>> WSO2, Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>> Mobile : +94 (0) 719428123
>>>>> Blog : http://www.ayomaonline.com
>>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>
>>>> --
>>>> Dulindra Wijethilake
>>>> Senior Product Manager
>>>> WSO2, Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>> mobile- +94 71 312 0005
>>>
>>> --
>>> *Malithi Edirisinghe*
>>> Senior Software Engineer
>>> WSO2 Inc.
>>> Mobile : +94 (0) 718176807
>>> [email protected]
>>
>> --
>> Thanks & Regards,
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com*
>
> --
> Thanks & Regards,
> Prabath
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> Mobile : +1 650 625 7950
> http://blog.facilelogin.com
> http://blog.api-security.org

--
Regards,
*Darshana Gunawardana*
Senior Software Engineer
WSO2 Inc.; http://wso2.com
*E-mail: [email protected]*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
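The two flows the thread compares, as an added example that is not part of the thread and is not WSO2 Identity Server's recovery API: a small Python model (the question set, answers and identifiers are constructed for illustration) in which option (1) discloses every enrolled question and verifies them in one step, while option (2) discloses one question at a time and releases the next only after the current answer verifies, and a failed flow discloses nothing further. Answers are kept as salted PBKDF2 digests and compared in constant time, and the all-at-once result reports only an aggregate pass or fail, so neither variant tells a caller which answer was wrong.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # constructed setting for the example; tune to your hardware


def normalize(answer):
    """Case- and whitespace-insensitive form, so 'Colombo ' matches 'colombo'."""
    return " ".join(answer.strip().lower().split())


@dataclass(frozen=True)
class StoredAnswer:
    question_id: str
    question_text: str
    salt: bytes
    digest: bytes


def enroll(question_id, question_text, answer):
    """Keep only a salted PBKDF2 digest of the normalized answer, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return StoredAnswer(question_id, question_text, salt, digest)


def check_answer(stored, answer):
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)  # constant-time comparison


class RecoveryChallenge:
    # sequential=False is option (1): all questions disclosed and verified in one step.
    # sequential=True  is option (2): one question at a time; the next is disclosed only
    # after the current one verifies, and a wrong answer breaks the flow.

    def __init__(self, stored, sequential, max_rounds=3):
        if not stored:
            raise ValueError("user has no enrolled security questions")
        self._stored = list(stored)
        self.sequential = sequential
        self.max_rounds = max_rounds  # option (1) only: failed all-at-once rounds allowed
        self._next = 0                # option (2) only: index of the question on screen
        self._failed_rounds = 0
        self.state = "IN_PROGRESS"    # IN_PROGRESS -> PASSED | FAILED

    def _require_in_progress(self):
        if self.state != "IN_PROGRESS":
            raise PermissionError("recovery flow is already " + self.state)

    def pending_questions(self):
        """What the portal may show now; nothing is disclosed once the flow has ended."""
        self._require_in_progress()
        visible = self._stored[self._next:self._next + 1] if self.sequential else self._stored
        return [(s.question_id, s.question_text) for s in visible]

    def submit_all(self, answers):
        """Option (1): verify every answer (no short-circuit) and report only an aggregate
        result, so the response never says which question was wrong."""
        self._require_in_progress()
        if self.sequential:
            raise ValueError("this flow discloses one question at a time; use submit_one")
        results = [check_answer(s, answers.get(s.question_id, "")) for s in self._stored]
        if all(results):
            self.state = "PASSED"
        else:
            self._failed_rounds += 1
            if self._failed_rounds >= self.max_rounds:
                self.state = "FAILED"
        return "RETRY" if self.state == "IN_PROGRESS" else self.state

    def submit_one(self, question_id, answer):
        """Option (2): only the question on screen is accepted; a correct answer unlocks
        the next one, a wrong answer (or an undisclosed id) ends the flow."""
        self._require_in_progress()
        if not self.sequential:
            raise ValueError("this flow verifies all answers at once; use submit_all")
        current = self._stored[self._next]
        if question_id != current.question_id or not check_answer(current, answer):
            self.state = "FAILED"
        else:
            self._next += 1
            if self._next == len(self._stored):
                self.state = "PASSED"
        return "NEXT" if self.state == "IN_PROGRESS" else self.state


def sample_profile():
    """Constructed sample enrollment for the example, not real user data."""
    return [
        enroll("q1", "What was the name of your first school?", "Royal College"),
        enroll("q2", "In which city were you born?", "Colombo"),
        enroll("q3", "What was your first pet's name?", "Tommy"),
    ]
```

To walk through option (2), create `RecoveryChallenge(sample_profile(), sequential=True)`: `pending_questions()` returns only `q1`, `submit_one("q1", "royal college")` returns `"NEXT"`, and only then does `pending_questions()` return `q2`; a wrong answer, or an attempt to answer `q2` before it has been shown, puts the flow into `FAILED`, after which `pending_questions()` raises rather than disclosing anything. The same profile with `sequential=False` models option (1): `pending_questions()` lists all three, and `submit_all` returns `"RETRY"` on a wrong round (up to `max_rounds`) without identifying the wrong answer.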
