Can you please check whether we support the following under both the password recovery and user signup flows... if not, can we please accommodate them...

1. The verification code expires after some time
2. Ability to resend the verification code (a new one) by the admin or by the user
3. After the password reset, send an email to the user's registered email address - confirming the action
4. Whenever a password reset is initiated with secret questions - send an email to the user's registered email address
5. Lock the account after n number of tries to reset the password via secret questions - or present a captcha
6. Use Google reCAPTCHA
7. Capture statistics on password recovery
8. When a registered user tries to log in to the system without verifying the code - inform him that verification is pending - and give the ability to resend the verification code

Thanks & regards,
-Prabath

On Wed, Apr 27, 2016 at 11:38 PM, Malithi Edirisinghe <[email protected]> wrote:
>
> Hi All,
>
> I'm working on supporting user information recovery scenarios in the IS user portal [1].
>
> While discussing the user aspects of password recovery with security questions with the UX team, we came across the below concern.
>
> 1. Should we view all of the security questions chosen by the user, from each question set, on the same page
>
> 2. Should we view the question chosen from each question set on a separate page, and make the user go page by page answering each question
>
> If we choose option (1) we should be able to verify the user's answers for all the questions in one step. If all are answered properly we will let the user proceed, or else we will notify the user, on the next page, that he has not correctly answered one or more.
> If we choose option (2), in each step we will verify the user's answer to the question prompted. If the first one is properly answered, prompt the second question and let him proceed similarly, or else break the flow.
>
> However, with the information recovery service implementation at IS, we can only support option (2) at the moment.
> But, as it seems, most of the sites opt for option (1).
>
> We would like to clarify which option we should proceed with. Also, we would like to clarify any security concerns with regard to the above options.
>
> Appreciate your thoughts.
>
> [1] https://wso2.org/jira/browse/IDENTITY-3300
>
> Thanks,
> Malithi.
> --
>
> *Malithi Edirisinghe*
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://blog.facilelogin.com
http://blog.api-security.org
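Prabath's items 1, 2 and 5 (code expiry, resend, lockout after n tries) together with Malithi's option (1) (verify all secret answers in one step), sketched as an added Python example; this is not code from the thread or from WSO2 Identity Server, and CODE_TTL, MAX_QUESTION_TRIES and the in-memory RecoveryState are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional
CODE_TTL = 15 * 60          # assumed: seconds a verification code stays valid (item 1)
MAX_QUESTION_TRIES = 3      # assumed value of "n" in item 5

def _h(answer: str) -> bytes:   # normalise and hash; plaintext answers are never stored
    return hashlib.sha256(answer.strip().lower().encode()).digest()

@dataclass
class RecoveryState:            # per-user state; in-memory stand-in for the user store (assumed)
    answer_hashes: List[bytes]  # one hashed answer per question set
    code: Optional[str] = None  # current verification code, single use
    code_expires: float = 0.0   # epoch seconds
    failed_tries: int = 0
    locked: bool = False
    events: List[str] = field(default_factory=list)  # feed for item 7 statistics and mails

def issue_code(state: RecoveryState, now: float) -> str:
    """Items 1 and 2: issue or re-issue a code; any earlier code is invalidated."""
    state.code = secrets.token_urlsafe(16)
    state.code_expires = now + CODE_TTL
    return state.code

def verify_code(state: RecoveryState, submitted: str, now: float) -> bool:
    """Reject missing, expired or already-used codes; compare in constant time."""
    if state.code is None or now > state.code_expires:
        return False
    if not hmac.compare_digest(state.code.encode(), submitted.encode()):
        return False
    state.code = None           # single use: a second submission of the same code fails
    return True

def verify_answers(state: RecoveryState, answers: List[str]) -> bool:
    """Option (1): check all answers in one step and report only overall pass/fail,
    so the reply does not reveal which question was missed; item 5: lock after n failures."""
    if state.locked or len(answers) != len(state.answer_hashes):
        return False
    results = [hmac.compare_digest(_h(a), h) for a, h in zip(answers, state.answer_hashes)]  # evaluate all
    if all(results):
        state.failed_tries = 0
        state.events.append("questions_passed")   # item 4: send the notification mail here
        return True
    state.failed_tries += 1
    if state.failed_tries >= MAX_QUESTION_TRIES:
        state.locked = True
        state.events.append("account_locked")
    return False
```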
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
