Hi Ishara,

Since challenge questions themselves are insecure, customers will not use only that feature in a production system. So IMO it is not even a 'good to have' option.
When I tried to reset my Salesforce password yesterday, they emailed me a link and it took me to a page with my security questions. So it was an *email + security questions* solution. But my guess is they might be using an existing security questions feature of theirs. In our case, we have still not implemented it. So I'm -1 for implementing challenge questions.

On Wed, Jan 18, 2017 at 11:41 PM, Ishara Karunarathna <[email protected]> wrote:
>
> On Wed, Jan 18, 2017 at 11:17 PM, Nuwan Dias <[email protected]> wrote:
>>
>> On Wed, Jan 18, 2017 at 11:12 PM, Ishara Karunarathna <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> Though challenge question is not a secure mechanism, this is basic stuff clients expect from an IAM solution. And having another recovery mechanism with this can help to make it strong as well.
>>>
>>> So I still have doubts on dropping this. And if we are completely dropping this, we should have first class support for other recovery mechanisms and be well documented on this.
>>
>> That's the idea right? I was under the impression that we will at least have an email based recovery mechanism in place. If we're saying challenge questions are our primary mode of account recovery, that's not right IMO. AFAIS, challenge questions are 'good to have' and email recovery is 'must have'.
>
> Yes, challenge question should not be a primary mechanism. But still it's better to be available in the product.
>
>>> -Ishara
>>>
>>> On Wed, Jan 18, 2017 at 6:21 PM, Danushka Fernando <[email protected]> wrote:
>>>>
>>>> If everyone had it in the past and is no longer using it, big +1 for removing it. Only concern is about existing customers. If we can explain the rationale behind removing it we are in the clear I guess.
>>>>
>>>> @Sewmini
>>>> Yes, there is a reviewed user story for this. But when we discussed some implementation details today, we realized that a lot of people had this and removed it due to vulnerabilities in it. Hence Indunil started this discussion.
>>>>
>>>> Thanks & Regards
>>>> Danushka Fernando
>>>> Senior Software Engineer
>>>> WSO2 inc. http://wso2.com/
>>>> Mobile : +94716332729
>>>>
>>>> On Jan 18, 2017 6:04 PM, "KasunG Gajasinghe" <[email protected]> wrote:
>>>>>
>>>>> Security questions are a thing of the past. Google, Facebook, they all have removed the security questions based password recovery mechanisms. [1] [2] So, +1 to drop this support in IS 6.
>>>>>
>>>>> [1] http://googlesystem.blogspot.com/2014/12/google-drops-support-for-security.html
>>>>> [2] https://www.facebook.com/help/community/question/?id=815382261879187
>>>>>
>>>>> On Wed, Jan 18, 2017 at 5:37 PM, Nuwan Dias <[email protected]> wrote:
>>>>>>
>>>>>> On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Currently we are working on implementing the C5 user portal in IS. Appreciate your suggestions/ideas for the following concerns regarding challenge questions.
>>>>>>>
>>>>>>> *1) Is it necessary to include challenge questions in IS 6.0.0 as a recovery option?*
>>>>>>> Seems like secret questions are neither secure nor reliable enough to be used as an account recovery mechanism. And also most of the vendors have completely removed support for security questions, including Google. In C5, security question sets will somewhat strengthen the recovery and make it hard to guess the questions. But seems like we need to consider whether it needs to be implemented or not.
>>>>>>
>>>>>> I personally have never used a security question to recover any of the accounts of which I forgot passwords. It's always a recovery through email or mobile. Therefore I don't see this as a valuable feature.
>>>>>>
>>>>>>> *2) Is it necessary to include security questions in the user self sign-up page? If needed, is the following way appropriate?*
>>>>>>> As we have planned, in C5, admin can create several security question sets and can configure the minimum number of questions that need to be answered by a user. So that in the self sign-up UI when populating security questions to a user,
>>>>>>>
>>>>>>> - security questions need to be categorized according to the security question sets
>>>>>>> - all the sets need to be populated for the user
>>>>>>> - user can select any number of security questions from different sets, not from the same set
>>>>>>> - need to validate whether the user has answered the minimum number of questions
>>>>>>
>>>>>> When an answer to a question is personal, the question itself is probably personal too. Therefore I don't think an admin can decide on what questions to be asked from you. It's unlikely you'll remember an answer to a question which is not very relevant to you. If we're doing this (I'm negative on implementing the feature itself too :)), I think we should let the user decide his own questions and answers.
>>>>>>
>>>>>>> Appreciate your ideas on this.
>>>>>>>
>>>>>>> Thanks and Regards
>>>>>>> --
>>>>>>> Indunil Upeksha Rathnayake
>>>>>>> Software Engineer | WSO2 Inc
>>>>>>> Email [email protected]
>>>>>>> Mobile 0772182255
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>> --
>>>>>> Nuwan Dias
>>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>>> email : [email protected]
>>>>>> Phone : +94 777 775 729
>>>>>
>>>>> --
>>>>> *Kasun Gajasinghe* Associate Technical Lead, WSO2 Inc.
>>>>> email: kasung AT spamfree wso2.com
>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>> blog: http://kasunbg.org
>>>>> phone: +1 650-745-4499, 77 678 0813
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>> --
>> Nuwan Dias
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791

--
*Best Regards*
*Rushmin Fernando*
*Technical Lead*
WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
mobile : +94775615183
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
