IMO we should use the 2nd approach by default. Please check the following OWASP
recommendation:

> Furthermore, since adversaries will try the "forgot password" reset flow to
> reset a user's password (especially if they have compromised the
> side-channel, such as user's email account or their mobile device where
> they receive SMS text messages), is a good practice to minimize unintended
> and unauthorized information disclosure of the security questions. This may
> mean that you require the user to answer one security question before
> displaying any subsequent questions to be answered. In this manner, it does
> not allow an adversary an opportunity to research all the questions at
> once. Note however that this is contrary to the advice given on the Forgot
> Password Cheat Sheet and it may also be perceived as not being
> user-friendly by your sponsoring business unit, so again YMMV. [1]


It is true that having multiple screens is not user-friendly, but IMO the
security aspect is more important than being user-friendly in such a sensitive
and infrequently used flow.

Also, during PCI PA-DSS audits, I have experience where auditors recommend the
2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2], which is
about disclosing information on a need-to-know basis (even though PCI
PA-DSS purely speaks about securing cardholder data, which does not include
security questions).

It is great if we can support both options and allow the user to decide what to
use. However, IMO the default should be the 2nd approach.

[1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
[2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
[3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html

On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <malit...@wso2.com>
> wrote:
>
>>
>> Hi All,
>>
>> I'm working on supporting user information recovery scenarios in the IS user
>> portal [1].
>>
>> While discussing the user aspects of password recovery with security
>> questions with the UX team, we came across the below concern.
>>
>> 1. Should we show all of the security questions chosen by the user, from
>> each question set, on the same page?
>>
>> 2. Should we show the question chosen from each question set on a
>> separate page, and make the user go page by page answering each question?
>>
>> If we choose option (1), we should be able to verify the user's answers to all
>> the questions in one step. If all are answered properly we will let the
>> user proceed, or else we will notify the user on the next page that he has
>> not correctly answered one or more.
>> If we choose option (2), in each step we will verify the user's answer to
>> the question prompted. If the first one is properly answered, prompt the
>> second question and let him proceed similarly, or else break the flow.
>>
>> However, with the information recovery service implementation at IS, we can
>> only support option (2) at the moment.
>> But it seems most of the sites opt for option (1).
>>
>>
> Yes. In the current implementation we can support only option 2. When we
> are designing the Identity Management Java APIs for the IS 5.3.0 release, it is
> better to support a Java API for both of the above scenarios.
>
> Thanks
> Isura
>
>
>> We would like to clarify which option we should proceed with. Also, we
>> would like to clarify any security concerns with regard to the above options.
>>
>> Appreciate your thoughts.
>>
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>
>> Thanks,
>> Malithi.
>> --
>>
>> *Malithi Edirisinghe*
>> Senior Software Engineer
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
>
>
> --
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware

Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
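As an added illustration of the 2nd approach argued for above (not code from WSO2 IS or from anyone on this thread): a challenge that discloses one security question at a time, advances only after the current answer verifies, and breaks the flow on a wrong answer, so an adversary never sees the later questions. Answers are stored salted and hashed; the question texts and answers are constructed sample data for a hypothetical user.

```python
import hashlib
import hmac
import secrets

def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Colombo ' and 'colombo' match."""
    return " ".join(answer.strip().casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers hashed like passwords, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(question_answer_pairs):
    """Build the stored challenge set as (question text, salt, answer hash)."""
    stored = []
    for question, answer in question_answer_pairs:
        salt = secrets.token_bytes(16)
        stored.append((question, salt, hash_answer(answer, salt)))
    return stored

class SequentialChallenge:
    """Option (2): disclose one question per step, advance only on a correct
    answer, and break the flow on the first wrong answer."""

    def __init__(self, stored):
        self._stored = stored
        self._index = 0      # position of the question currently disclosed
        self.failed = False

    def completed(self) -> bool:
        return not self.failed and self._index >= len(self._stored)

    def current_question(self):
        # Only the question at the current step is ever returned.
        if self.failed or self.completed():
            return None
        return self._stored[self._index][0]

    def answer(self, text: str) -> bool:
        if self.failed or self.completed():
            return False
        _, salt, expected = self._stored[self._index]
        # Constant-time comparison of the derived hash against the stored one.
        if hmac.compare_digest(hash_answer(text, salt), expected):
            self._index += 1
            return True
        self.failed = True   # wrong answer: stop, do not reveal later questions
        return False

# Constructed sample enrolment for a hypothetical user.
SAMPLE = enroll([("First school?", "Royal College"), ("First pet's name?", "Rex")])
```

Option (1) would instead collect all answers in one request and return a single pass/fail for the set; the difference is that here the second question text is not obtainable without first answering the first one.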