+1 for both - and I guess our default implementation should use option-2. Thanks & regards, -Prabath
On Thu, Apr 28, 2016 at 7:38 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> On Fri, Apr 29, 2016 at 7:57 AM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>
>> Hi All,
>>
>> Thanks a lot for the inputs.
>> So ideally I think we should support both options.
>>
>> Johann, Prabath,
>> WDYT?
>
> +1 from me.
>
>> Thanks,
>> Malithi.
>>
>> On Thu, Apr 28, 2016 at 4:43 PM, Dulindra Wijethilake <dulin...@wso2.com> wrote:
>>
>>> On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>>>
>>>> IMO we should use the 2nd approach by default. Please check the following
>>>> OWASP recommendation:
>>>>
>>>>> Furthermore, since adversaries will try the "forgot password" reset
>>>>> flow to reset a user's password (especially if they have compromised the
>>>>> side-channel, such as user's email account or their mobile device where
>>>>> they receive SMS text messages), it is a good practice to minimize unintended
>>>>> and unauthorized information disclosure of the security questions. This may
>>>>> mean that you require the user to answer one security question before
>>>>> displaying any subsequent questions to be answered. In this manner, it does
>>>>> not allow an adversary an opportunity to research all the questions at
>>>>> once. Note however that this is contrary to the advice given on the Forgot
>>>>> Password Cheat Sheet and it may also be perceived as not being
>>>>> user-friendly by your sponsoring business unit, so again YMMV. [1]
>>>>
>>>> It is true that having multiple screens is not user-friendly, but IMO the
>>>> security aspect is more important than being user-friendly in such a sensitive
>>>> and infrequently used flow.
>>>>
>>>> Also, during PCI PA-DSS audits, I have experience where auditors
>>>> recommend the 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2],
>>>> which is regarding disclosing information on a need-to-know basis (even
>>>> though PCI PA-DSS purely speaks about securing cardholder data, which does
>>>> not include security questions).
>>>
>>> Agree with Ayoma. I too have experienced this and have read expert
>>> opinion on this. Security questions disclosure should be on a need-to-know
>>> basis.
>>>
>>>> It is great if we can support both options and allow the user to decide
>>>> what to use. However, IMO the default should be the 2nd approach.
>>>>
>>>> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
>>>> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
>>>> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>>>>
>>>> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <is...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm working on supporting user information recovery scenarios in the IS
>>>>>> user portal [1].
>>>>>>
>>>>>> While discussing the user aspects of password recovery with security
>>>>>> questions with the UX team, we came across the below concern.
>>>>>>
>>>>>> 1. Should we view all of the security questions chosen by the user,
>>>>>> from each question set, in the same page
>>>>>>
>>>>>> 2. Should we view the question chosen from each question set in a
>>>>>> separate page, and make the user go page by page answering each
>>>>>> question
>>>>>>
>>>>>> If we chose option (1) we should be able to verify user answers for
>>>>>> all the questions in one step. If all are answered properly we will let
>>>>>> the user proceed, or else we will notify the user that he has not
>>>>>> correctly answered one or more, in the next page.
>>>>>> If we chose option (2) in each step we will verify the user's answer
>>>>>> to the question prompted. If the first one is properly answered, prompt the
>>>>>> second question and let him proceed similarly, or else break the flow.
>>>>>>
>>>>>> However, with the information recovery service implementation at IS, we
>>>>>> can only support option (2) at the moment.
>>>>>> But, as it seems, most of the sites opt for option (1).
>>>>>
>>>>> Yes. In the current implementation we can support only option 2.
>>>>> When we are designing Identity Management Java APIs for the IS 5.3.0 release,
>>>>> it is better to support a Java API for both of the above scenarios.
>>>>>
>>>>> Thanks
>>>>> Isura
>>>>>
>>>>>> We would like to clarify which option we should proceed with. Also, we
>>>>>> would like to clarify any security concerns with regard to the above
>>>>>> options.
>>>>>>
>>>>>> Appreciate your thoughts.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>>>>
>>>>>> Thanks,
>>>>>> Malithi.
>>>>>> --
>>>>>> *Malithi Edirisinghe*
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc.
>>>>>> Mobile : +94 (0) 718176807
>>>>>> malit...@wso2.com
>>>>>
>>>>> --
>>>>> Isura Dilhara Karunaratne
>>>>> Senior Software Engineer
>>>>> Mob +94 772 254 810
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> --
>>>> Ayoma Wijethunga
>>>> Software Engineer
>>>> WSO2, Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>> Mobile : +94 (0) 719428123
>>>> Blog : http://www.ayomaonline.com
>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>
>>> --
>>> Dulindra Wijethilake
>>> Senior Product Manager
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> mobile- +94 71 312 0005
>>
>> --
>> *Malithi Edirisinghe*
>> Senior Software Engineer
>> WSO2 Inc.
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>
> --
> Thanks & Regards,
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*

--
Thanks & Regards,
Prabath
Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://blog.facilelogin.com
http://blog.api-security.org
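The two recovery flows Malithi describes (all questions verified on one page versus one question disclosed per step, with a wrong answer breaking the flow), together with the need-to-know disclosure Ayoma quotes from OWASP, as an added Python illustration. This is not code from the thread or from WSO2 Identity Server; the class names, the PBKDF2 cost factor, the question texts and the answers are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000  # illustrative cost factor, not a value from the thread


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Royal  College' matches 'royal college'."""
    return " ".join(answer.strip().lower().split())


class StoredAnswer:
    """One challenge question whose answer is kept only as a salted PBKDF2 hash."""

    def __init__(self, question_id: str, question_text: str, answer: str) -> None:
        self.question_id = question_id
        self.question_text = question_text
        self.salt = os.urandom(16)
        self.digest = self._hash(answer, self.salt)

    @staticmethod
    def _hash(answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def matches(self, answer: str) -> bool:
        # Constant-time comparison of the candidate digest against the stored one.
        return hmac.compare_digest(self._hash(answer, self.salt), self.digest)


def verify_all_at_once(stored: List[StoredAnswer], answers: Dict[str, str]) -> bool:
    """Option (1): all questions are shown on one page and verified in one step.

    The caller receives a single pass/fail. Which answer was wrong is not
    reported, and every answer is checked (no early exit) so the response
    does not reveal the position of the first failure."""
    all_ok = True
    for item in stored:
        if not item.matches(answers.get(item.question_id, "")):
            all_ok = False
    return all_ok


class SequentialRecoveryFlow:
    """Option (2): questions are disclosed one at a time, each only after the
    previous one was answered correctly; a wrong answer terminates the flow."""

    def __init__(self, stored: List[StoredAnswer]) -> None:
        self._stored = stored
        self._index = 0
        self._failed = False

    @property
    def failed(self) -> bool:
        return self._failed

    @property
    def completed(self) -> bool:
        return not self._failed and self._index == len(self._stored)

    def current_question(self) -> Optional[str]:
        """Only the question the user is currently on is ever disclosed."""
        if self._failed or self.completed:
            return None
        return self._stored[self._index].question_text

    def answer(self, text: str) -> bool:
        if self._failed or self.completed:
            return False
        if self._stored[self._index].matches(text):
            self._index += 1
            return True
        self._failed = True  # break the flow; later questions stay undisclosed
        return False


def demo() -> Dict[str, object]:
    """Run both flows against a constructed question set and report the outcomes."""
    stored = [
        StoredAnswer("q1", "In which city were you born?", "Colombo"),
        StoredAnswer("q2", "What was the name of your first school?", "Royal College"),
    ]
    results: Dict[str, object] = {}

    # Option (1): one page, one verdict, no hint about which answer failed.
    results["opt1_all_correct"] = verify_all_at_once(stored, {"q1": " colombo ", "q2": "royal  college"})
    results["opt1_one_wrong"] = verify_all_at_once(stored, {"q1": "Colombo", "q2": "Kandy"})

    # Option (2), wrong first answer: the second question is never shown.
    flow = SequentialRecoveryFlow(stored)
    results["opt2_first_question"] = flow.current_question()
    results["opt2_wrong_accepted"] = flow.answer("Kandy")
    results["opt2_question_after_failure"] = flow.current_question()
    results["opt2_failed"] = flow.failed

    # Option (2), happy path: each correct answer unlocks the next question.
    flow = SequentialRecoveryFlow(stored)
    flow.answer("colombo")
    results["opt2_second_question"] = flow.current_question()
    flow.answer("Royal College")
    results["opt2_completed"] = flow.completed
    results["opt2_question_after_completion"] = flow.current_question()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is in `SequentialRecoveryFlow.current_question`: the only question ever returned is the one the user has earned by answering its predecessor, so an attacker holding the recovery side-channel cannot collect all questions in one request and research them offline. `verify_all_at_once` shows the trade-off Malithi describes for option (1): it is a single round trip, but every question has been disclosed before any answer is checked, so the most it can do is withhold which answer was wrong.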