On Fri, Apr 29, 2016 at 8:34 AM, Darshana Gunawardana <darsh...@wso2.com> wrote:

> Hi,
>
> At which level should we have this option?
>
> IMO we should let each tenant pick their own flow.

Yes. That should be the way it should finally work.

> Thanks,
>
> On Friday, 29 April 2016, Prabath Siriwardana <prab...@wso2.com> wrote:
>
>> +1 for both - and I guess our default implementation should use option-2.
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Thu, Apr 28, 2016 at 7:38 PM, Johann Nallathamby <joh...@wso2.com> wrote:
>>
>>> On Fri, Apr 29, 2016 at 7:57 AM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Thanks a lot for the inputs.
>>>> So ideally I think we should support both options.
>>>>
>>>> Johann, Prabath,
>>>> WDYT?
>>>
>>> +1 from me.
>>>
>>>> Thanks,
>>>> Malithi.
>>>>
>>>> On Thu, Apr 28, 2016 at 4:43 PM, Dulindra Wijethilake <dulin...@wso2.com> wrote:
>>>>
>>>>> On Thu, Apr 28, 2016 at 4:12 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>>>>>
>>>>>> IMO we should use the 2nd approach by default. Please check the following OWASP recommendation:
>>>>>>
>>>>>>> Furthermore, since adversaries will try the "forgot password" reset flow to reset a user's password (especially if they have compromised the side-channel, such as the user's email account or their mobile device where they receive SMS text messages), it is good practice to minimize unintended and unauthorized information disclosure of the security questions. This may mean that you require the user to answer one security question before displaying any subsequent questions to be answered. In this manner, it does not allow an adversary an opportunity to research all the questions at once. Note however that this is contrary to the advice given on the Forgot Password Cheat Sheet and it may also be perceived as not being user-friendly by your sponsoring business unit, so again YMMV. [1]
>>>>>>
>>>>>> It is true that having multiple screens is not user-friendly, but IMO the security aspect is more important than being user-friendly in such a sensitive and infrequently used flow.
>>>>>>
>>>>>> Also, during PCI PA-DSS audits I have experience where auditors recommend the 2nd approach. This is based on section 7 of the PCI PA-DSS Guide [2], which is regarding disclosing information on a need-to-know basis (even though PCI PA-DSS purely speaks about securing cardholder data, which does not include security questions).
>>>>>
>>>>> Agree with Ayoma. I too have experienced this and have read expert opinion on this. Security question disclosure should be on a need-to-know basis.
>>>>>
>>>>>> It is great if we can support both options and allow the user to decide what to use. However, IMO the default should be the 2nd approach.
>>>>>>
>>>>>> [1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
>>>>>> [2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
>>>>>> [3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html
>>>>>>
>>>>>> On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne <is...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I'm working on supporting user information recovery scenarios in the IS user portal [1].
>>>>>>>>
>>>>>>>> While discussing the user aspects of password recovery with security questions with the UX team, we came across the below concern.
>>>>>>>>
>>>>>>>> 1. Should we view all of the security questions chosen by the user, from each question set, in the same page?
>>>>>>>>
>>>>>>>> 2. Should we view the question chosen from each question set in a separate page, and make the user go page by page answering each question?
>>>>>>>>
>>>>>>>> If we choose option (1) we should be able to verify the user's answers for all the questions in one step. If all are answered properly we will let the user proceed, or else we will notify the user that he has not correctly answered one or more, in the next page.
>>>>>>>> If we choose option (2), in each step we will verify the user's answer to the question prompted. If the first one is properly answered, prompt the second question and let him proceed similarly, or else break the flow.
>>>>>>>>
>>>>>>>> However, with the information recovery service implementation at IS, we can only support option (2) at the moment.
>>>>>>>> But, as it seems, most sites opt for option (1).
>>>>>>>
>>>>>>> Yes. In the current implementation we can support only option 2.
>>>>>>> When we are designing the Identity Management Java APIs for the IS 5.3.0 release, it is better to support a Java API for both of the above scenarios.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Isura
>>>>>>>
>>>>>>>> We would like to clarify which option we should proceed with.
>>>>>>>> Also, we would like to clarify any security concerns with regard to the above options.
>>>>>>>>
>>>>>>>> Appreciate your thoughts.
>>>>>>>>
>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Malithi.
>>>>>>>> --
>>>>>>>> Malithi Edirisinghe
>>>>>>>> Senior Software Engineer
>>>>>>>> WSO2 Inc.
>>>>>>>> Mobile : +94 (0) 718176807
>>>>>>>> malit...@wso2.com
>>>>>>>
>>>>>>> --
>>>>>>> Isura Dilhara Karunaratne
>>>>>>> Senior Software Engineer
>>>>>>> Mob +94 772 254 810
>>>>>>
>>>>>> --
>>>>>> Ayoma Wijethunga
>>>>>> Software Engineer
>>>>>> WSO2, Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>> Mobile : +94 (0) 719428123
>>>>>> Blog : http://www.ayomaonline.com
>>>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>>>
>>>>> --
>>>>> Dulindra Wijethilake
>>>>> Senior Product Manager
>>>>> WSO2, Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>> mobile- +94 71 312 0005
>>>>
>>>> --
>>>> Malithi Edirisinghe
>>>> Senior Software Engineer
>>>> WSO2 Inc.
>>>> Mobile : +94 (0) 718176807
>>>> malit...@wso2.com
>>>
>>> --
>>> Thanks & Regards,
>>> Johann Dilantha Nallathamby
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>> Mobile - +94777776950
>>> Blog - http://nallaa.wordpress.com
>>
>> --
>> Thanks & Regards,
>> Prabath
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>> Mobile : +1 650 625 7950
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>
> --
> Regards,
> Darshana Gunawardana
> Senior Software Engineer
> WSO2 Inc.; http://wso2.com
> E-mail: darsh...@wso2.com
> Mobile: +94718566859
> Lean . Enterprise . Middleware

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
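The thread contrasts option (1), showing every chosen question and verifying all answers in one step, with option (2), disclosing one question per page and ending the attempt on the first wrong answer so the remaining questions are never shown. The following is an added example written for this page; it is not WSO2 Identity Server code and is in Python rather than the Java API the thread refers to. The mode names `ALL_AT_ONCE` and `ONE_BY_ONE`, the class and function names, the PBKDF2 iteration count and the sample questions and answers are all constructed for the illustration. It keeps challenge state server-side, stores answers as salted hashes, compares in constant time, evaluates every submitted answer before responding so a failure does not say which answer was wrong, and records which questions were disclosed so the difference between the two flows is visible.

```python
"""Added example (not WSO2 Identity Server code): a server-side recovery
challenge supporting both flows discussed on the list.

- ALL_AT_ONCE : option (1); every chosen question is shown and all answers are
                verified in one step.
- ONE_BY_ONE  : option (2); one question is shown, the next is disclosed only
                after the previous answer verifies, and the first wrong answer
                ends the attempt.

All question sets, questions and answers below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # constructed value for the example


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Colombo ' and 'colombo' match."""
    return " ".join(answer.casefold().split())


@dataclass(frozen=True)
class StoredAnswer:
    question_set: str
    question: str
    salt: bytes
    digest: bytes


def store_answer(question_set: str, question: str, answer: str) -> StoredAnswer:
    """Hash the answer with a per-answer salt; answers are never kept in clear text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return StoredAnswer(question_set, question, salt, digest)


def answer_matches(stored: StoredAnswer, candidate: str) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored.digest)


class RecoveryChallenge:
    """State of one recovery attempt, held server-side (never trusted from the client)."""

    def __init__(self, stored_answers, mode: str):
        if mode not in ("ALL_AT_ONCE", "ONE_BY_ONE"):
            raise ValueError(mode)
        self._answers = list(stored_answers)  # one chosen question per question set
        self._mode = mode
        self._index = 0            # next question to verify in ONE_BY_ONE mode
        self.state = "IN_PROGRESS"
        self.disclosed = []        # questions the client has been shown so far

    def questions_to_show(self):
        """Questions for the current page; nothing is shown once the attempt has ended."""
        if self.state != "IN_PROGRESS":
            return []
        pending = self._answers if self._mode == "ALL_AT_ONCE" else [self._answers[self._index]]
        for a in pending:
            if a.question not in self.disclosed:
                self.disclosed.append(a.question)
        return [a.question for a in pending]

    def submit(self, candidates):
        """Verify the answers for the current page, then advance or fail the attempt."""
        if self.state != "IN_PROGRESS":
            raise RuntimeError("challenge is no longer active")
        expected = self._answers if self._mode == "ALL_AT_ONCE" else [self._answers[self._index]]
        if len(candidates) != len(expected):
            self.state = "FAILED"
            return self.state
        # Evaluate every answer before deciding, so the response does not reveal
        # which one was wrong (each comparison is itself constant-time).
        results = [answer_matches(a, c) for a, c in zip(expected, candidates)]
        if not all(results):
            self.state = "FAILED"  # first failure ends the attempt; no further questions
            return self.state
        self._index += len(expected)
        if self._index == len(self._answers):
            self.state = "VERIFIED"
        return self.state


# Constructed sample data: one chosen question from each of two question sets.
SAMPLE_ANSWERS = [
    store_answer("set1", "City of birth?", "Colombo"),
    store_answer("set2", "First school?", "Royal College"),
]


def run_flow(mode: str, attempts):
    """Drive a challenge page by page; returns (final state, questions disclosed)."""
    challenge = RecoveryChallenge(SAMPLE_ANSWERS, mode)
    for page_answers in attempts:
        challenge.questions_to_show()
        if challenge.submit(page_answers) != "IN_PROGRESS":
            break
    return challenge.state, challenge.disclosed


if __name__ == "__main__":
    print(run_flow("ALL_AT_ONCE", [["colombo", "wrong"]]))   # both questions disclosed
    print(run_flow("ONE_BY_ONE", [["wrong"], ["Royal College"]]))  # only the first disclosed
```

With a wrong first answer, the `ALL_AT_ONCE` flow has already disclosed both questions, while the `ONE_BY_ONE` flow ends after disclosing one, which is the need-to-know property the OWASP text in the thread describes. Attempt limits and lockout per user are deliberately left out here; in a real deployment they sit around this object, not inside it.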