On Wed, Jan 18, 2017 at 5:10 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
> Hi,
>
> Currently we are working on implementing the C5 user portal in IS. Appreciate
> your suggestions/ideas for the following concerns regarding challenge
> questions.
>
> *1) Is it necessary to include challenge questions in IS 6.0.0 as a
> recovery option?*
> Seems like secret questions are neither secure nor reliable enough to be
> used as an account recovery mechanism. And also most of the vendors have
> completely removed support for security questions, including Google. In C5,
> security question sets will somewhat strengthen the recovery and make
> it hard to guess the questions. But it seems we need to consider whether it
> needs to be implemented or not.
>

I personally have never used a security question to recover any of the accounts for which I forgot passwords. It's always a recovery through email or mobile. Therefore I don't see this as a valuable feature.

>
> *2) Is it necessary to include security questions in the user self sign-up
> page? If needed, is the following way appropriate?*
> As we have planned, in C5, the admin can create several security question sets
> and can configure the minimum number of questions that need to be answered
> by a user. So in the self sign-up UI, when populating security questions to
> a user,
>
> - security questions need to be categorized according to the security
>   question sets
> - all the sets need to be populated for the user
> - the user can select any number of security questions from different sets,
>   not from the same set
> - need to validate whether the user has answered the minimum
>   number of questions
>

When an answer to a question is personal, the question itself is probably personal too. Therefore I don't think an admin can decide on what questions are to be asked from you. It's unlikely you'll remember an answer to a question which is not very relevant to you. If we're doing this (I'm negative on implementing the feature itself too :)), I think we should let the user decide his own questions and answers.

> Appreciate your ideas on this.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email indu...@wso2.com
> Mobile 0772182255
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729