I agree with Jacques and Nicolas - remove it. Security is only as good as its weakest link (https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.
Cheers

Paul Foxworthy

On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <[email protected]> wrote:

> I lean towards removing it; it's not a functionality really up to date with
> code complexity for a few 'most valuable'.
>
> Nicolas
>
> On 9/29/19 11:08 AM, Jacques Le Roux wrote:
> > On 26/09/2019 at 11:47, Jacques Le Roux wrote:
> >> Hi,
> >>
> >> Below is a summary of the situation; you can refer to the Jira issue
> >> comments for more information.
> >>
> >> With OFBIZ-4983 and r1716915, basically a feature was implemented to
> >> allow an eCommerce customer to create a security question while
> >> creating his/her account. The user could then answer the security
> >> question to get his/her password through email.
> >>
> >> This feature was partly removed while fixing OFBIZ-4361, where
> >> basically a JWT is used to safely ask for a new password through an
> >> email.
> >>
> >> With the OFBIZ-11206 patch it's possible to create a security question,
> >> but only in partymgr. When used from the "forgot your password" feature,
> >> if you have also set a password hint, you get on screen the value of
> >> your password hint.
> >>
> >> As I wrote in OFBIZ-11206:
> >>
> >> "I wonder if it makes sense to keep this feature as is. It seems
> >> convoluted to me. Why ask a question to get a password hint?
> >> It seems a lot to remember:
> >>
> >> 1. The choice of the security question
> >> 2. The answer to this security question
> >> 3. The relation between the password hint and the password itself
> >>
> >> I see only one good thing in this feature: you don't have to change
> >> your password. But sincerely, do we really need such a feature? I
> >> finally think that rather than fixing the current state we should remove
> >> the feature altogether. IMO, the password link in an email done in a safe
> >> way is enough.
> >>
> >> The point to keep in mind is that OOTB all OFBiz users must have
> >> an email, apart from anonymous, which has no password anyway."
> >>
> >> So, as Nicolas suggested, either we
> >>
> >> * "We continue to support this and I will increase coherence of
> >> that
> >> * We abandon it and I will remove all code linked to this
> >> deprecated feature"
> >>
> >> What do you think?
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >>
> > Hi All,
> >
> > Without answers I'll consider that we don't want to keep the password
> > hint stuff. It seems like a duplicate of the now safe emailed password
> > change to me.
> >
> > So I'll remove it in a week
> >
> > Thanks
> >
> > Jacques
> >
> >

--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: [email protected]
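The thread prefers a signed link emailed to the user (the JWT-based reset from OFBIZ-4361) over a security question that hands back a password hint. The following is an added example, not OFBiz code, of what such a link has to guarantee to be "done in a safe way": the token binds the user id, an expiry and a random nonce under an HMAC, is checked in constant time, expires after a short window, and can be redeemed only once. It uses a plain HMAC rather than a JWT library, and the user store (USERS), secret key, token lifetime and the function names are constructed assumptions.

```python
"""Added example (not OFBiz code): a signed, short-lived, single-use
password-reset token of the kind carried in an emailed reset link.
The secret, user store and clock are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected config.
SERVER_SECRET = secrets.token_bytes(32)
# Short validity window: a leaked old link should be worthless quickly.
TOKEN_LIFETIME_SECONDS = 15 * 60

# Constructed user store keyed by login id; the stored hash is only a placeholder.
USERS = {"alice.smith": {"email": "[email protected]", "pw_hash": "<placeholder-hash>"}}

# Nonces already redeemed: a reset link works exactly once.
_redeemed: set = set()


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload; anything outside it is untrusted."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def mint_reset_token(login_id: str, now: Optional[float] = None) -> str:
    """Create a token for a known user: hex(login).expiry.nonce.signature.
    The login id is hex-encoded so dots in it cannot confuse the split."""
    if login_id not in USERS:
        raise KeyError("unknown user")
    current = now if now is not None else time.time()
    exp = int(current + TOKEN_LIFETIME_SECONDS)
    nonce = secrets.token_hex(16)
    payload = f"{login_id.encode().hex()}.{exp}.{nonce}"
    return f"{payload}.{_sign(payload)}"


def verify_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the login id if the token is authentic, unexpired and unused;
    otherwise None. On success the nonce is burned so the link cannot be replayed."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    login_hex, exp_str, nonce, sig = parts
    payload = f"{login_hex}.{exp_str}.{nonce}"
    # Signature first, in constant time: nothing else in the token is trusted before this.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if not exp_str.isdigit():
        return None
    current = now if now is not None else time.time()
    if current > int(exp_str):
        return None  # expired link
    try:
        login_id = bytes.fromhex(login_hex).decode()
    except ValueError:
        return None
    if login_id not in USERS or nonce in _redeemed:
        return None  # unknown user, or link already used
    _redeemed.add(nonce)
    return login_id


if __name__ == "__main__":
    link_token = mint_reset_token("alice.smith")
    print("first use :", verify_reset_token(link_token))   # alice.smith
    print("second use:", verify_reset_token(link_token))   # None (single use)
```

Unlike a security question, nothing the server sends back depends on a secret the user must remember, and the link only proves control of the mailbox for the short window the token is valid, which is the property the emailed-link approach relies on.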
