This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Forgot Password Cheat Sheet"
| Line 10: | Line 10: | ||
I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that that suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017. | I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that that suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017. | ||
| + | |||
| + | - Glenn 'devalias' Grant (Sept 15, 2017) | ||
Revision as of 05:43, 15 September 2017
Secret Questions
Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.
- Glenn 'devalias' Grant (Sept 14, 2017)
Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.
- Jim Manico (Sept 14, 2017)
I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that that suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017.
- Glenn 'devalias' Grant (Sept 15, 2017)
