Difference between revisions of "Talk:Forgot Password Cheat Sheet"

Revision as of 02:43, 15 September 2017

Secret Questions

Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.

- Glenn 'devalias' Grant (Sept 14, 2017)

Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.

- Jim Manico (Sept 14, 2017)

@@ Line 5: / Line 5: @@
 - Glenn 'devalias' Grant (Sept 14, 2017)
-== Logging ==
+Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.
-I'm surprised to see that logging isn't a consideration in password reset functionality.  Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.
+- Jim Manico (Sept 14, 2017)
-== More on Logging ==
-I think adding logging info like you described is a good idea. Go ahead and add it in!
-- Jim Manico Sept 2, 2015

Difference between revisions of "Talk:Forgot Password Cheat Sheet"

Revision as of 02:43, 15 September 2017

Secret Questions

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools