You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Atul Vani (JIRA)" <ji...@apache.org> on 2013/07/05 06:53:49 UTC
[jira] [Comment Edited] (OFBIZ-4983) New feature to reclaim a user
account - Using Security Questions
[ https://issues.apache.org/jira/browse/OFBIZ-4983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13699769#comment-13699769 ]
Atul Vani edited comment on OFBIZ-4983 at 7/5/13 4:52 AM:
----------------------------------------------------------
I thought the two patterns are entirely different:
1. One is to prove your genuineness by confirming your access to the EMAIL ADDRESS associated with the account, by clicking a UNIQUE (containing ENCRYPTED TOKEN) link emailed to you. And then reset the password.
2. Another method is to prove your genuineness by answering the SECURITY QUESTIONS specified at the time on account creation, and then reset the password. NO email access required.
Here are a few examples of the first one: http://www.quora.com/UI-UX-Design-Patterns/What-are-great-examples-of-a-forgot-password-UX-UI-pattern
Reads for the second one, which do not mention involvement of the email address and the token: http://www.goodsecurityquestions.com/
A quote from wikipedia, which suggest that the process are mutually exclusive:
{quote}Users establish their identity, without using their forgotten or disabled password, >>by answering a series of personal questions,<< using a hardware authentication token, >>responding to a password notification e-mail or,<< less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.{quote}
http://en.wikipedia.org/wiki/Self-service_password_reset
And the reset password page of gmail:
Password help for *********gmail.com
Get a verification code on my phone: *************
Confirm access to my recovery email: *********yahoo.com
>>Can't access any of these recovery options? Verify your identity by answering multiple questions about your account.<<
These all suggest, that when you opt for security questions, you are not supposed to prove your access to the email associated. You are just presented with the reset password page, if the answers are correct.
was (Author: atulvani):
I thought the two patterns are entirely different:
1. One is to prove your access to your email, and reset the password using a LINK which contains an encrypted TOKEN.
2. Another method is to answer some SECURITY QUESTIONS, and reset the password. No email access required.
Here are a few examples of the first one: http://www.quora.com/UI-UX-Design-Patterns/What-are-great-examples-of-a-forgot-password-UX-UI-pattern
Reads for the second one, which do not mention involvement of the email address and the token: http://www.goodsecurityquestions.com/
A quote from wikipedia, which suggest that the process are mutually exclusive:
{quote}Users establish their identity, without using their forgotten or disabled password, >>by answering a series of personal questions,<< using a hardware authentication token, >>responding to a password notification e-mail or,<< less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.{quote}
http://en.wikipedia.org/wiki/Self-service_password_reset
And the reset password page of gmail:
Password help for *********gmail.com
Get a verification code on my phone: *************
Confirm access to my recovery email: *********yahoo.com
>>Can't access any of these recovery options? Verify your identity by answering multiple questions about your account.<<
These all suggest, that when you opt for security questions, you are not supposed to prove your access to the email associated. You are just presented with the reset password page, if the answers are correct.
> New feature to reclaim a user account - Using Security Questions
> ----------------------------------------------------------------
>
> Key: OFBIZ-4983
> URL: https://issues.apache.org/jira/browse/OFBIZ-4983
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Harsha Chadhar
> Assignee: Jacques Le Roux
> Fix For: SVN trunk
>
> Attachments: 1.png, 2.png, 3.png, 4.png, 5.png, email received in French though the language was English.png, no username.png, OFBIZ-4983.patch, OFBIZ-4983.patch, OFBIZ-4983.patch, username was empty reenter.png, WithOutSecurityQuestionSet.JPG, WithSecurityQuestionSet.JPG
>
>
> *Referring to Vikas's proposed model on Reclaiming User Account using security questions as follows :*
> "When a customer create an account on eCommerce site, he will also
> need to answer few security questions. We can enforce restriction on
> the minimum number of questions that must be answered by a user before
> creating his profile successfully, through some configurations which
> are discussed in the next section. These security questions then can
> be used to reclaim the customer account in case he forget his
> password. User can also be given a choice to add his own custom
> questions and this would be enable/disabled again through some
> configurations.
> If the user correctly answer minimum required questions while
> reclaiming his account, password will be send through email
> notifications. This part would work in the same way as the existing
> functionality of email password (forget password)."
> We would probably need the screens to configures
> 1) Security Question in the system.
> These questions will be called as Standard security questions and can
> only be entered by an admin (or a person with similar sort of
> privileges). These questions will be available to every user who
> create or update his profile.
> 2) Giving user an option to create his own custom security questions.
> A configuration/property that would determine whether this option is
> available to the user or not. These questions will be called as Custom
> security questions and can entered only by a user while creating or
> updating a profile. These questions will be available and applicable
> only to the owner of the questions, i.e the user who create these
> questions.
> 3) Minimum number of questions that are required to answer.
> This configuration/property would determine minimum number of
> questions that a user must answer while creating an account and as
> well as reclaiming an account.
> I think we can save above (#1, #2) configuration in database and
> provide screens to configure them. IMO, these configuration can be
> also called as a security configuration, since they are some how
> related to security.
> At this moment I have not much idea about where these sort of
> configuration should be saved but this could be part of the entity
> that saves the security configurations (which does not exist at this
> moment). In recent days certain properties are moved to entities and
> this could certainly be the done with security properties at certain
> point of time, until then these configuration can be kept under
> security properties file.
> Custom Data Model:
> The new entities that would be required for this feature are following
> (Scott did help in improving the data model few months back):
> SecurityQuestion: Security Question in the system. These questions can
> be standard (added by admin and are visible/available to every new
> user while creating a new account) as well as custom questions (added
> by a user). We can differentiate between the type of questions using
> questionTypeEnumId (STANDARD or CUSTOM) as defined in the data model
> below.
> PartySecurityQuestion: All the questions that are related to a User.
> They can be mix of both Standard as well as Custom.
> UserLoginSecurityQuestion: An entity to capture the answer of the
> security question and tying it to a UserLogin very much like a
> UserLoginSecurityGroup. When a User reclaim his account, the question
> answered by this user would be matched with the answer of the
> questions (corresponding to that user) in this entity.
> <entity entity-name="SecurityQuestion" package-
> name="org.ofbiz.security.login">
> <field name="questionId" type="id-ne"></field>
> <field name="questionTypeEnumId" type="id-ne"></field>
> <field name="question" type="very-long" ></field>
> <prim-key field="questionId"/>
> <relation rel-entity-name="Enumeration" type="one" fk-
> name="SECQ_ENUM" title="QuestionType">
> <key-map field-name="questionTypeEnumId" rel-field-
> name="enumId"/>
> </relation>
> </entity>
> <entity entity-name="PartySecurityQuestion" package-
> name="org.ofbiz.security.login">
> <field name="questionId" type="id-ne"></field>
> <field name="partyId" type="id-ne"></field>
> <prim-key field="questionId"/>
> <prim-key field="partyId"/>
> <relation rel-entity-name="SecurityQuestion" type="one" fk-
> name="PTYSECQ_SECQ">
> <key-map field-name="questionId"/>
> </relation>
> <relation type="one" rel-entity-name="Party" fk-
> name="PTYSECQ_PTY">
> <key-map field-name="partyId"/>
> </relation>
> </entity>
> <entity entity-name="UserLoginSecurityQuestion" package-
> name="org.ofbiz.security.login">
> <field name="questionId" type="id-ne"></field>
> <field name="userLoginId" type="id-vlong-ne"></field>
> <field name="question" type="very-long"></field>
> <field name="answer" type="short-varchar"></field>
> <prim-key field="questionId"/>
> <prim-key field="userLoginId"/>
> <relation rel-entity-name="SecurityQuestion" type="one" fk-
> name="ULGNSECQ_SECQ">
> <key-map field-name="questionId"/>
> </relation>
> <relation rel-entity-name="UserLogin" type="one" fk-
> name="ULGNSECQ_ULGN">
> <key-map field-name="userLoginId"/>
> </relation>
> </entity>
> </entitymodel>
> *As per David's Comments :*
> This looks like a great enhancement and this write-up is well thought
> out. Thanks for sharing it and soliciting feedback.
> About the data model, I'd recommend leaving out the
> PartySecurityQuestion entity. It introduces a dependency on the Party
> entity which is in a higher level component, and it appears that the
> UserLoginSecurityQuestion entity is adequate and since authentication
> is a UserLogin thing (and not a Party thing) it is better and makes
> more sense there anyway.
> -David
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira