opencrvs / opencrvs-core

A global solution to civil registration
https://www.opencrvs.org

New approach for security questions to just 1 and set limit for attempts #5635

Open jpye-finch opened 1 year ago

jpye-finch commented 1 year ago

Description

Acceptance criteria

GIVEN WHEN THEN

Design

Onboarding https://www.figma.com/file/O6PevbBv0lApmXWYotR8sf/OpenCRVS-Design-Specifications-v2?type=design&node-id=17445%3A127879&mode=design&t=YY0hCqGcnrt2zH9l-1

Password reset https://www.figma.com/file/O6PevbBv0lApmXWYotR8sf/OpenCRVS-Design-Specifications-v2?type=design&node-id=17445%3A128158&mode=design&t=YY0hCqGcnrt2zH9l-1

Dev tasks

euanmillar commented 10 months ago

@jpye-finch I think this is a feature request. If you can propose how we could entirely deprecate sec. questions, it would be great.

eduffus commented 8 months ago

I think moving from security questions to full 2FA by default would be more consistent with modern security approaches.

rikukissa commented 3 months ago

Agreed. Security questions are effectively a second password, which we know to be a weak form of authentication.