ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Make security question optional for password resets #2

Closed Mayeu closed 7 years ago

Mayeu commented 7 years ago

Hello,

First, I would like to thank you for the great software! We are starting to test it as it fills our needs perfectly. Also, great documentation on how to get started :+1:

I am wondering if you plan to add an option to deactivate the security question feature?

Thanks for your help.

aebruno commented 7 years ago

Thanks for the feedback! I was planning on adding a config option to not require the security question on login. Is that what you're interested in? Or did you want to completely deactivate setting the security question altogether?

Mayeu commented 7 years ago

Our use case would be to completely deactivate the security question.

So, for example, the workflow to reset the password would become:

aebruno commented 7 years ago

OK I've added this as a feature request. Should be straightforward to add in.

Mayeu commented 7 years ago

That's awesome to hear :) I will gladly help you test this!

aebruno commented 7 years ago

This will be included in the next release. If you're able to build from the latest master feel free to test out. Thanks!

Mayeu commented 7 years ago

Thank you for the quick update :)

I compiled & tried it and the reset does indeed not require the answer (but the view still asked for it). But it seems that registering an account still requires setting a security question, while it is not used during pwreset.

I tried to poke around the go code following the example of your code, but I am no go developer and I did not succeed in deactivating the need for security questions on account creation.

Just to clarify, in my comment, I use the pwreset workflow as an example, but I would like to be able to completely deactivate the need for the security question :)

aebruno commented 7 years ago

> I compiled & tried it and the reset does indeed not require the answer (but the view still asked for it).

You will also need to copy out the new template if you have previously installed mokey system wide:

$ sudo cp templates/reset-password.html /usr/share/mokey/templates/reset-password.html

My guess is that you're still using the old template. To check if you're using the new template, check for these changes

> But it seems that registering an account still requires setting a security question, while it is not used during pwreset.

I'm inclined to leave this in place. Here's my thinking. The security question is used for:

  1. Logging in (if TOTP is not set)
  2. Resetting the password

Site administrators can turn off both of these features effectively disabling the security question. However, requiring the user to set the security question on account creation allows the site admin the flexibility to enable them in the future without putting too much burden on the user. Completely removing the security question feels like it would be making mokey less secure in general.
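To make the policy in the comment above concrete, here is an added example (not mokey's own code, and the configuration field names `RequireQuestionLogin` / `RequireQuestionPwReset` are assumptions for this illustration, not mokey's real config keys). It encodes the two rules stated above: the question gates login only when the site enables it and the account has no TOTP token, and it gates password reset only when the site enables it; an account is still expected to have an answer on file from signup, so an enabled check with no stored answer fails closed instead of silently skipping. It also shows how the answer itself should be kept (normalized, salted, key-stretched, compared in constant time), since a plaintext or unsalted answer in the directory would make the feature weaker than the thread's discussion assumes. The PBKDF2 routine is written out inline only so the example needs nothing beyond the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// Policy holds two hypothetical site-wide switches. The field names are
// assumptions for this example, not mokey's real configuration keys.
type Policy struct {
	RequireQuestionLogin   bool // ask the question at login when the user has no TOTP
	RequireQuestionPwReset bool // ask the question before a password reset
}

// Flow identifies where a security-question check might be inserted.
type Flow int

const (
	FlowLogin Flow = iota
	FlowPasswordReset
)

// QuestionRequired applies the rules from the thread: login asks the question
// only when enabled and the account has no TOTP; password reset asks it only
// when enabled. Signup always records an answer, so a required check with no
// answer on file is an error rather than a silent bypass.
func QuestionRequired(p Policy, f Flow, hasTOTP, hasAnswer bool) (bool, error) {
	var required bool
	switch f {
	case FlowLogin:
		required = p.RequireQuestionLogin && !hasTOTP
	case FlowPasswordReset:
		required = p.RequireQuestionPwReset
	default:
		return false, fmt.Errorf("unknown flow %d", f)
	}
	if required && !hasAnswer {
		return true, fmt.Errorf("security question required but no answer is on file")
	}
	return required, nil
}

// normalize makes the comparison tolerant of case and surrounding whitespace,
// which is how users actually retype answers ("New York " vs "new york").
func normalize(answer string) string {
	return strings.ToLower(strings.TrimSpace(answer))
}

// pbkdf2SHA256 is a minimal RFC 8018 PBKDF2-HMAC-SHA256, inlined so the example
// needs only the standard library (a real code base would use x/crypto).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	numBlocks := (keyLen + prf.Size() - 1) / prf.Size()
	var out []byte
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const iterations = 100000 // key stretching; answers are low-entropy, so stretch hard

// StoredAnswer is what would be kept in the directory: salt and derived key,
// never the answer itself.
type StoredAnswer struct {
	Salt []byte
	Hash []byte
}

// HashAnswer derives a fresh per-user salted hash of the normalized answer.
func HashAnswer(answer string) (StoredAnswer, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredAnswer{}, err
	}
	return StoredAnswer{Salt: salt, Hash: pbkdf2SHA256([]byte(normalize(answer)), salt, iterations, 32)}, nil
}

// VerifyAnswer recomputes the derivation and compares in constant time.
func VerifyAnswer(stored StoredAnswer, answer string) bool {
	candidate := pbkdf2SHA256([]byte(normalize(answer)), stored.Salt, iterations, 32)
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

func main() {
	p := Policy{RequireQuestionLogin: true, RequireQuestionPwReset: false}
	req, err := QuestionRequired(p, FlowPasswordReset, false, true)
	fmt.Println("reset requires question:", req, err)
	stored, _ := HashAnswer("New York ") // constructed sample answer
	fmt.Println("answer verifies:", VerifyAnswer(stored, "new york"))
}
```

With both switches off, `QuestionRequired` returns false for both flows and the stored answer is simply never consulted, which is the "effectively disabling" behaviour described above; turning a switch back on later works because signup kept an answer on file.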

Mayeu commented 7 years ago

Thank you for detailing your vision about the security question. In the technical context (i.e., migrating from no question asked to a question asked), I agree that it makes sense to ask it during sign up anyway.

While I fundamentally disagree that the security question actually improves the security of a system, I believe I could live with it and still use Mokey, given the ability to deactivate the question during login and password reset.

I'll keep an eye on the development, and I'll be sure to try out the feature when added :)

Mayeu commented 7 years ago

(Ha, I just realised there is already an option to deactivate the question on login; I missed that previous commit :). Going to give it a try.)

Mayeu commented 7 years ago

I just gave a full try to the current master, and everything is good for me :+1:

BTW, we are using FreeIPA 4.3 on Ubuntu 16.04, and Mokey works great there :)

aebruno commented 7 years ago

Great! Thanks for testing.