Jacques Le Roux (Administrator), 26/09/2019 11:47:

Hi,

Below is a summary of the situation; you can refer to the Jira issue comments for more information.

With OFBIZ-4983 and r1716915, basically a feature was implemented to allow an eCommerce customer to create a security question while creating his/her account. The user could then answer the security question to get his/her password through email.

This feature was partly removed while fixing OFBIZ-4361, where basically a JWT is used to safely ask for a new password through an email.

With the OFBIZ-11206 patch it's possible to create a security question, but only in partymgr. When used from the "forgot your password" feature, if you have also set a password hint, you get on screen the value of your password hint.

As I wrote in OFBIZ-11206:

"I wonder if it makes sense to keep this feature as is. It seems convoluted to me. Why ask a question to get a password hint? It seems a lot to remember:

1. The choice of the security question
2. The answer to this security question
3. The relation between the password hint and the password itself

I see only one good thing in this feature: you don't have to change your password. But sincerely, do we really need such a feature? I finally think that rather than fixing the current state we should remove the feature altogether. IMO, the password link in an email done a safe way is enough.

The point to keep in mind is that OOTB all OFBiz users must have an email, apart from anonymous, which have no passwords anyway."

So, as Nicolas suggested, either:

* "We continue to support this and I will increase coherence of that"
* "We abandon it and I will remove all code linked to this deprecated feature"

What do you think?

Thanks

Jacques
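The emailed JWT reset link from OFBIZ-4361 that Jacques refers to is the safe replacement for hints and security questions. The following is an added example, not OFBiz's code, of why such a token needs nothing the user has to remember: it is signed with a server-side key, expires, and is invalidated by the very password change it authorises. The function names, the secret and the claim layout are assumptions made for illustration.

```python
# Added example (not OFBiz code): a minimal HS256 JWT used as a password-reset
# token. SECRET, issue_reset_token and verify_reset_token are assumed names.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-change-me"  # constructed; keep in config in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _pw_fingerprint(password_hash: str) -> str:
    # Short fingerprint of the stored hash; changes as soon as the password does.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]

def issue_reset_token(user_login_id: str, password_hash: str, now: float, ttl_s: int = 900) -> str:
    """Sign {sub, exp, pwh}: bound to one user, valid for ttl_s seconds, and
    unusable after the password changes, so it is single-use without server state."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_login_id, "exp": int(now) + ttl_s,
              "pwh": _pw_fingerprint(password_hash)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_reset_token(token: str, current_password_hash: str, now: float):
    """Return the user login id if the token is authentic, unexpired and still
    matches the current password hash; otherwise None. The 'alg' header is
    ignored on purpose: the HMAC is always checked with our own key."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(payload))
        if now >= claims["exp"]:
            return None  # link expired
        if claims["pwh"] != _pw_fingerprint(current_password_hash):
            return None  # password already changed: token consumed
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token, bad base64/JSON or missing claim

if __name__ == "__main__":
    t = issue_reset_token("alice", "old-hash", now=time.time())
    print(verify_reset_token(t, "old-hash", now=time.time()))  # alice
```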
Jacques Le Roux (Administrator), 29/09/2019 11:08:

On 26/09/2019 at 11:47, Jacques Le Roux wrote:
> [earlier message quoted in full, omitted]

Hi All,

Without answers I'll consider that we don't want to keep the password hint stuff. It seems like a duplicate of the now safe emailed password change to me.

So I'll remove it in a week.

Thanks

Jacques
Nicolas Malin, 1 Oct 2019 03:29:

I lean toward removing it; it's not a functionality that is really up to date, with code complexity for a few 'most valuable'.

Nicolas

On 9/29/19 11:08 AM, Jacques Le Roux wrote:
> [earlier messages quoted in full, omitted]
Paul Foxworthy, 07/10/2019 02:59:

I agree with Jacques and Nicolas - remove it.

Security is only as good as its weakest link (https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.

Cheers

Paul Foxworthy

On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <[hidden email]> wrote:
> [earlier messages quoted in full, omitted]

--
Coherent Software Australia Pty Ltd
PO Box 2773 Cheltenham Vic 3192 Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: [hidden email]
Jacques Le Roux (Administrator), 07/10/2019 10:15:

Thanks Paul,

Very good points indeed.

Jacques

On 07/10/2019 at 02:59, Paul Foxworthy wrote:
> [earlier messages quoted in full, omitted]
Jacques Le Roux (Administrator):

I have created OFBIZ-11244 for that. I'll work on it ASAP.

Jacques

On 07/10/2019 at 10:15, Jacques Le Roux wrote:
> [earlier messages quoted in full, omitted]