View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001684 | Composr | core_cns | public | 2014-08-29 20:54 | 2021-02-06 23:46 |
Reporter | Chris Graham | Assigned To | Chris Graham | ||
Severity | Feature-request | ||||
Status | closed | Resolution | won't fix | ||
Product Version | |||||
Fixed in Version | |||||
Summary | 0001684: Security Questions for password resets | ||||
Description | Support security question(s) in the lost_password module - you need to enter your security answers correctly before it will initiate a reset. Provide static list of questions user can answer, allow user to create their own. | ||||
Tags | Type: Security | ||||
Time estimation (hours) | 20 | ||||
Sponsorship open | |||||
related to | 0002304 | resolved | Chris Graham | Greater password reset flexibility |

I think it is better we just have 2FA to include the lost password form. If someone has enabled 2FA they have to successfully go through 2FA (be it SMS code, Google Authenticator, or a recovery code), to do a password reset. If they can't do that, they can talk to an admin about regaining access. No need to have multiple tangential approaches to security. Best to center around one set of very well implemented concepts.

Just to be clear, this would be a 2FA reset. So they'd have the SMS/Google Authenticator/Recovery code factor COMBINED with the email factor. Instead of the current single factor reset, which is just email.

Date Modified | Username | Field | Change |
---|---|---|---|
2019-06-27 01:50 | Chris Graham | Relationship added | related to 0002304 |
2021-02-06 23:45 | Chris Graham | Assigned To | => Chris Graham |
2021-02-06 23:45 | Chris Graham | Status | non-assigned => closed |
2021-02-06 23:45 | Chris Graham | Resolution | open => won't fix |
2021-02-06 23:45 | Chris Graham | Note Added: 0006940 | |
2021-02-06 23:46 | Chris Graham | Note Added: 0006941 |