RFE: security questions/answers #513

Open
nirik opened this issue Feb 25, 2021 · 1 comment
Labels: enhancement (New feature or request), todo

Comments


nirik commented Feb 25, 2021

Note, this is an RFE and doesn't need to be done for initial deployment, etc...

In fas we had a security questions/answers feature. This allowed a user to enter anything in a security question field and anything in a security answer field. The answer was encrypted by a gpg key and both were stored.
Later, in the event a user doesn't have access to their email account or otherwise needs an admin to do something for them to their account, they can ask admins to use this feature. The admin then gets the 'security question' and asks the user. The user replies with the 'security answer' and the admin decrypts that and checks to make sure they match.

Note that the fields are blank; we don't force users to use a specific question or small list of questions, they can use anything they like that will let them know what the answer to it should be.


nirik commented Apr 5, 2021

It was pointed out on the list that this was very similar security-wise to just giving someone "reset codes", i.e. a random small list of codes that could be used in place of OTP to get into the account, so perhaps that would be better to implement.

@abompard abompard added the enhancement New feature or request label Apr 7, 2021
@ryanlerch ryanlerch added the todo label Jun 4, 2024
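
A sketch of the "reset codes" alternative raised in the last comment, as an added example that is not code from this project or its maintainers: a small list of random single-use codes is shown to the user once, and only salted digests are stored, so unlike the GPG-encrypted security answer nothing on the server can be decrypted back to the secret. All names, the alphabet, code length, code count and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the issue): alphabet without look-alike characters,
# 10-character codes, 8 codes per user, PBKDF2-HMAC-SHA256 for the stored digest.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"
CODE_LEN = 10
N_CODES = 8
PBKDF2_ROUNDS = 100_000


def _digest(salt: bytes, code: str) -> bytes:
    """Normalize user input (case, separators) and derive the stored digest."""
    normalized = code.replace("-", "").replace(" ", "").upper()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


def issue_codes(n: int = N_CODES):
    """Return (codes to display once to the user, records to persist)."""
    codes, records = [], []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        codes.append(f"{raw[:5]}-{raw[5:]}")
        records.append({"salt": salt, "hash": _digest(salt, raw), "used": False})
    return codes, records


def redeem(records, submitted: str) -> bool:
    """Accept a code at most once; every record is checked to keep timing uniform."""
    matched = None
    for rec in records:
        ok = hmac.compare_digest(_digest(rec["salt"], submitted), rec["hash"])
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True  # single use: a replayed code is rejected
    return True
```

Failed redemption attempts would still need rate limiting at the account level, which this sketch leaves out.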