
Letting the user choose its challenge questions


Hi,

We are looking for the possibility to let the user choose its questions
out of a pool of questions for the challenge responses. As it is hard to
choose questions that can be unambiguous, stable, unknown to others,
etc..., so letting the user choose 3 security questions out of a pool of
10 would be an interesting approach, but there's no way to do this using
iManager.

I've been told that with SSPR this is possible... AFAIK, since it's
based on PWM and linked to eDirectory, SSPR can only use the challenge
set that is associated with the password policy of the user, not
offering the choice of questions to the user.

Am I right?

Any possibility to let the user choose from a list of questions?

Serge


--
sergecouture
------------------------------------------------------------------------
sergecouture's Profile: https://forums.netiq.com/member.php?userid=5345
View this thread: https://forums.netiq.com/showthread.php?t=48067


Re: Letting the user choose its challenge questions

> We are looking for the possibility to let the user choose its questions
> out of a pool of questions for the challenge responses. As it is hard to
> choose questions that can be unambiguous, stable, unknown to others,
> etc..., so letting the user choose 3 security questions out of a pool of
> 10 would be an interesting approach, but there's no way to do this using
> iManager.


True; the NMAS implementation of Challenge/Response authentication
requires that a user answer all questions to possibly be used later. This
is tricky and requires really good questions that apply to all users, or
it requires users to make up answers that maybe are not relevant to them.

> I've been told that with SSPR this is possible... AFAIK, since it's
> based on PWM and linked to eDirectory, SSPR can only use the challenge
> set that is associated with the password policy of the user, not
> offering the choice of questions to the user.


No, SSPR (and PWM) are built to work with eDirectory, but they also work
with other directories and can store responses outside of any directory in
a PWM/SSPR internal database.

> Am I right?


Nope.

> Any possibility to let the user choose from a list of questions?


Yup.

Good luck.

Re: Letting the user choose its challenge questions


ab;230872 Wrote:
> (...)SSPR (and PWM) are built to work with eDirectory, but they also work
> with other directories and can store responses outside of any directory in
> a PWM/SSPR internal database.


But if we want the user to be able to click on the "Forgot your password?" link
on the Novell Client Login window, responses have to be stored in
eDirectory, and this would conform to the user's password policy...
right?

Serge


--
sergecouture


Re: Letting the user choose its challenge questions

Yes... if you plan on using the Novell Client's 'Forgotten Password' link
without something else, you're stuck with the other implementation;
however, if you use the Client Login Extension and tell it to point to
SSPR for the challenge/response piece, then you are back to SSPR
functionality.

Good luck.

Re: Letting the user choose its challenge questions


I didn't know about the Client Login Extension. I'll have a look at this
and what it can offer to help me...

Also... the SSPR documentation says that you can store the challenge
responses in a database but this looks like an option only if you specify
Active Directory, not eDirectory (not even LDAP).

Can SSPR save the responses in eDirectory even if the challenge
responses weren't taken from eDir?

Serge


--
sergecouture


Re: Letting the user choose its challenge questions


sergecouture;230871 Wrote:
> Hi,
>
> We are looking for the possibility to let the user choose its questions
> out of a pool of questions for the challenge responses. As it is hard to
> choose questions that can be unambiguous, stable, unknown to others,
> etc..., so letting the user choose 3 security questions out of a pool of
> 10 would be an interesting approach, but there's no way to do this using
> iManager.
>
> I've been told that with SSPR this is possible... AFAIK, since it's
> based on PWM and linked to eDirectory, SSPR can only use the challenge
> set that is associated with the password policy of the user, not
> offering the choice of questions to the user.
>
> Am I right?
>
> Any possibility to let the user choose from a list of questions?
>
> Serge


To my knowledge, No, cannot be done currently with the software at hand.
Novell/NetIQ has been aware of this enhancement request for at LEAST 3
years. You can submit the same request, and hopefully it'll put some
traction on implementing this.

Now, Novell/NetIQ CAN do this. It's a custom consulting engagement, and
from what I'm told, it's hideously expensive (you'll notice that
Novell's own login pages have the security question pool you and I, and
many others, want). It's entirely possible that the requirement for a
paid engagement is the reason Novell/NetIQ hasn't put this feature into
the product(s) yet, but that's pure supposition on my part.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322


Re: Letting the user choose its challenge questions


Actually, allowing users to select which responses to use from a larger
list of questions has been a feature of SSPR since 2.0. It works when
storing the responses via ldap or NMAS. Thus, you can use eDirectory
challenge policies, allow users to select their own responses, and store
responses in NMAS for compatibility with Client32. I would still
recommend the CLE approach, however. Not all features of SSPR are available
when storing responses in NMAS, but this one is.

Additionally, SSPR can store responses in ldap, nmas, a local (embedded)
database, or a remote database such as Oracle or MS-SQL. The storage
options are not tied to the directory vendor (AD or eDir).

Hope this helps.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541


Re: Letting the user choose its challenge questions


jrivard;233390 Wrote:
> Actually, allowing users to select which responses to use from a larger
> list of questions has been a feature of SSPR since 2.0. It works when
> storing the responses via ldap or NMAS. Thus, you can use eDirectory
> challenge policies, allow users to select their own responses, and store
> responses in NMAS for compatibility with Client32. I would still
> recommend CLE approach however. Not all features of SSPR are available
> when storing responses in NMAS, but this one is.
>
> Additionally, SSPR can store responses in ldap, nmas, local (embedded)
> database, a remote database such as Oracle or MS-SQL. The storage
> options are not tied to the directory vendor (AD or eDir).
>
> Hope this helps.


Hi Jason-- Perhaps I misinterpreted what the OP was wanting, but when I
asked this at a certain Novell-sponsored event (SSPR 2.0 was out at the
time) the answer was "no".

What I *thought* the OP was referring to was like what most banks and
Novell's site do:

Question 1:
Choose one of the 10 questions (presented with a drop-down list)

Question 2:
Choose one of the 8 questions (completely different drop-down list)

Question 3:
Choose one of 5 questions (again, completely diff. drop-down list)


Are you saying that SSPR 2.0 can/does do that and that 3.0 can as well
and can integrate these with NMAS/UP? I ask because the iManager
plugins for UP don't have this option/UI, so how would the Novell Client
or anything integrate?

And what if the users already answered challenge/response as per the
existing UP setup where it's one question, and not a pool? Do you have
to clear all those and then somehow the UP policy will point to SSPR 3.0?

Sorry for all the questions, I'm still reading the docs for 3.0.


--
kjhurni


Re: Letting the user choose its challenge questions


kjhurni;233795 Wrote:
> Hi Jason-- Perhaps I misinterpreted what the OP was wanting, but when I
> asked this at a certain Novell-sponsored event (SSPR 2.0 was out at the
> time) the answer was "no".
>
> What I *thought* the OP was referring to was like what most banks and
> Novell's site does:
>
> Question 1:
> Choose one of the 10 questions (presented with a drop-down list)
>
> Question 2:
> Choose one of the 8 questions (completely different drop-down list)
>
> Question 3:
> Choose one of 5 questions (again, completely diff. drop-down list)
>
>
> Are you saying that SSPR 2.0 can/does do that and that 3.0 can as well
> and can integrate these with NMAS/UP? I ask because the iManager
> plugins for UP don't have this option/UI, so how would the Novell Client
> or anything integrate?
>
> And what if the users already answered challenge/response as per the
> existing UP setup where it's one question, and not a pool? Do you have
> to clear all those and then somehow the UP policy will point to SSPR 3.0?
>
> Sorry for all the questions, I'm still reading the docs for 3.0.


Well it appears that SSPR 3.0 still cannot do the multiple pool question
like Novell's own site can. Looks like it's really not much different
than the NMAS setup where you have ONE question list to choose from.

Too bad really.

Since I've already had my enhancement request in the list for years,
perhaps the OP can submit an RMS request as well and maybe NetIQ will
put it on the list to implement?

Unless I'm looking at the configuration screens wrong, but it looks like
I can only create one list of questions and you simply select how many
of those the user can pick.


--
kjhurni

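The two enrollment models compared in this thread (one shared list from which the user picks a fixed number of questions, versus a separate drop-down list per question slot), as an added example that is not part of the original thread and is not SSPR or NMAS code. All names (`validate_enrollment`, `hash_answer`, `verify_answer`) and the question ids are hypothetical, and storing answers as salted PBKDF2 hashes is an assumption of this sketch.

```python
import hashlib
import hmac
import os

# Constructed question ids; a real deployment would hold the question text.
POOL = [f"Q{i:02d}" for i in range(1, 24)]
SINGLE_POOL = POOL[:10]                             # "pick 3 of 10" model
SLOT_POOLS = [POOL[:10], POOL[10:18], POOL[18:23]]  # 10 / 8 / 5, one list per slot

def normalize(answer):
    """Case-fold and collapse whitespace so 'Maple  Street' == 'maple street'."""
    return " ".join(answer.casefold().split())

def validate_enrollment(choices, pools, min_len=4):
    """choices: (question, answer) pairs in slot order.
    pools: one list per slot; pass [pool] * k for the single-list model.
    Returns a list of error strings (empty means the enrollment is accepted)."""
    if len(choices) != len(pools):
        return [f"expected {len(pools)} responses, got {len(choices)}"]
    errors, seen_q, seen_a = [], set(), set()
    for slot, ((question, answer), pool) in enumerate(zip(choices, pools), 1):
        norm = normalize(answer)
        if question not in pool:
            errors.append(f"slot {slot}: question not offered for this slot")
        if question in seen_q:
            errors.append(f"slot {slot}: question chosen twice")
        if len(norm) < min_len:
            errors.append(f"slot {slot}: answer too short")
        if norm in seen_a:
            errors.append(f"slot {slot}: answer reused")
        seen_q.add(question)
        seen_a.add(norm)
    return errors

def hash_answer(answer, salt=None, iterations=200_000):
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    salt = salt or os.urandom(16)
    data = normalize(answer).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, iterations)

def verify_answer(candidate, salt, digest, iterations=200_000):
    """Constant-time check of a recovery-time answer against the stored hash."""
    return hmac.compare_digest(hash_answer(candidate, salt, iterations)[1], digest)
```

The same three choices can pass under the single-list policy and fail under the per-slot policy, which is why responses enrolled under one model may need re-enrollment if the policy changes.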