ISC Security Question Answers are Visible

angelo_mekenkamp · August 7, 2023, 10:18am

Hi all,

When a user registers for the first time in IdentityNow, depending on the configuration, they may be asked to setup security questions for strong authentication. They must choose some questions and determine the answer. From a technical perspective, these answers are secrets. If others will know them, they can use it to perform strong authentication. Therefore, these answers should be secured in a similar way as passwords (hidden, encrypted etc.).

If I log in IdentityNow and then go to preferences, I trigger the strong authentication and see this:

Note that my answers are not visible. Only asterisks are shown. This has the same security level as when I write down the password.

During registration, when filling in the password and security question answers, we actually do see the values.

The password field (and confirmation password field) are only displaying asterisks. The reason behind this decision (I assume) is that when you share your screen while in a call, or if you have people close to you who might be able to see the screen, they will not be able to read your password from the screen. But why isn’t this applied to the security question answers as well on this location? Especially if they are hidden when I am actually using them while performing strong authentication. Now it is not consistently applied as secret.

To me this looks like a security issue.

ts_fpatterson · August 7, 2023, 11:25am

I would suggest this in ideas as well.

SailPoint Ideas Portal

angelo_mekenkamp · August 7, 2023, 11:43am

Hi Fred,

Thank you for your response!

I would consider the ideas portal for feature requests.
However, if certain functionality already exists and contains a security risk/flaw, I would categorize it as a bug rather than something to submit in the idea portal where people should vote on before it is taken into consideration.
Of course I still consider fixing security issues a good idea.

ts_fpatterson · August 7, 2023, 3:58pm

Do we have a specific link to go to regarding bugs? I have seen where partners consider Ideas as being an all in one. One reason I referenced the ideas portal is because they have a specific question on: “How big of a problem is it”, which could imply that it isn’t just for ideas.

derek_putnam · August 7, 2023, 4:00pm

@ts_fpatterson your first go to should always be filing the problem you’re facing with support.

You can also post here in the Bugs category if you want to garner more support from the community. It also helps our team to have visibiiity into what problems you’re facing so we can attempt to support you as well

angelo_mekenkamp · November 6, 2024, 9:45am

Just checked. Issue still exists.

Topic		Replies	Views	Activity
ISC IdentityNow UI: Adding a single '\' in the search causes an Error in the UI Bugs identity-security-cloud , identity-profiles , accounts , identities	1	29	October 31, 2024
Password visible in Link/Application Account IIQ Discussion and Questions identityiq	4	66	August 17, 2024

ISC Security Question Answers are Visible

Related topics