Description
I was about to set up personal questions. I set up a list of 15 questions, all personal and easy to answer by the users themselves with a single word. I'm saving it on AD and changed the password successfully through question answering after answering the 4 questions of their choice.
As this mechanism will rarely be used, I wonder if there is a method to post them when a user asks for a password reset through questions. As I said, I have many questions and all of them are so personal that each user can answer all of them, and trying combinations could take so long.
On the other hand, you know how users are, they usually type their password on a post-it, so expecting them to remember which questions they set, let's say eight months ago, can be a complete prowess.
I would like to have a config setting like $show_defined_questions or similar to ease that burden.
I know the security implications of having the questions shown on the reset password through questions, but perhaps there is someone like me, who can be confident those questions are so personal that they could hardly be guessed by an attacker. I could even force answering 8 or 10 questions.
I also see I could present fewer questions and force users to answer all of them, and that's what I will probably do as I need to launch the service ASAP, but I would like to see some flexibility.
Thanks!