9/2/2013 6:40:59 AM
We have a client very interested in PRS.
What he'd like to see (and me too) is the following:
5 questions during enrolment, minimum of 3
Ask 2 random questions from the pool of answered questions available for that particular user.
Let's assume we have 5 questions in our policy, 12345
User-A has answered 4 questions during enrolment, 123 & 5
On Monday morning they reset their password and get asked Questions 2 and 3
On Friday afternoon (after a particularly heavy liquid lunch!) they reset again but this time get asked questions 1 and 5
In this scenario and current behaviour of PRS, User-A will only ever have to answer questions 1 and 2 - the remaining questions will never get asked unless there's a policy change.
I believe this might raise scenarios where Bob joins the firm and during enrolment his colleague says to him "oh don't worry about those other questions, it only ever asks for the first two" - this weakens the process and the organisation's security policies.
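The two selection behaviours described in the post (always the first two answered questions, versus two chosen at random from everything the user enrolled), as an added example that is not part of the original post or of PRS; the question ids 1-5, the minimum of 3 enrolled answers and the `resets` simulation count are assumptions taken from the scenario above.

```python
import secrets

POLICY_QUESTIONS = [1, 2, 3, 4, 5]   # assumed policy pool from the post's scenario
MIN_ENROLLED = 3                     # minimum answers required at enrolment
ASKED_PER_RESET = 2                  # questions asked on each password reset


def validate_enrolment(answered):
    """Check an enrolment against the policy and return the answered ids sorted."""
    answered = set(answered)
    if not answered <= set(POLICY_QUESTIONS):
        raise ValueError("answered question not in policy pool")
    if len(answered) < MIN_ENROLLED:
        raise ValueError(f"at least {MIN_ENROLLED} questions must be answered")
    return sorted(answered)


def first_n_challenge(answered, n=ASKED_PER_RESET):
    """Current behaviour as described in the post: always the first n answered questions."""
    return validate_enrolment(answered)[:n]


def random_challenge(answered, n=ASKED_PER_RESET):
    """Requested behaviour: n distinct questions drawn from the whole answered pool.

    secrets.SystemRandom is used so the choice cannot be predicted from a
    seedable PRNG state; sample() draws without replacement.
    """
    pool = validate_enrolment(answered)
    return sorted(secrets.SystemRandom().sample(pool, n))


def questions_ever_asked(selector, answered, resets=500):
    """Simulate repeated resets and report which question ids were ever presented."""
    seen = set()
    for _ in range(resets):
        seen.update(selector(answered))
    return sorted(seen)


if __name__ == "__main__":
    user_a = [1, 2, 3, 5]  # User-A from the post: answered 4 of the 5 questions
    print("first-two policy ever asks:", questions_ever_asked(first_n_challenge, user_a))
    print("random policy ever asks:   ", questions_ever_asked(random_challenge, user_a))
```

With the first-two policy the simulation only ever reports questions 1 and 2; with random selection every enrolled question is eventually asked, which is the point the post makes.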