Remove Secret Question functionality and fields

Greetings,

Is it possible to remove the secret question functionality and fields from the access request form?

Thanks,

-Matt


2 Comments

  • 0
    Matthew McBride

    This can be done by removing the requirement for a password question and answer from the web.config file (requiresQuestionAndAnswer attribute of the membership provider) and adding a <div style="display:none"></div> tag around the question and answer section found in the register.aspx page.

    However, it is strongly recommended that you use a password question and answer in an extranet scenario. Without this setting an extranet user can have their password reset without knowing a password question and answer. This basically implies that any user can reset any other user's password. You could experience a denial of service attack against one or all of your extranet users.

  • 0
    Matthew McBride

    Even though I have selected “Generate a password without a hint and e-mail” from the Delegation Settings, the password reset wizard still asks the user for the Question/Answer.

    I have set my web.config to requiresQuestionAndAnswer="false". Ideally we just want to remove the Question/Answer functionality for now, but know that it’s hard to remove completely. One reason is because we are trying to import about 1000 users into the SQL database from another system and they do not have existing question/answers stored. Could you force the existing user to update their question/answer the first time they log in?
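
An added example, not part of the original thread or the product's own code: a Python check that flags membership providers in a web.config where password reset is enabled while requiresQuestionAndAnswer is false, the combination the first comment warns about. The sample config, the provider names, the use of the standard ASP.NET `enablePasswordReset` attribute, and the default values are assumptions not taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; provider names are illustrative only.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="ExtranetProvider">
      <providers>
        <add name="ExtranetProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
        <add name="InternalProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def _flag(elem, attr, default):
    """Read a boolean provider attribute, ignoring case and whitespace."""
    return elem.get(attr, default).strip().lower() == "true"


def audit_membership(config_xml):
    """Return (provider, finding) pairs for providers allowing reset without Q&A."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iterfind("system.web/membership/providers/add"):
        name = add.get("name", "<unnamed>")
        # Assumed defaults when an attribute is omitted: reset on, Q&A required.
        reset = _flag(add, "enablePasswordReset", "true")
        qa = _flag(add, "requiresQuestionAndAnswer", "true")
        if reset and not qa:
            findings.append((name, "password reset allowed without question/answer"))
    return findings


if __name__ == "__main__":
    for provider, finding in audit_membership(SAMPLE_CONFIG):
        print(f"{provider}: {finding}")
```

A provider that sets requiresQuestionAndAnswer="false" but also disables password reset is not flagged, since there is no reset path to abuse.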
