I need to add 3 security questions to a user account entity. The questions must be strings. They cannot be enums. I have a question entity, as the users want to edit the questions. The user should be able to select 3 questions, but they cannot be the same question. I need those questions to copy over to the user’s account object (which means the account object should have 3 question attributes as strings to “save” the user’s selected question). I don’t know why dropdowns don’t support string list queries, as that is a common operation, and I find it hard to believe that the system is making this task so difficult. My first instinct is to create a non-persisted object associated with the account entity, then put the drop-downs on that. It would require converting all my buttons to MF so that I can copy the question strings back and forth, which also requires 3 queries to select the correct objects when the form is opened again. I don’t like the thought of all that for such a simple task, so I’m hoping there’s a better solution. Note: I also need to filter each question, so that when the user selects a question, the other dropdowns refresh. If Mendix can’t handle that, then the only other option is to make sure the same question isn’t selected on save (within the MF). Any other ideas?
You could work with persistable entities and create something like a security question configuration. Then you could have 3 associations from account to your security question. In the reference selector dropdown widget, you can add constraints, so that already associated objects cannot be selected again.
Putting my CISO head on, I would advise not to use these kinds of security questions because they give a false sense of security unless these questions are very carefully selected. See for instance http://goodsecurityquestions.com/examples/
Whenever I come across these kinds of questions they mostly fall in the fair to poor cases.
I know this is fighting the problem but still want to mention it. I would always opt for a kind of two-factor authentication method to do sensitive stuff.