Educause Security Discussion mailing list archives
assessing an authentication service
From: Tom Barton <tbarton () UCHICAGO EDU>
Date: Wed, 29 Dec 2004 14:56:12 -0600
At the "CAMP Enterprise Authentication Workshop" last November in San Diego we identified a need for an authoritative doc to help campuses assess their authentication services. Two docs, in fact:

(1) a "how to" doc for assessing an authentication service to determine what actions are likeliest to make the most substantial improvements in overall strength of authentication. It could take the form of a top 10 list.

(2) a study (or metastudy) of the effect various password length, complexity, history, and aging characteristics have on overall strength of an authentication service.

Regarding (2), I think people (and CAMP attendees in particular) are typically aware of the arguments pro and con associated with discussions of password strength. We're looking instead for actual scientific, perhaps sociological, studies. You know, where there's an experimental design, thoughtfully implemented protocol, systematic data gathering and analysis, and interpretation of results. Or a synthesis of these, if such experiments have been done many times.

And there's a general understanding that passwords, or any proofs used in a run-time authentication, are just one aspect of the overall efficacy of an authentication system. Procedural, social, and additional technical characteristics also determine strength of authentication. Hence (1).

Do members of this group know of authoritative sources for (1) or (2)?

Thanks,
Tom

--
Tom Barton
Senior Director for Integration
Networking Services and Information Technologies
The University of Chicago
773-834-1700 (office)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.