Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Cal Frye <cjf () CALFRYE COM>
Date: Thu, 3 Jan 2008 17:00:30 -0500
Hunt,Keith A wrote:
-----Original Message----- From: Cal Frye [mailto:cjf () CALFRYE COM] Sent: Thursday, January 03, 2008 12:46 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Authentication of remote users Gary Flynn wrote:Lets say you have a user that: 1) forgot their password 2) forgot their answers to their secret question(s) 3) is traveling making visiting the helpdesk impossible Lets also say asking for last four digits of SSN is not allowed. How do you authenticate the identity of the user and allow them to change their password?Here we require they fax (or sometimes an email will do) a photocopy of their ID card, which does not itself contain SSN data, but our internal ID number instead. I have never quite understood the thinking behind this approach, though I have seen a number of folks propose it. What if someone steals my ID card, or I lose it and someone else finds it? How does the possession of such a credential prove anything about the identity of the person who holds it?
I might ask the same regarding the "secret questions" approach. Many folks can easily determine my mother's maiden name, or my favorite color, etc. But as the number of copies of a student's ID is a low finite number (in most cases) holding the card itself reduces the opportunity for fraud considerably. As for other solutions being discussed, our help desk is mainly manned by student workers, who probably ought not to have access to the kinds of personal data being discussed. Asking to "see" the photo ID permits them to launch the password reset process without having to call a staff member to the phone. I don't think it's more or less reasonable than the "secret question" approach our self-service system uses. As time goes by, more and more of our users have set up their secret questions, and the self-service approach has already measurably reduced the load on the help desk. -- Regards, -- Cal Frye, Network Administrator, Oberlin College www.calfrye.com, www.pitalabs.com "No job is so simple that it can't be done wrong."
Current thread:
- Re: Authentication of remote users, (continued)
- Re: Authentication of remote users Hunt,Keith A (Jan 03)
- Re: Authentication of remote users Andrea Beesing (Jan 03)
- Re: Authentication of remote users Robert Paterson (Jan 03)
- Re: Authentication of remote users Scott Koger (Jan 03)
- Re: Authentication of remote users Tom Peterson (Jan 03)
- Re: Authentication of remote users Chris Vakhordjian (Jan 03)
- Re: Authentication of remote users Joel Rosenblatt (Jan 03)
- Re: Authentication of remote users Roger Safian (Jan 03)
- Re: Authentication of remote users charlie derr (Jan 03)
- Re: Authentication of remote users Roger Safian (Jan 03)
- Re: Authentication of remote users Cal Frye (Jan 03)
- Re: Authentication of remote users Doug Markiewicz (Jan 04)
- Re: Authentication of remote users Doug Markiewicz (Jan 04)
- Re: Authentication of remote users Gary Flynn (Jan 04)
- Re: Authentication of remote users Hunt,Keith A (Jan 04)
- Re: Authentication of remote users Joel Rosenblatt (Jan 04)
- Re: Authentication of remote users Gary Flynn (Jan 04)
- Re: Authentication of remote users Joel Rosenblatt (Jan 04)
- Re: Authentication of remote users Valdis Kletnieks (Jan 04)
- Re: Authentication of remote users Hunt,Keith A (Jan 04)
- Re: Authentication of remote users Jim Dillon (Jan 04)
(Thread continues...)