Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 4 Jan 2008 16:58:10 -0700
One other idea (for alternate authentication under lost-credential situations) - we don't use this, I just think in principle it addresses the original inquiry - is to consider the two-factor rule for authentication. Have them both fax the image of their ID card or driver's license AND answer a question that is typically protected information but contained in your "person" information. The question can vary (someone else had a list of possible info), and you should be able to expect the requester to share some of the risk involved, that is, to give up their absolute rights to privacy (by asking them to reveal something private) in order to compensate for the error/failure on their part.

This keeps the risk pretty low - it works for the banks and their cash cards, it ought to be sufficient for standard access problems. For extremely private/critical systems, you might want to up the requirements even more, but for the typical access, I don't see offhand how something like the above won't be sufficient. Either part by itself may not be, but the likelihood of a successful fraud given the two factors is pretty slim.

It might be wise on your end to set up a log/audit system for every such request where all or some are confirmed by email/phone contact a week later, as a customer service and assurance that you have their identity protection in mind as a priority.

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder----------------------

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Friday, January 04, 2008 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication of remote users

Thanks to everyone who responded.

We were in a meeting yesterday discussing future self-service account management requirements associated with an on-going Identity Management project, and there was a desire to see if there was any consensus in higher education on ideal balance points between risk acceptance, service delivery, and support load regarding this issue. I believe your comments have aided our discussions greatly.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
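The following is an added example, not code from the thread or from either university: a small Python model of the lost-credential rule Jim describes above (a faxed ID image AND a correct answer to a protected-information question, every request logged, with a follow-up contact scheduled a week later for granted requests). Everything in it is an assumption for illustration: the record and audit structures, the three-attempt lockout on the question, the sample person "u123", and the choice to store the answer salted and stretched like a password rather than in clear text.

```python
"""
Added example (not from the Educause thread): a toy model of two-factor
identity proofing for a lost-credential reset. Names, the lockout limit
and the sample person are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

FOLLOW_UP_DELAY = timedelta(days=7)  # "confirmed by email/phone contact a week later"
MAX_ATTEMPTS = 3                     # assumed lockout so the question cannot be guessed


def normalize(answer: str) -> str:
    """Case-fold, strip accents and collapse whitespace so a helpdesk
    entry of 'mary  SMITH' still matches a stored 'Mary Smith'."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the protected answer like a password (salted PBKDF2) so a
    leaked person record does not leak the answer itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class PersonRecord:
    person_id: str
    question: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0


@dataclass
class AuditEntry:
    person_id: str
    requested_at: datetime
    document_received: bool
    question_passed: bool
    granted: bool
    follow_up_due: Optional[datetime]  # when to call/email the person to confirm


AUDIT_LOG: List[AuditEntry] = []


def enroll(person_id: str, question: str, answer: str) -> PersonRecord:
    """Create the 'person' record holding the question and hashed answer."""
    salt, digest = hash_answer(answer)
    return PersonRecord(person_id, question, salt, digest)


def verify_reset_request(rec: PersonRecord, document_received: bool,
                         submitted_answer: str,
                         now: Optional[datetime] = None) -> AuditEntry:
    """Apply the two-factor rule: BOTH the faxed ID and the knowledge
    question must pass. Every request is logged, granted or not, and a
    granted one gets a follow-up confirmation date."""
    now = now or datetime.now(timezone.utc)
    question_passed = False
    if rec.failed_attempts < MAX_ATTEMPTS:  # locked-out records always fail
        _, digest = hash_answer(submitted_answer, rec.salt)
        question_passed = hmac.compare_digest(digest, rec.answer_hash)
        if not question_passed:
            rec.failed_attempts += 1
    granted = document_received and question_passed
    entry = AuditEntry(
        person_id=rec.person_id,
        requested_at=now,
        document_received=document_received,
        question_passed=question_passed,
        granted=granted,
        follow_up_due=now + FOLLOW_UP_DELAY if granted else None,
    )
    AUDIT_LOG.append(entry)
    return entry


def due_follow_ups(now: datetime) -> List[AuditEntry]:
    """Granted requests whose one-week confirmation contact is now due."""
    return [e for e in AUDIT_LOG
            if e.granted and e.follow_up_due is not None and e.follow_up_due <= now]


if __name__ == "__main__":
    rec = enroll("u123", "Mother's maiden name?", "Mary Smith")  # constructed sample
    print(verify_reset_request(rec, True, "  mary  SMITH "))    # both factors: granted
    print(verify_reset_request(rec, False, "Mary Smith"))       # no ID image: denied
    print(verify_reset_request(rec, True, "Jane Smith"))        # wrong answer: denied
```

Two points the prose leaves implicit are made explicit here: a single passed factor is logged but never grants access, and the knowledge question is treated as a secret (hashed, compared in constant time, and locked after a few failures) because a helpdesk answer that can be guessed indefinitely is not really a second factor.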