Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 16:36:23 -0400
Witmer, Robert wrote:
There must be a better way! We have a customized single sign on solution and are looking at self service password resets from a web page. Everything after authentication has been worked out. Currently we are thinking of using challenge/response type questions to verify account ownership. However, either most of the information is available on line (mother’s maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don’t collect and don’t want to use. Anyone have a better idea? If not, anyone have better challenge/response questions?
I don't think a question/answer system by itself is a viable authentication system for account access to anything but trivial accounts. Questions that are sufficient to prove identity with any assurance will result in a lot of false negatives and be a support nightmare. Questions that aren't sufficient result in unacceptable risk of unauthorized account access. It must be combined with something else. Many years ago that would be SSN. :) Today, an external email address or cell phone seems to be the most popular and logical choice. They both provide an out of band communications channel.

As for questions: In our experience, you cannot depend upon users to choose good questions. We've seen questions like this:

1) What color is my favorite sweater?
Problem: Insufficient domain of answers. Easily brute forced.

2) What was my high school's mascot?
Problem: High school is easily found on Facebook, MySpace, and other sites.

3) What is my social security number?
Problem: You're unknowingly storing sensitive data.

4) What is my uncle's birthday?
Problem: You're storing personal information about a person unaffiliated with your university.

You must supply at least some of your own questions. We had a list of questions for a proposed system to replace our current system but I can't put my hands on them now. I think we had 8 questions and the user could pick any 3. I think several were of the "what is your favorite" variety, which violates the recommendation not to choose questions whose answers might change, but there are really no really good solutions to this problem.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
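Two of the problems above (a small answer domain that is easily brute forced, and unknowingly storing sensitive data) can be reduced on the server side. The following is an added illustration, not code from this thread or from any university's reset system: it stores answers only as salted PBKDF2 hashes, locks the account after a few failed guesses, and estimates how many bits a set of questions actually provides. The iteration count, attempt limit and lockout period are assumed values.

```python
import hashlib
import hmac
import math
import os
import time
from typing import Optional

MAX_ATTEMPTS = 5          # assumed policy: lock after this many wrong guesses
LOCKOUT_SECONDS = 900     # assumed policy: 15 minute lockout
PBKDF2_ITERATIONS = 200_000

def normalize(answer: str) -> str:
    # Case, surrounding whitespace and repeated spaces should not matter to a
    # legitimate user, so fold them before hashing or comparing.
    return " ".join(answer.casefold().split())

def enroll(answer: str) -> dict:
    # Only a salted, slow hash is kept; the plaintext answer (which may be
    # sensitive, e.g. an SSN or a relative's birthday) is never stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

def verify(record: dict, guess: str, now: Optional[float] = None) -> bool:
    # Returns True only for a correct guess on an unlocked record. A locked
    # record rejects even the right answer until the lockout expires, which is
    # what stops an attacker from exhausting a small answer domain.
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(guess).encode(), record["salt"], PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_ATTEMPTS:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return False

def answer_bits(domain_size: int) -> float:
    # Entropy of one question whose answers are spread over domain_size values.
    return math.log2(domain_size)

def combined_bits(domain_sizes) -> float:
    # Independent questions multiply the answer space, so their bits add.
    # Three "favorite color" style questions (about 12 plausible answers each)
    # give under 11 bits: roughly 1700 combinations, which a lockout only slows.
    return sum(math.log2(n) for n in domain_sizes)
```

With the assumed policy, 1700 combinations at 5 guesses per 15 minutes are exhausted in a few days, so the lockout makes such questions tolerable only alongside an out-of-band channel like the external email or cell phone the message recommends.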