Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 16:42:09 -0400

Bob Bayn wrote:

> Responses must be an exact match, and our users seem to have a lot of trouble with that, especially after 6 months or so.

We have that problem too. In a new system we proposed, the answers
would be case insensitive and would have white space removed.

> Some "favorites" change over time so challenges that ask about a favorite are hard to answer after 6 months.

Agreed. Especially when you're 19. :)

However, this is a fallback mechanism to be used only when a password
is forgotten and there may be fallback mechanisms to the challenge
questions if their answers can't be remembered. Like a visit to the
helpdesk with a picture ID when the person is on-campus.

> We've just recently given our ServiceDesk staff the ability to access a user's challenge responses so they can do confirmations over the phone and accept approximate matches to the answers.

Isn't that kind of like giving them access to the account passwords?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
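As an added illustration (not code from the list or from JMU), the following sketch shows the normalisation Gary describes (case-insensitive, whitespace removed; the Unicode NFKC folding is an extra assumption) combined with storing only a salted, slow hash of each response, so that staff with database access cannot read the answers themselves. The PBKDF2 parameters are assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the deployment


def normalize_answer(answer: str) -> str:
    """Canonicalise a challenge response before storing or checking it.

    Case-insensitive and whitespace-insensitive, as in the proposed system.
    NFKC folding (an added assumption) makes full-width or composed
    characters compare equal to their plain forms.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(folded.split())


def enroll_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the clear-text answer is not kept.

    Only the normalised form is hashed, so later variations in case or
    spacing still verify.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Check a submitted response against the stored salt and digest.

    Constant-time comparison avoids leaking how many bytes matched.
    """
    test = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(test, digest)


if __name__ == "__main__":
    # Constructed sample enrolment and a later, differently typed attempt.
    salt, digest = enroll_answer("Fluffy the Cat")
    print(verify_answer("  fluffy  THE cat ", salt, digest))  # True
```

Because only a hash is stored, this design cannot offer the "approximate match" over the phone that Bob describes; that convenience is exactly what requires keeping the answers readable, which is the trade-off Gary's question points at.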
