Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 17:15:53 -0400
Schumacher, Adam J wrote:
> We use security questions plus having access to a secondary email account or cellphone capable of receiving text messages to reset passwords. We provide 15 possible questions to choose from, of which they must select three (and answer a random selection of 2).

Did you write the application or are you using a commercial application? We've been contemplating modifying our accounts portal for similar functionality to front-end our Oracle OIM based IdM system.

> Best practices for questions would involve things that aren't likely to change over time (excludes "what's your favorite _____?" type questions), things that aren't too easy to guess or find out, and have high entropy (lots of possible answers). Some examples of decent questions might include:

Though the use of the out-of-band email/cellphone communications channel decreases risk, I don't like some of these questions...

> What is your oldest sibling's birthday?

This results in storage of personal information for an unaffiliated person.

> What is the address of the first house you lived in?

OK

> What hospital were you born at?

How hard would it be to find the city a person was born in? Having that, how hard would it be to find a list of hospitals in that city?

> What was the color of your first car?

Bad question. Easily brute forced. Red, white, blue... I've seen a favorite color question compromised.

> What was the make/model of your first car?

Could be brute forced. Or show up on myspace/facebook.

A lot probably depends upon the account the person is attempting to regain control over. The more sensitive the data, functionality, or shared resource, the stronger the authentication needed. In some cases, these "forgot password" convenience features shouldn't even be used. I don't think it's too much to ask of people whose account has been entrusted with access to bulk sensitive constituent data to use a more reliable means to authenticate their identity before providing access to their account.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
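Added example (editor's code, not from the list post, JMU's portal or Oracle OIM): a minimal challenge/response reset check of the kind described in the thread, with the random 2-of-3 question selection, salted slow hashing of normalised answers instead of plaintext storage, a single pass/fail result so the check cannot be used as a per-question oracle, and an attempt cap. The question ids and the answer-space sizes in QUESTIONS are constructed estimates used to illustrate Gary's point about the "color of your first car" question; they are not measurements.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Hypothetical catalogue: the wording is the list's examples, the second field is a
# constructed, rough count of plausible answers (not a measured figure).
QUESTIONS = {
    "car_color": ("What was the color of your first car?", 16),
    "car_model": ("What was the make/model of your first car?", 2_000),
    "hospital":  ("What hospital were you born at?", 30),
    "address":   ("What is the address of the first house you lived in?", 1_000_000),
}

PBKDF2_ROUNDS = 100_000  # answers are low-entropy, so a slow hash matters if the store leaks


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Red', ' red.' and 'RED' compare equal.

    NFKD-decompose and drop accents, case-fold, then keep only letters and digits
    so spacing and punctuation differences do not lock legitimate users out.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in stripped.casefold() if ch.isalnum())


def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Store a per-question salt and PBKDF2 hash of the normalised answer, never the answer."""
    enrolled = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
        enrolled[qid] = (salt, digest)
    return enrolled


def guess_probability(qids: list[str], attempts: int) -> float:
    """Chance that uniform guessing answers every asked question within the attempt budget.

    Assumes uniformly distributed answers, which flatters the defender: real answers
    ('red', 'blue') are heavily skewed, so treat this as a floor, not an estimate.
    """
    space = math.prod(QUESTIONS[q][1] for q in qids)
    return min(1.0, attempts / space)


class ResetChallenge:
    """One password-reset session asking `ask` of the user's enrolled questions."""

    def __init__(self, enrolled, ask: int = 2, max_attempts: int = 5, rng=secrets.SystemRandom()):
        if len(enrolled) < ask:
            raise ValueError("user has not enrolled enough questions")
        self.enrolled = enrolled
        self.max_attempts = max_attempts
        self.attempts = 0
        # Random subset, so an attacker who has researched one answer cannot choose it.
        self.asked = rng.sample(sorted(enrolled), ask)

    @property
    def locked(self) -> bool:
        return self.attempts >= self.max_attempts

    def verify(self, answers: dict[str, str]) -> bool:
        """True only if every asked answer matches.

        One combined result (no per-question feedback) keeps the form from acting as
        an oracle; the counter caps online guessing; compare_digest and the absence
        of an early exit keep timing the same whichever answer is wrong.
        """
        if self.locked:
            return False
        self.attempts += 1
        ok = True
        for qid in self.asked:
            salt, expected = self.enrolled[qid]
            given = answers.get(qid, "")
            digest = hashlib.pbkdf2_hmac("sha256", normalize(given).encode(), salt, PBKDF2_ROUNDS)
            ok &= hmac.compare_digest(digest, expected)
        return ok


if __name__ == "__main__":
    # Constructed enrolment data for a demo user.
    store = enroll({"car_color": "Red", "hospital": "St. Mary's", "address": "12 Elm St"})
    challenge = ResetChallenge(store)
    print("asked:", challenge.asked)
    print("color+hospital, 5 tries:", guess_probability(["car_color", "hospital"], 5))
    print("model+address, 5 tries:", guess_probability(["car_model", "address"], 5))
```

With five attempts before lockout, the colour/hospital pair already gives a uniform guesser roughly a one-in-a-hundred chance per locked-out account, and that is before accounting for how few colours people actually name; the address/model pair is many orders of magnitude harder. The out-of-band SMS or secondary-mail step Adam describes is what makes the weak questions tolerable at all, which is the thread's point.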