Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 17:15:53 -0400

Schumacher, Adam J wrote:
> We use security questions plus having access to a secondary email account or
> cellphone capable of receiving text messages to reset passwords.  We provide
> 15 possible questions to choose from, of which they must select three (and
> answer a random selection of 2).

Did you write the application or are you using a commercial
application? We've been contemplating modifying our accounts
portal for similar functionality to front-end our Oracle OIM
based IdM system.

> Best practices for questions would involve things that aren't likely to
> change over time (excludes "what's your favorite _____?" type questions),
> things that aren't too easy to guess or find out, and have high entropy
> (lots of possible answers).
> Some examples of decent questions might include:

Though the use of the out-of-band email/cellphone communications
channel decreases risk, I don't like some of these questions...

> What is your oldest sibling's birthday?
This results in storage of personal information for an
unaffiliated person.


> What is the address of the first house you lived in?
OK

> What hospital were you born at?
How hard would it be to find the city a person was born in?
Having that, how hard would it be to find a list of hospitals
in that city?

> What was the color of your first car?
Bad question. Easily brute-forced. Red, white, blue...
I've seen a favorite color question compromised.

> What was the make/model of your first car?
Could be brute-forced. Or show up on myspace/facebook.

A lot probably depends upon the account the person is
attempting to regain control over. The more sensitive
the data, functionality, or shared resource, the stronger
the authentication needed.

In some cases, these "forgot password" convenience features
shouldn't even be used. I don't think it's too much to ask
of people whose account has been entrusted with access to
bulk sensitive constituent data to use a more reliable means
to authenticate their identity before providing access to
their account.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
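The brute-force concern raised above can be put in numbers. The following is an added example, not code from the thread or from either poster: it estimates an attacker's success against the "pick 3, answer a random 2" scheme from constructed answer-frequency lists (illustrative placeholders, not survey data), assuming the reset form checks both answers together and a lockout after a fixed number of attempts.

```python
import math
from itertools import combinations, product

# Constructed, illustrative answer-probability lists, most common answer
# first. NOT survey results; they only make the arithmetic concrete.
QUESTIONS = {
    "color of first car":   [0.20, 0.18, 0.15, 0.14, 0.12, 0.06, 0.05],
    "make/model first car": [0.06, 0.05, 0.05, 0.04, 0.04, 0.03, 0.03],
    "hospital born at":     [0.30, 0.25, 0.20, 0.15, 0.10],  # city already known
    "first house address":  [1e-5] * 20,  # placeholder: huge, near-uniform space
}


def min_entropy_bits(probs):
    """Guessing entropy: -log2 of the single most likely answer."""
    return -math.log2(max(probs))


def pair_success(probs_a, probs_b, attempts):
    """P(attacker answers BOTH questions within `attempts` joint guesses),
    assuming the form checks both answers at once and the attacker orders
    guesses from the most to the least likely answer pair."""
    joint = sorted((a * b for a, b in product(probs_a, probs_b)), reverse=True)
    return sum(joint[:attempts])


def scheme_success(chosen, attempts):
    """User picked 3 questions; the reset form asks a random 2 of them.
    Returns the attacker's success probability averaged over the 3 pairs."""
    pairs = list(combinations(chosen, 2))
    total = sum(pair_success(QUESTIONS[a], QUESTIONS[b], attempts) for a, b in pairs)
    return total / len(pairs)


if __name__ == "__main__":
    for name, probs in QUESTIONS.items():
        print(f"{name:22s} min-entropy {min_entropy_bits(probs):5.2f} bits")
    weak = ["color of first car", "make/model first car", "hospital born at"]
    mixed = ["color of first car", "first house address", "hospital born at"]
    for label, chosen in (("all weak", weak), ("one strong", mixed)):
        # 5 attempts before lockout; one strong question only helps when it is asked
        print(f"{label:10s} success within 5 attempts: {scheme_success(chosen, 5):.3f}")
```

The mixed set still loses about a third of the time the two weak questions are drawn together, which is why a single high-entropy question does not rescue a set that contains guessable ones.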
