Educause Security Discussion mailing list archives

Exposing security questions


From: Rob Tanner <rtanner () LINFIELD EDU>
Date: Wed, 20 Jan 2010 10:09:21 -0800

We currently do self-service password management by requiring the user to
enter his/her SSN and mother’s maiden name whenever they forget their
current password or allow it to expire.  Now, we want to re-implement
self-service password management using security questions.  Out of a group
of about twenty questions, the user will initially be required to select and
answer three which the user will be presented with and required to answer
when they don’t know their password.  The user, whether student, faculty or
staff would of course have to enter their account ID (what we call their
CatNet ID which is a 7 or 8 character string made up of their first initial
and the first 6 or 7 characters of their last name).

On our first rewrite of the self-service web tool, we required the user to
also enter their student/staff ID number.  The idea is to at least add one
more layer before exposing the selected security questions.  Our problem is
that of our three campuses, the nursing school does not put student ID
numbers on their ID cards.  What, in addition to the account name do others
use?  Or do most figure that the account name is sufficient before exposing
the security questions?  My issue with that is that social engineering is
probably the bigger threat when trying to get access to people’s passwords
and if I only have three questions to figure out your answer to, that’s a
lot less work.  And if you happen to be the president, CFO, a trustee or any
of the executive administration, unauthorized access to your email, for
instance, could be far more than just embarrassing.

Any thoughts or suggestions?



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
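The flow the post describes, as an added example that is not part of the original message and not Linfield's tool: the user supplies an account ID plus a second identifier (the student/staff ID number) before the enrolled security questions are revealed, all three enrolled questions must be answered in one submission, answers and the ID number are stored only as salted hashes, and bad attempts are counted and locked out. The account names, question ids, answers, cost factor and lockout limits are constructed for illustration; the `ResetService` class and its method names are assumptions of this example, not an existing API.

```python
"""Added example: a self-service password-reset flow gated on a second
identifier before the security questions are exposed.  Everything here
(names, question pool, limits) is constructed for the demonstration."""

import hashlib
import hmac
import os
import time
import unicodedata

PBKDF2_ROUNDS = 50_000       # assumption: a modest cost factor for a demo
MAX_FAILURES = 5             # assumption: lock the reset flow after this many bad attempts
LOCKOUT_SECONDS = 15 * 60    # assumption: how long a locked account stays locked
QUESTIONS_REQUIRED = 3       # from the post: the user picks and answers three questions


def normalize(text: str) -> str:
    """Casefold and collapse whitespace so 'Smith ' and 'smith' hash identically."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash used for both the ID number and the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    """Keeps only salted hashes of the second identifier and the answers."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so lockout timing is testable
        self._accounts = {}        # account_id -> record (constructed in-memory store)

    def enroll(self, account_id, id_number, answers):
        """answers: {question_id: answer}; exactly QUESTIONS_REQUIRED entries."""
        if len(answers) != QUESTIONS_REQUIRED:
            raise ValueError(f"exactly {QUESTIONS_REQUIRED} questions must be answered")
        salt = os.urandom(16)
        self._accounts[account_id] = {
            "salt": salt,
            "id_hash": hash_secret(id_number, salt),
            "answers": {q: hash_secret(a, salt) for q, a in answers.items()},
            "failures": 0,
            "locked_until": 0.0,
        }

    def _locked(self, rec):
        return self._clock() < rec["locked_until"]

    def _record_failure(self, rec):
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
            rec["failures"] = 0

    def begin_reset(self, account_id, id_number):
        """Return the user's question ids only after the second identifier checks out.

        Unknown account, wrong ID number and locked account all return None, so
        the response does not tell a caller which of the three happened."""
        rec = self._accounts.get(account_id)
        if rec is None:
            hash_secret(id_number, b"\x00" * 16)   # same work as a real lookup
            return None
        if self._locked(rec):
            return None
        if not hmac.compare_digest(hash_secret(id_number, rec["salt"]), rec["id_hash"]):
            self._record_failure(rec)
            return None
        return sorted(rec["answers"])

    def verify_answers(self, account_id, answers):
        """All enrolled questions must be right in one submission; every answer is
        checked (no early exit) so a partial match gives no per-question feedback."""
        rec = self._accounts.get(account_id)
        if rec is None or self._locked(rec):
            return False
        ok = len(answers) == len(rec["answers"])
        for q, expected in rec["answers"].items():
            given = hash_secret(answers.get(q, ""), rec["salt"])
            ok &= hmac.compare_digest(given, expected)
        if not ok:
            self._record_failure(rec)
            return False
        rec["failures"] = 0
        return True
```

The two-step shape matters for the concern raised in the post: with only the account ID (which is derived from the person's name) as the gate, anyone can see which three questions a given user chose; requiring the ID number first, returning the same `None` for every failure, and counting failures toward a lockout means a guesser has to get past a second check with a bounded number of tries before the questions are even shown.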