Educause Security Discussion mailing list archives

assessing an authentication service


From: Tom Barton <tbarton () UCHICAGO EDU>
Date: Wed, 29 Dec 2004 14:56:12 -0600

At the "CAMP Enterprise Authentication Workshop" last November in San
Diego we identified a need for an authoritative doc to help campuses
assess their authentication services. Two docs, in fact:

(1) a "how to" doc for assessing an authentication service to determine
what actions are likeliest to make the most substantial improvements in
overall strength of authentication. It could take the form of a top 10 list.

(2) a study (or metastudy) of the effect various password length,
complexity, history, and aging characteristics have on overall strength
of an authentication service.

Regarding (2), I think people (and CAMP attendees in particular) are
typically aware of the arguments pro and con associated with discussions
of password strength. We're looking instead for actual scientific,
perhaps sociological, studies. You know, where there's an experimental
design, thoughtfully implemented protocol, systematic data gathering and
analysis, and interpretation of results. Or a synthesis of these, if
such experiments have been done many times.

And there's a general understanding that passwords, or any proofs used
in a run-time authentication, are just one aspect of the overall
efficacy of an authentication system. Procedural, social, and additional
technical characteristics also determine strength of authentication.
Hence (1).

Do members of this group know of authoritative sources for (1) or (2)?

Thanks,
Tom
--
Tom Barton
Senior Director for Integration
Networking Services and Information Technologies
The University of Chicago
773-834-1700 (office)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.