Educause Security Discussion mailing list archives

Challenge Questions


From: Lynn Dorendorf <Lynn.Dorendorf () EMICH EDU>
Date: Thu, 18 Jan 2007 15:47:34 -0500

At Eastern Michigan University we have implemented an Identity
Management System that allows self serve password reset using Challenge
Questions. The problem is that our help desk staff is still getting a
large number of password resets.

To set up the challenge questions, we have three administrative
questions and two user supplied questions. In order to reset your
password you must answer one administrative question and one user
question correctly. We have taken the approach that the administrative
questions must be something that the student's parents would not know so
they needed to be a little vague (Industry challenge question might be:
What is your birth date? Our question: What is a memorable date for you?)

Our questions are:

1) Do you use Challenge Questions? If so what are they and how many do
students need to answer correctly?
2) Were your challenge questions designed with the intent that the
student only (not parents) should know the answers?
3) How successful are you at having students use Challenge Questions to
reset their passwords?
4) If you do not use Challenge Questions, what other methods are you
using to reset passwords?

Lynn Dorendorf
Director IT Security
Eastern Michigan University
734.487.0101
