Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 4 Jan 2008 13:59:17 -0500

The point of the ID card is that you just do a RESET of the ID if they present the card (over the phone, by knowing the card number, or by fax) - the ID is not active at that point, but put back to the initial state.  It then requires them to know the proper secrets to re-activate it.

We will not re-activate an ID without having the person standing in front of the help desk with their photo ID in hand - the best we will do if you have that ID and can read us the number is a reset (same for fax).

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Friday, January 04, 2008 1:48 PM -0500 "Hunt,Keith A" <keith () UAKRON EDU> wrote:

-----Original Message-----
From: Cal Frye [mailto:cjf () CALFRYE COM]
Sent: Thursday, January 03, 2008 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication of remote users

Hunt,Keith A wrote:
> -----Original Message-----
> From: Cal Frye [mailto:cjf () CALFRYE COM]
> Sent: Thursday, January 03, 2008 12:46 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Authentication of remote users
>
> Gary Flynn wrote:
>>
>> Let's say you have a user that:
>>
>> 1) forgot their password
>> 2) forgot their answers to their secret question(s)
>> 3) is traveling making visiting the helpdesk impossible
>>
>> Let's also say asking for last four digits of SSN is
>> not allowed.
>>
>> How do you authenticate the identity of the user and
>> allow them to change their password?
>>
>>
> Here we require they fax (or sometimes an email will do) a photocopy of
> their ID card, which does not itself contain SSN data, but our internal
> ID number instead.
>
> I have never quite understood the thinking behind this approach,
> though I have seen a number of folks propose it.
>
> What if someone steals my ID card, or I lose it and someone else
> finds it?
>
> How does the possession of such a credential prove anything about
> the identity of the person who holds it?

I might ask the same regarding the "secret questions" approach. Many
folks can easily determine my mother's maiden name, or my favorite
color, etc.


Sure, and I would say that these are therefore poor choices for secret
questions.


But as the number of copies of a student's ID is a low finite number
(in most cases) holding the card itself reduces the opportunity for
fraud considerably.

Perhaps, but if I lose my card there are a large number of people who
might find it. And for the one who does the opportunity for fraud is
pretty high.


As for other solutions being discussed, our help desk is mainly manned
by student workers, who probably ought not to have access to the kinds
of personal data being discussed. Asking to "see" the photo ID permits
them to launch the password reset process without having to call a
staff member to the phone. I don't think it's more or less reasonable
than the "secret question" approach our self-service system uses.

I still don't quite understand this use of a photo ID (not picking only
on you, Cal, there have been a number of messages in this thread that
mention it). Seems to me the whole point of the "photo" part is so one
can compare the picture to the face of the person presenting it. Without
the face you might as well be looking at a copy of a membership card for
the Buck Rogers Space Rangers Club.


As time goes by, more and more of our users have set up their secret
questions, and the self-service approach has already measurably
reduced the load on the help desk.

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com

"No job is so simple that it can't be done wrong."



--
Keith Hunt  330.972.7968  keith () uakron edu
Internet & Server Systems
The University of Akron



