Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 4 Jan 2008 16:58:10 -0700

One other idea (for alternate authentication under lost credential
situations) - we don't use this, I just think in principle it addresses
the original inquiry - is to consider the two-factor rule for
authentication.  Have them both fax the image of their ID card or
Driver's License, AND, answer a question that is typically protected
information but contained in your "person" information.  The question
can vary (someone else had a list of possible info) and you should be
able to expect the requester to share some of the risk involved, that is
to give up their absolute rights to privacy (by asking them to reveal
something private) in order to compensate for the error/failure on their
part.  This keeps the risk pretty low - it works for the banks and their
cash cards, it ought to be sufficient for standard access problems.

For extremely private/critical systems, you might want to up the
requirements even more, but for the typical access, I don't see offhand
how something like the above won't be sufficient.  Either part by itself
may not be, but the likelihood of a successful fraud given the two
factors is pretty slim.  It might be wise on your end to set up a
log/audit system for every such request where all or some are confirmed
by email/phone contact a week later as a customer service and assurance
that you have their identity protection in mind as a priority.

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder----------------------

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Friday, January 04, 2008 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication of remote users

Thanks to everyone who responded. We were in a meeting yesterday
discussing future self-service account management requirements
associated with an on-going Identity Management project and there
was a desire to see if there was any consensus in higher education
on ideal balance points between risk acceptance, service delivery,
and support load regarding this issue.

I believe your comments have aided our discussions greatly.

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
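As an added illustration of the procedure Jim sketches (not code from the thread or from either university), the following Python module keeps an audit record of every lost-credential recovery request, enforces the two-factor rule (ID-document image AND a matching knowledge-question answer, neither alone sufficient), and lists approved requests that are a week old and still need an email/phone confirmation with the user. All names, fields and sample requests are constructed assumptions.

```python
"""Audit log for lost-credential recovery requests (added example).

Models two points from the discussion: a request is approved only when
both factors (faxed ID image + correct answer to a private question) are
present, and every approved request is followed up with the user about a
week later.  Class and field names are assumptions, not a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

FOLLOW_UP_DELAY = timedelta(days=7)  # "a week later", per the post


@dataclass
class RecoveryRequest:
    request_id: str
    user_id: str
    received_at: datetime
    id_document_received: bool                # factor 1: faxed ID card / driver's licence image
    knowledge_answer_matched: Optional[bool]  # factor 2: None means no question was asked
    handled_by: str                           # staff member who processed it (audit trail)
    approved: bool = False
    follow_up_channel: Optional[str] = None   # "email" or "phone" once contacted
    followed_up_at: Optional[datetime] = None
    user_confirmed: Optional[bool] = None     # did the user recognise the request?


def meets_two_factor_rule(req: RecoveryRequest) -> bool:
    """Both factors must be present; either one by itself is not enough."""
    return req.id_document_received and req.knowledge_answer_matched is True


class RecoveryAuditLog:
    """Append-only record of every recovery request and its outcome."""

    def __init__(self) -> None:
        self._entries: List[RecoveryRequest] = []

    def record(self, req: RecoveryRequest) -> RecoveryRequest:
        # Decision is derived from the evidence, never set by hand.
        req.approved = meets_two_factor_rule(req)
        self._entries.append(req)
        return req

    def get(self, request_id: str) -> RecoveryRequest:
        for r in self._entries:
            if r.request_id == request_id:
                return r
        raise KeyError(request_id)

    def due_for_follow_up(self, now: datetime) -> List[RecoveryRequest]:
        """Approved requests at least a week old not yet confirmed with the user."""
        return [r for r in self._entries
                if r.approved and r.followed_up_at is None
                and now - r.received_at >= FOLLOW_UP_DELAY]

    def mark_followed_up(self, request_id: str, when: datetime,
                         channel: str, user_confirmed: bool) -> RecoveryRequest:
        r = self.get(request_id)
        r.followed_up_at = when
        r.follow_up_channel = channel
        r.user_confirmed = user_confirmed
        return r

    def unrecognised(self) -> List[RecoveryRequest]:
        """Follow-ups where the user did NOT recognise the request: review these."""
        return [r for r in self._entries if r.user_confirmed is False]


def build_sample_log() -> RecoveryAuditLog:
    """Constructed sample data: three requests handled on the same morning."""
    log = RecoveryAuditLog()
    t0 = datetime(2008, 1, 4, 9, 0)
    log.record(RecoveryRequest("R1", "astudent", t0, True, True, "helpdesk-a"))    # both factors
    log.record(RecoveryRequest("R2", "bstaff", t0, True, None, "helpdesk-a"))     # ID only
    log.record(RecoveryRequest("R3", "cfaculty", t0, False, True, "helpdesk-b"))  # answer only
    return log


if __name__ == "__main__":
    log = build_sample_log()
    week_later = datetime(2008, 1, 11, 9, 0)
    for r in log.due_for_follow_up(week_later):
        print(f"{r.request_id}: contact {r.user_id} by email/phone to confirm the reset")
```

Only R1 is approved; R2 and R3 each present a single factor and are logged as refused, which is the audit trail the post asks for. A week later R1 appears in the follow-up list, and if the user does not recognise the request it surfaces in `unrecognised()` for review.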
