Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 4 Jan 2008 20:39:47 -0500

I agree with you completely about this. What I was (mentally) referring to was collecting a really good set of
secrets that are not really lame (favorite color, etc.).

We are happy with the ID card reset and the user-known secrets to re-activate - but the best secret was the SSN, which
we are going to have to stop using.

Collecting a new secret from everyone is going to be painful.

I also agree that making sure that the solution fits the size of the problem is important.

Joel


--On Friday, January 04, 2008 5:18 PM -0500 Valdis.Kletnieks () vt edu wrote:

> On Fri, 04 Jan 2008 14:54:05 EST, Joel Rosenblatt said:
>
> > Joking aside, this is a really hard problem to solve and I don't think that
> > I've seen a really good answer for this yet.
>
> One needs to keep in mind that perhaps "really good" isn't required here, just
> "good enough".  For instance, if the user is "remote" and can't come in person,
> it may very well be "good enough" to get a fax of the ID - although that may
> indeed not prove it's the person, it proves the person has possession of the
> ID.  And if the real user dropped his wallet somewhere in Rome, what are the
> chances that the person who picked it up will have any interest in hacking
> into your site?  Remember - we're not talking about a Visa card that has some
> rather general usages.
>
> Yes, it's *possible* that the pickpocket in Warsaw is an alumnus who is still
> upset about that failing grade he got 20 years ago and recognizes that
> obtaining an active account is the first step towards hacking in and fixing the
> grade he got, but at some point you really have to say "What are the
> *realistic* chances?"...

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel