Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 4 Jan 2008 20:39:47 -0500
I agree with you completely about this. What I was (mentally) referring to was collecting a really good set of secrets that are not really lame (favorite color, etc.). We are happy with the ID card reset and the user-known secrets to re-activate, but the best secret was the SSN, which we are going to have to stop using. Collecting a new secret from everyone is going to be painful. I also agree that making sure that the solution fits the size of the problem is important.

Joel

--On Friday, January 04, 2008 5:18 PM -0500 Valdis.Kletnieks () vt edu wrote:
On Fri, 04 Jan 2008 14:54:05 EST, Joel Rosenblatt said:

> Joking aside, this is a really hard problem to solve and I don't think that I've seen a really good answer for this yet.

One needs to keep in mind that perhaps "really good" isn't required here, just "good enough". For instance, if the user is "remote" and can't come in person, it may very well be "good enough" to get a fax of the ID - although that may indeed not prove it's the person, it proves the person has possession of the ID. And if the real user dropped his wallet somewhere in Rome, what are the chances that the person who picked it up will have any interest in hacking into your site?

Remember - we're not talking about a Visa card that has some rather general usages. Yes, it's *possible* that the pickpocket in Warsaw is an alumnus who is still upset about that failing grade he got 20 years ago and recognizes that obtaining an active account is the first step towards hacking in and fixing the grade he got, but at some point you really have to say "What are the *realistic* chances?"...
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel