Educause Security Discussion mailing list archives
Re: telephone authentication
From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Fri, 25 Apr 2008 13:58:36 -0400
My impression of current best practices would be to use a set of security questions. You create a bank of questions and the students provide the answer (Mother's maiden could be one) to three when they call in. Caller ID and text messages aren't ideal because you're now bringing another system into play for the authentication to work. I was without my cell phone for a day last year when I accidentally left it in my pocket during a swim. Things happen and I don't think you'd want to be at the mercy of everyone's ability to remember to bring their phone or keep it charged.

The security questions aren't perfect, but with good questions, it can be pretty good. I could probably answer most questions for my wife and my lifelong friends, but it gets much harder after that. I'd stay away from questions that involve current "favorites" like songs or movies. Tastes change over time and it can be difficult to remember what your favorite movie was three years ago. Things like the name of your first elementary school, first car owned, name of first pet, first concert, favorite color, favorite historical figure, etc. are all "personal" but not particularly sensitive. Some people who know you well might know some, but they probably won't know them all, unless they're very, very close to you.

Come up with 10 questions, force everyone to answer at least 5 and then use a random 3 anytime they call in. It's pretty useful.

On Fri, Apr 25, 2008 at 1:16 PM, Kevin Shalla <kshalla () uic edu> wrote:
How do you guys do telephone authentication? It's certainly easiest if your student or employee ID number is sort of secret, and you just ask for that number, but what if you want to do real authentication that isn't easy for any employee with access to the student database to forge? We've had some thoughts, but none that is effective, complete, and convenient. We thought about comparing caller ID with the phone number stored in the student database, but that would cut out people who were not using a phone in our database. We also thought about sending a text message of a random string of numbers to the cell phone we have in our database for that person and having him read it back, but we don't have many cell phone numbers in our database. Banks ask for mother's maiden name, but we're not capturing that now, and I'm sure some people would refuse to give that to us, guessing that our employees could then go out and start accessing their bank accounts (I would probably also refuse!). What keeps evil bank employees from impersonating us to spend money in our names?
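The scheme Mike describes (a bank of 10 questions, at least 5 answered at enrollment, a random 3 asked on each call), written out as an added example that is not part of this thread. The question wording, the PBKDF2 hashing and the answer-normalization rule are my assumptions; hashing the answers is what keeps staff with database access (Kevin's concern) from simply reading them out.

```python
import hmac
import hashlib
import secrets
import unicodedata

# Constructed question bank: stable facts, not "current favorites" that change.
QUESTION_BANK = {i + 1: q for i, q in enumerate([
    "first elementary school", "first car owned", "name of first pet",
    "first concert", "favorite colour", "favorite historical figure",
    "city of birth", "street in first grade", "high school mascot",
    "first employer",
])}
MIN_ENROLLED = 5   # everyone answers at least 5 of the 10
PER_CALL = 3       # a random 3 are asked on each call

def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Fido ' and 'fido' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so the stored record does not reveal the answer itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest

class SecurityQuestionStore:
    def __init__(self) -> None:
        self._enrolled = {}   # user -> {question id: (salt, digest)}
        self._pending = {}    # user -> question ids issued on the current call

    def enroll(self, user: str, answers: dict) -> None:
        if len(answers) < MIN_ENROLLED or not set(answers) <= set(QUESTION_BANK):
            raise ValueError(f"answer at least {MIN_ENROLLED} questions from the bank")
        self._enrolled[user] = {q: hash_answer(a) for q, a in answers.items()}

    def challenge(self, user: str) -> list:
        """Pick a fresh random subset of the caller's own enrolled questions."""
        qids = secrets.SystemRandom().sample(sorted(self._enrolled[user]), PER_CALL)
        self._pending[user] = qids
        return qids

    def verify(self, user: str, responses: dict) -> bool:
        """All asked questions must be right; the issued challenge is single-use."""
        asked = self._pending.pop(user, [])
        ok = bool(asked)
        for qid in asked:   # no early exit, so timing does not reveal which one failed
            salt, expected = self._enrolled[user][qid]
            _, got = hash_answer(responses.get(qid, ""), salt)
            ok &= hmac.compare_digest(expected, got)
        return ok
```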