Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Bob Bayn <bob.bayn () USU EDU>
Date: Fri, 10 Apr 2009 12:23:27 -0600

We have had a challenge/response system for about a year now and have a couple of problems that are bigger than 
anticipated.  We have standard questions and allow the users to supply some questions of their own.  We caution them to 
avoid questions that could be answered with online research (on facebook, etc) and we remind them that their answers do 
not have to be true or even make sense, but they have to remember them (What's your mother's maiden name? Hitler  What 
is your favorite car? Potato)

Responses must be an exact match, and our users seem to have a lot of trouble with that, especially after 6 months or 
so.
Some "favorites" change over time so challenges that ask about a favorite are hard to answer after 6 months.

We've just recently given our ServiceDesk staff the ability to access a user's challenge responses so they can do 
confirmations over the phone and accept approximate matches to the answers.

I can't find a reference right now, but I recently saw a confirmation approach that asks a bunch of T/F Y/N questions 
and when a challenge is needed, the user has to respond correctly to most of a significant subset of those questions 
("do you like cake better than pie?")


Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert 
[r.witmer () SNHU EDU]
Sent: Friday, April 10, 2009 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Challenge/response questions?

There must be a better way!  We have a customized single sign on solution and are looking at self service password 
resets from a web page.  Everything after authentication has been worked out.  Currently we are thinking of using 
challenge/response type questions to verify account ownership.  However, either most of the information is available on 
line (mother’s maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don’t 
collect and don’t want to use.

Anyone have a better idea?  If not, anyone have better challenge/response questions?

Regards,
Bob
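Added example (not code from either poster or from any product mentioned in the thread): a sketch of the two designs discussed above. The first part stores free-text answers as salted slow hashes but normalises case, accents, punctuation and spacing before hashing, so "Potato" and "potato!" match without the service desk needing the plaintext; the second part grades a random subset of yes/no questions against a threshold and computes how often a pure guesser would pass, which is the number that decides whether "most of a significant subset" is strict enough. The normalisation policy, the hash parameters and the sample questions are all assumptions for illustration.

```python
import hashlib
import hmac
import math
import os
import re
import secrets
import unicodedata

# ---- Free-text challenge answers: exact match after normalisation ---------

def normalize_answer(text: str) -> str:
    """Canonicalise an answer so that case, accents, punctuation and spacing
    do not cause a mismatch months later. Hypothetical policy: strip accents,
    casefold, collapse everything that is not a letter or digit to one space."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^a-z0-9]+", " ", text)
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash of the normalised answer, so a leaked
    table of responses is not immediately usable. Iteration count is an
    assumption; tune it to your hardware."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )


def enroll_answers(answers: dict) -> dict:
    """Return {question: (salt, digest)}; the plaintext answer is discarded.
    Note the trade-off: once only digests are kept, nobody (including the
    service desk) can accept an approximate match beyond what normalisation
    already tolerates."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, hash_answer(answer, salt))
    return record


def verify_answer(record: dict, question: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    salt, digest = record[question]
    return hmac.compare_digest(hash_answer(candidate, salt), digest)


# ---- Yes/No question bank: pass if most of a random subset is right -------

def select_challenge(bank: dict, k: int, rng=None) -> list:
    """Pick k question ids from the enrolled bank; a fresh subset per attempt
    so an observer of one attempt does not see the whole bank."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(sorted(bank), k)


def grade_challenge(bank: dict, responses: dict, min_correct: int) -> bool:
    """True when at least min_correct of the submitted yes/no responses match
    the enrolled answers (one-bit answers are kept in the clear: hashing a
    boolean would add nothing)."""
    correct = sum(1 for q, a in responses.items() if bank.get(q) == a)
    return correct >= min_correct


def guess_pass_probability(k: int, min_correct: int) -> float:
    """Probability that someone answering k coin-flip questions at random gets
    at least min_correct right: the binomial tail with p = 1/2."""
    return sum(math.comb(k, i) for i in range(min_correct, k + 1)) / 2 ** k


if __name__ == "__main__":
    # Constructed sample enrolment in the spirit of the thread's examples.
    record = enroll_answers({"favorite car": "Potato"})
    print("exact:", verify_answer(record, "favorite car", "Potato"))
    print("normalised:", verify_answer(record, "favorite car", "  potato! "))
    print("wrong:", verify_answer(record, "favorite car", "potato chip"))

    # Constructed yes/no bank: ten enrolled answers, ask all ten, require 8.
    bank = {f"q{i}": (i % 3 == 0) for i in range(10)}
    asked = select_challenge(bank, 10)
    answers = {q: bank[q] for q in asked}
    print("all correct:", grade_challenge(bank, answers, 8))
    print("guesser passes with p =", guess_pass_probability(10, 8))
```

With ten questions and a threshold of eight, a blind guesser still passes about 5.5% of the time, so a larger bank, a higher threshold, and an attempt limit all matter; the function makes that trade-off explicit before the policy is chosen.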
