Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Bob Bayn <bob.bayn () USU EDU>
Date: Fri, 10 Apr 2009 12:23:27 -0600
We have had a challenge/response system for about a year now and have a couple of problems that are bigger than anticipated. We have standard questions and allow the users to supply some questions of their own. We caution them to avoid questions that could be answered with online research (on Facebook, etc.) and we remind them that their answers do not have to be true or even make sense, but they have to remember them (What's your mother's maiden name? Hitler. What is your favorite car? Potato).

Responses must be an exact match, and our users seem to have a lot of trouble with that, especially after 6 months or so. Some "favorites" change over time, so challenges that ask about a favorite are hard to answer after 6 months. We've just recently given our ServiceDesk staff the ability to access a user's challenge responses so they can do confirmations over the phone and accept approximate matches to the answers.

I can't find a reference right now, but I recently saw a confirmation approach that asks a bunch of T/F Y/N questions, and when a challenge is needed, the user has to respond correctly to most of a significant subset of those questions ("do you like cake better than pie?").

Bob Bayn (435) 797-2396
Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Witmer, Robert [r.witmer () SNHU EDU]
Sent: Friday, April 10, 2009 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Challenge/response questions?

There must be a better way! We have a customized single sign on solution and are looking at self service password resets from a web page. Everything after authentication has been worked out. Currently we are thinking of using challenge/response type questions to verify account ownership. However, either most of the information is available on line (mother's maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don't collect and don't want to use.

Anyone have a better idea? If not, anyone have better challenge/response questions?

Regards,
Bob
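The two mechanics Bob describes, exact-match free-text answers that users fail on trivial variations, and a pool of yes/no questions where the user must get most of a random subset right, are sketched below as an added example; this is not code from the original thread or from USU's system. It normalizes free-text answers (case, accents, punctuation, whitespace) before salting and hashing them, so that "Potato" and "  potato " match without the answers being stored in plaintext, and it shows why the yes/no scheme is only as strong as the size of the subset and the threshold: a single-bit answer cannot usefully be hashed, so the guessing probability is computed from the subset size. The function names, PBKDF2 parameters, question strings and thresholds are all my own assumptions.

```python
import hashlib
import hmac
import math
import os
import random
import unicodedata


def normalize(answer: str) -> str:
    """Canonicalize a free-text answer so harmless variations compare equal.

    Strips accents, case-folds, drops punctuation and collapses whitespace:
    "St. Mary's" and "  st marys " both become "st marys".
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Hash the normalized form so verification never needs the plaintext.
    # Iteration count is an assumption for the example, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


def enroll_freetext(answers: dict) -> dict:
    """answers: question -> answer given at enrollment. Returns question -> (salt, digest)."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, hash_answer(answer, salt))
    return record


def verify_freetext(record: dict, question: str, response: str) -> bool:
    salt, digest = record[question]
    # Constant-time comparison of the stored digest against the candidate.
    return hmac.compare_digest(digest, hash_answer(response, salt))


def choose_subset(enrolled_bool: dict, k: int, rng=None) -> list:
    """Pick k of the enrolled yes/no questions to ask in this challenge."""
    rng = rng or random.SystemRandom()
    return rng.sample(sorted(enrolled_bool), k)


def verify_bool(enrolled_bool: dict, asked: list, responses: dict, threshold: int) -> bool:
    """Pass if at least `threshold` of the `asked` questions were answered as enrolled.

    Yes/no answers are one bit each, so they are kept as-is; hashing a single
    bit would add nothing. A missing response counts as wrong.
    """
    correct = sum(1 for q in asked if q in responses and responses[q] == enrolled_bool.get(q))
    return correct >= threshold


def guess_success_probability(k: int, threshold: int) -> float:
    """Chance that random yes/no guessing gets at least `threshold` of k right."""
    return sum(math.comb(k, i) for i in range(threshold, k + 1)) / 2 ** k


if __name__ == "__main__":
    # Constructed sample enrollment, mirroring the "answers need not be true" advice.
    free = enroll_freetext({"favorite car": "Potato", "mother's maiden name": "Hitler"})
    print(verify_freetext(free, "favorite car", "  POTATO "))   # True after normalization
    print(verify_freetext(free, "favorite car", "potatoes"))    # False: still an exact match

    # Constructed yes/no pool of 12 questions; ask 10, require 8 correct.
    pool = {f"q{i}: do you like cake better than pie? (variant {i})": bool(i % 2) for i in range(12)}
    asked = choose_subset(pool, 10, random.Random(1))
    answers = {q: pool[q] for q in asked}
    print(verify_bool(pool, asked, answers, 8))                 # True
    print(f"{guess_success_probability(10, 8):.4f}")            # 0.0547
```

The point worth taking from the last line: with ten yes/no questions and an 8-of-10 pass mark, a caller who knows nothing about the user still passes about 5.5% of the time, so the pool size and threshold have to be chosen with that number in mind, and the help desk path that accepts approximate matches deserves the same arithmetic.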
Current thread:
- Challenge/response questions? Witmer, Robert (Apr 10)
- <Possible follow-ups>
- Re: Challenge/response questions? Mike Waller (Apr 10)
- Re: Challenge/response questions? Bob Bayn (Apr 10)
- Re: Challenge/response questions? Kevin Shalla (Apr 10)
- Re: Challenge/response questions? McCrary, Barbara (Apr 10)
- Re: Challenge/response questions? j.price (Apr 10)
- Re: Challenge/response questions? Dave Ferguson (Apr 13)
- Re: Challenge/response questions? Schumacher, Adam J (Apr 13)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Bob Bayn (Apr 14)
(Thread continues...)