Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Fri, 10 Apr 2009 14:23:02 -0400
Many solutions these days let you build up a bank of standardized questions and then you ask the users to provide answers to five or so. This will sometimes include questions like mother's maiden, but when the users are asked to verify their identity, the tool will present them with a random sampling of 3 of their questions. In that case, knowing the answer to a couple of the questions doesn't necessarily get someone else into the account. On Fri, Apr 10, 2009 at 1:57 PM, Witmer, Robert <r.witmer () snhu edu> wrote:
There must be a better way! We have a customized single sign on solution and are looking at self service password resets from a web page. Everything after authentication has been worked out. Currently we are thinking of using challenge/response type questions to verify account ownership. However, either most of the information is available on line (mother’s maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don’t collect and don’t want to use. Anyone have a better idea? If not, anyone have better challenge/response questions? Regards, Bob
Current thread:
- Challenge/response questions? Witmer, Robert (Apr 10)
- <Possible follow-ups>
- Re: Challenge/response questions? Mike Waller (Apr 10)
- Re: Challenge/response questions? Bob Bayn (Apr 10)
- Re: Challenge/response questions? Kevin Shalla (Apr 10)
- Re: Challenge/response questions? McCrary, Barbara (Apr 10)
- Re: Challenge/response questions? j.price (Apr 10)
- Re: Challenge/response questions? Dave Ferguson (Apr 13)
- Re: Challenge/response questions? Schumacher, Adam J (Apr 13)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
- Re: Challenge/response questions? Gary Flynn (Apr 14)
(Thread continues...)