Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Fri, 10 Apr 2009 14:23:02 -0400

Many solutions these days let you build up a bank of standardized questions
and then you ask the users to provide answers to five or so. This will
sometimes include questions like mother's maiden, but when the users are
asked to verify their identity, the tool will present them with a random
sampling of 3 of their questions. In that case, knowing the answer to a
couple of the questions doesn't necessarily get someone else into the
account.

On Fri, Apr 10, 2009 at 1:57 PM, Witmer, Robert <r.witmer () snhu edu> wrote:

There must be a better way!  We have a customized single sign-on solution
and are looking at self-service password resets from a web page.  Everything
after authentication has been worked out.  Currently we are thinking of
using challenge/response type questions to verify account ownership.
However, either most of the information is available online (mother’s
maiden name = genealogy sites) or includes personally identifying
information (SSN last 4) that we don’t collect and don’t want to use.



Anyone have a better idea?  If not, anyone have better challenge/response
questions?



Regards,
Bob
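
Added example, not part of either message above: a sketch of the scheme Mike describes (five enrolled answers, a random three presented at verification), plus the chance that a single draw contains only questions someone else can already answer. The function names, the PBKDF2 parameters, and the answer normalization are assumptions made for this illustration.

```python
import hashlib, hmac, os, secrets
from math import comb

ASK = 3            # questions presented per verification, as in the post
ROUNDS = 100_000   # illustrative PBKDF2 work factor (assumption)

def _digest(answer: str, salt: bytes) -> bytes:
    # Normalize case and spacing so the real owner is not locked out by a typo in form.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, ROUNDS)

def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Store a salted hash per answer, never the answer itself."""
    record = {}
    for qid, ans in answers.items():
        salt = os.urandom(16)
        record[qid] = (salt, _digest(ans, salt))
    return record

def new_challenge(record) -> list[str]:
    """Pick ASK enrolled questions with a CSPRNG. Keep the selection fixed for
    the whole reset attempt; if a page reload redraws it, the sampling stops
    protecting the questions an outsider cannot answer."""
    return secrets.SystemRandom().sample(sorted(record), ASK)

def verify(record, challenge, responses) -> bool:
    """Every presented question must match; all are evaluated before deciding."""
    ok = len(set(challenge)) == ASK
    for qid in challenge:
        salt, stored = record[qid]
        ok &= hmac.compare_digest(_digest(responses.get(qid, ""), salt), stored)
    return ok

def p_all_known(known: int, enrolled: int = 5, ask: int = ASK) -> float:
    """Chance that one random draw holds only questions whose answers are known."""
    return comb(known, ask) / comb(enrolled, ask)

if __name__ == "__main__":
    # Constructed sample answers, for illustration only.
    mine = {"q1": "Blue Heron", "q2": "Elm Street", "q3": "Rex",
            "q4": "Mr. Ortiz", "q5": "Toledo"}
    rec = enroll(mine)
    ch = new_challenge(rec)
    print(ch, verify(rec, ch, {q: mine[q] for q in ch}))
    for k in range(2, 6):
        print(f"knows {k} of 5 -> passes one draw with p = {p_all_known(k):.1f}")
```

Knowing two of the five answers never satisfies a draw of three, which is the point made in the reply; knowing three succeeds on one draw in ten, and knowing four on four in ten.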

