Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 16:36:23 -0400

Witmer, Robert wrote:
There must be a better way! We have a customized single sign on solution and are looking at self service password resets from a web page. Everything after authentication has been worked out. Currently we are thinking of using challenge/response type questions to verify account ownership. However, either most of the information is available on line (mother’s maiden name = genealogy sites) or includes personally identifying information (SSN last 4) that we don’t collect and don’t want to use. Anyone have a better idea? If not, anyone have better challenge/response questions?


I don't think a question/answer system by itself is a viable
authentication system for account access to anything but
trivial accounts.

Questions that are sufficient to prove identity with any
assurance will result in a lot of false negatives and be
a support nightmare. Questions that aren't sufficient
result in unacceptable risk of unauthorized account access.

It must be combined with something else. Many years ago that
would be SSN. :)

Today, an external email address or cell phone seems to be
the most popular and logical choice. They both provide an
out of band communications channel.


As for questions:

In our experience, you cannot depend upon users to choose good
questions. We've seen questions like this:

1) What color is my favorite sweater?
   Problem: Insufficient domain of answers. Easily brute forced.

2) What was my high school's mascot?
   Problem: High school is easily found on Facebook, MySpace, and
   other sites.

3) What is my social security number?
   Problem: You're unknowingly storing sensitive data.

4) What is my uncle's birthday?
   Problem: You're storing personal information about a person
   unaffiliated with your university.

You must supply at least some of your own questions.

We had a list of questions for a proposed system to replace our
current system but I can't put my hands on them now. I think
we had 8 questions and the user could pick any 3. I think several
were of the "what is your favorite" variety which violates the
recommendation not to choose questions whose answers might
change, but there are really no good solutions to this
problem.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
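As an added illustration of two points in Gary's reply (an answer drawn from a small domain is trivially brute-forced, and the question has to be paired with an out-of-band channel such as an external e-mail address or cell phone), here is a Python sketch of a reset flow. It is not code from the original thread or from JMU. It rejects questions with too small an answer space at enrollment, stores salted slow hashes of normalized answers so typos do not become false negatives, locks the knowledge-question step after a constructed attempt limit, and on success sends a short-lived single-use code to the enrolled contact rather than granting the reset directly. The class and function names, the policy constants and the domain-size figures are all assumptions made for this example.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata
from dataclasses import dataclass

# Constructed policy values for this sketch; tune for your own environment.
MAX_ATTEMPTS = 5            # failed question attempts before the reset path locks
OTP_TTL_SECONDS = 600       # lifetime of the out-of-band code
MIN_ANSWER_BITS = 20.0      # reject questions whose answer space is below this


def normalize(answer: str) -> str:
    """Fold case and drop accents, punctuation and spaces so the user is not
    rejected for typing 'Fluffy!' instead of 'fluffy' (fewer false negatives)."""
    decomposed = unicodedata.normalize("NFKD", answer)
    return "".join(ch for ch in decomposed.casefold() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: a salted, slow hash of the normalized text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


def answer_bits(domain_size: int) -> float:
    """Entropy of a uniformly guessed answer drawn from domain_size candidates."""
    return math.log2(domain_size)


def question_is_acceptable(domain_size: int, min_bits: float = MIN_ANSWER_BITS) -> bool:
    """A 'favorite sweater color' question with a dozen plausible answers (~3.6 bits)
    is rejected; an assumed domain of 2**24 distinct answers (24 bits) passes."""
    return answer_bits(domain_size) >= min_bits


@dataclass
class Enrollment:
    salt: bytes
    answer_hash: bytes
    contact: str            # external e-mail address or phone: the out-of-band channel
    failed_attempts: int = 0
    locked: bool = False


class ResetService:
    """The knowledge question grants nothing by itself; it only decides whether a
    code is sent over the out-of-band channel, and that code is what unlocks the reset."""

    def __init__(self, deliver):
        self.deliver = deliver  # callable(contact, code) that sends the code out of band
        self.users: dict[str, Enrollment] = {}
        self.pending: dict[str, tuple[str, float]] = {}

    def enroll(self, username: str, domain_size: int, answer: str, contact: str) -> None:
        if not question_is_acceptable(domain_size):
            raise ValueError("answer domain too small; trivially brute-forced")
        salt = secrets.token_bytes(16)
        self.users[username] = Enrollment(salt, hash_answer(answer, salt), contact)

    def answer_question(self, username: str, answer: str, now: float) -> bool:
        """Step 1: check the question under an attempt limit. Success sends a code
        to the enrolled contact instead of granting the reset directly."""
        entry = self.users.get(username)
        if entry is None or entry.locked:
            return False  # same response for unknown and locked accounts
        if not hmac.compare_digest(hash_answer(answer, entry.salt), entry.answer_hash):
            entry.failed_attempts += 1
            entry.locked = entry.failed_attempts >= MAX_ATTEMPTS
            return False
        entry.failed_attempts = 0
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, now + OTP_TTL_SECONDS)
        self.deliver(entry.contact, code)
        return True

    def redeem_otp(self, username: str, code: str, now: float) -> bool:
        """Step 2: the code is single-use (removed on the first attempt) and time-limited."""
        pending = self.pending.pop(username, None)
        if pending is None:
            return False
        expected, expires_at = pending
        if now > expires_at:
            return False
        return hmac.compare_digest(expected, code)
```

The `deliver` callback stands in for whatever actually sends the code (an SMTP or SMS gateway); passing it in keeps the flow testable offline and keeps the code out of the web response, which is the whole point of the second channel.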
