Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 18:15:16 -0400
Bob Bayn wrote:

> Gary Flynn commented on some of my remarks, concluding with:
>
> We've just recently given our ServiceDesk staff the ability to access a user's challenge responses so they can do confirmations over the phone and accept approximate matches to the answers.
>
> Isn't that kind of like giving them access to the account passwords?
>
> What's the risk there compared to giving them the capability to reset a password when the user provides some other "proof" of ID? Either can be misused and would be grounds for disciplinary action, dismissal and/or legal action.
True. But there may be some additional risk incurred depending upon the definition of "reset" and what happens after the challenge questions are answered.

Worst case:

1) "Reset" means the password is set to a default value unique to the user and known only to that user.

2) Successfully completing the challenge results in the user being able to change their password. That is, the challenge process does not just "reset" the password to the default value.

In that scenario, the support person is able to use knowledge of the challenge answers to complete the challenge process and enter a password of their choosing, taking full control of the account. That is a new risk.

In other scenarios, there wouldn't be additional risk:

1) The "reset" process sets the password to a value known to the support person. No additional risk is assumed by them knowing the challenge questions.

2) The challenge process only "resets" the password to a value known only to the end user. The ability to compromise the challenge process results only in setting the password to the default value, which is not known by the support staff.

We recently had a discussion here about new ways to handle forgotten passwords and I was asked how I'd feel about support staff actually setting the user's password value upon request. After proper authentication of course. :) I squirmed a little and said if they required an immediate response I'd have to reject the idea but wanted some time to consider it.

A lot depends upon the definition of "support staff": how many people would have this ability and what roles they played (e.g. full time staff, part time student employees).

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
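One way to act on the concern raised in this exchange without handing the answers themselves to the ServiceDesk, as an added example that is not code from the thread or from any institution mentioned in it: the comparison runs server-side and returns only match/no-match to the agent, approximate phone answers are tolerated by normalising the text before comparing, a passed challenge sends the user a one-time reset token instead of letting the agent choose a password (the non-risky scenario in the reply above), and every lookup is audit-logged. The service name, threshold, lockout count and in-memory store are all assumptions.

```python
import secrets
import unicodedata
from difflib import SequenceMatcher

MATCH_THRESHOLD = 0.8   # assumed tolerance for approximate (spoken) answers
MAX_FAILURES = 3        # assumed lockout after this many misses per user


def normalize(text):
    """Canonicalise so 'Fluffy ' and 'fluffy' compare equal."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def similar(stored, spoken):
    """Approximate match on normalised text. Fuzzy matching needs the stored
    answer in usable form, so the comparison stays inside the service."""
    ratio = SequenceMatcher(None, normalize(stored), normalize(spoken)).ratio()
    return ratio >= MATCH_THRESHOLD


class ChallengeService:
    """Help-desk verifier (hypothetical): the agent submits what the caller
    said and gets back only True/False, never the stored answer."""

    def __init__(self, answers):
        self._answers = dict(answers)  # (user, question) -> answer; encrypt at rest in practice
        self._failures = {}
        self.audit = []                # (agent, user, outcome); answers are never logged
        self.outbox = {}               # simulated out-of-band delivery to the user's registered contact

    def verify(self, agent, user, question, spoken):
        if self._failures.get(user, 0) >= MAX_FAILURES:
            self.audit.append((agent, user, "locked"))
            return False
        stored = self._answers.get((user, question))
        ok = stored is not None and similar(stored, spoken)
        if not ok:
            self._failures[user] = self._failures.get(user, 0) + 1
        self.audit.append((agent, user, "match" if ok else "mismatch"))
        return ok

    def request_reset(self, agent, user, question, spoken):
        """A passed challenge never lets the agent set the password: it only
        sends the user a one-time reset token that the agent never sees."""
        if not self.verify(agent, user, question, spoken):
            return False
        self.outbox[user] = secrets.token_urlsafe(16)
        self.audit.append((agent, user, "reset-token-sent"))
        return True
```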