Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Apr 2009 18:15:16 -0400

Bob Bayn wrote:
> Gary Flynn commented on some of my remarks, concluding with:
>
> > > We've just recently given our ServiceDesk staff the ability to
> > > access a user's challenge responses so they can do confirmations
> > > over the phone and accept approximate matches to the answers.
> >
> > Isn't that kind of like giving them access to the account passwords?
>
> What's the risk there compared to giving them the capability to reset a
> password when the user provides some other "proof" of ID? Either can be
> misused and would be grounds for disciplinary action, dismissal and/or
> legal action.

True.

But there may be some additional risk incurred depending upon the
definition of "reset" and what happens after the challenge
questions are answered.

Worst case:

1) "Reset" means the password is set to a default value unique
   to the user and known only to that user.

2) Successfully completing the challenge results in the user
   being able to change their password. That is, the challenge
   process does not just "reset" the password to the default
   value.

In that scenario, the support person is able to use knowledge of
the challenge answers to complete the challenge process and
enter a password of their choosing taking full control of the
account. That is a new risk.

In other scenarios, there wouldn't be additional risk.

1) The "reset" process sets the password to a value known to
   the support person. No additional risk assumed by them
   knowing the challenge questions.
2) The challenge process only "resets" the password to a value
   known only to the end user. The ability to compromise the
   challenge process results only in setting the password to
   the default value that is not known by the support staff.

We recently had a discussion here about new ways to handle
forgotten passwords and I was asked how I'd feel about support
staff actually setting the user's password value upon request.
After proper authentication of course. :)

I squirmed a little and said if they required an immediate
response I'd have to reject the idea but wanted some time to
consider it. A lot depends upon the definition of "support
staff". How many people would have this ability and what
roles they played (e.g. full time staff, part time student
employees).

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
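The two "reset" designs Gary compares above differ in exactly one thing: whether passing the challenge lets the caller choose the new password, or only restores a per-user default that support staff never see. The toy model below is an added example, not code from the message or from any JMU or Educause system; account names, answers and the policy constants are constructed here. It encodes both policies and checks, under each, whether a support role that can read the stored answers ends up able to set an arbitrary password, and whether the legitimate user still recovers access.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Toy model of the two "reset" designs compared in the message above.
# Everything here is constructed for illustration; it models no real
# university directory or help-desk tool.

RESET_TO_USER_DEFAULT = "reset_to_user_default"  # challenge only restores the per-user default
USER_CHOOSES_NEW = "user_chooses_new"            # challenge lets the caller pick a new password


def _digest(secret: str) -> str:
    # Plain SHA-256 keeps the model short; a real store would use a salted,
    # slow password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def _normalise(answer: str) -> str:
    # "Approximate match" as in the message: ignore case and surrounding whitespace.
    return " ".join(answer.lower().split())


@dataclass
class Account:
    username: str
    password_digest: str
    default_digest: str                 # per-user default, known only to the user
    challenge_answers: Dict[str, str]   # readable by support for phone confirmation


class Directory:
    def __init__(self, policy: str) -> None:
        if policy not in (RESET_TO_USER_DEFAULT, USER_CHOOSES_NEW):
            raise ValueError(f"unknown reset policy: {policy}")
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def enroll(self, username: str, password: str, default_password: str,
               answers: Dict[str, str]) -> None:
        self.accounts[username] = Account(
            username, _digest(password), _digest(default_password), dict(answers))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.password_digest == _digest(password)

    def support_view_answers(self, username: str) -> Dict[str, str]:
        # The capability Bob describes: ServiceDesk staff can see the stored answers.
        return dict(self.accounts[username].challenge_answers)

    def complete_challenge(self, username: str, given: Dict[str, str],
                           new_password: Optional[str] = None) -> bool:
        acct = self.accounts[username]
        for question, expected in acct.challenge_answers.items():
            if _normalise(given.get(question, "")) != _normalise(expected):
                return False
        if self.policy == RESET_TO_USER_DEFAULT:
            # Only the default is restored; whoever passed the challenge
            # still has to know that default to log in.
            acct.password_digest = acct.default_digest
        else:
            if new_password is None:
                raise ValueError("this policy requires a new password")
            acct.password_digest = _digest(new_password)
        return True


def _fresh_directory(policy: str) -> Directory:
    d = Directory(policy)
    d.enroll("alice", "correct horse battery", "alice-default-only-she-knows",
             {"pet": "Rex", "city": "Harrisonburg"})
    return d


def support_can_set_arbitrary_password(policy: str) -> bool:
    """Does read access to the challenge answers let a support person choose
    the account password under this policy? (The 'new risk' in the message.)"""
    d = _fresh_directory(policy)
    answers = d.support_view_answers("alice")   # support reads the stored answers
    chosen = "support-chosen-password"
    d.complete_challenge("alice", answers, new_password=chosen)
    return d.login("alice", chosen)


def user_can_recover(policy: str) -> bool:
    """The legitimate user, who knows both answers and default, gets back in."""
    d = _fresh_directory(policy)
    d.complete_challenge("alice", {"pet": "rex", "city": "harrisonburg"},
                         new_password="fresh-password")
    expected = "alice-default-only-she-knows" if policy == RESET_TO_USER_DEFAULT \
        else "fresh-password"
    return d.login("alice", expected)


if __name__ == "__main__":
    for policy in (USER_CHOOSES_NEW, RESET_TO_USER_DEFAULT):
        print(policy, "support can set password:",
              support_can_set_arbitrary_password(policy),
              "user recovers:", user_can_recover(policy))
```

The point the model makes concrete is that the answers themselves are not the problem; the privilege attached to passing the challenge is. Under `RESET_TO_USER_DEFAULT` the support role's read access is no more than it already had with a visible-value reset, while under `USER_CHOOSES_NEW` the same read access becomes full control of the account.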
