
| Subject: | Re: User verification questions |
|---|---|
| Date: | Thu, 13 Oct 2005 16:09:21 +0100 |
Add to this, the fact that many people publicly publish a lot of the personal information in easily accessible Blogs. Discovering the name of someone's pet cat becomes surprisingly easy.

On 11/10/05, Andrew van der Stock <vanderaj@greebo.net> wrote:

> The quick answer is "none of the above". I regularly answer random characters to them as I refuse to use them.
>
> My litany of inexcusable design frights against these awful interfaces is:
>
> a) Privacy acts. You have to have a decent reason to collect and keep private information. These Q&A monstrosities do not qualify. Businesses have NO reason to know my mother's maiden name. They have NO reason to know my favorite pet's name. Therefore, legally, you may not collect this information from me under most privacy regimes.
>
> b) Public sources. Most of the typical questions can be derived from public sources (date of birth, license numbers, credit checks, etc.)
>
> c) Laws and regulations surrounding certain types of information, particularly government identifiers. You must not collect or use certain pieces of information, such as SSN or similar government identifiers.
>
> d) "Guess an identity". Most people's favorite color is blue (about 90% from my survey so far). Similar guessable answers can be used to get past help desks with many clerks as they do not keep track of the total number of failed accesses through this back door password scheme.
>
> e) Information Security Policy adherence. These systems are a weak backdoor password system. Five-question Q&As are the equivalent of two-character passwords in terms of entropy (at best) and do not have any password aging, generally do not have any brute force provisions (although I don't like account lockout measures either), and thus fail to meet even basic security least-common-denominator practice.
>
> f) It's one-factor security - "something you know". I'd have an excellent chance at answering any of my family's Q&As, and a fairly good chance at any of my best friends' Q&As. Imagine if this was for a joint bank account where the two parties are feuding - you've just given access to someone who has no right to the account.
>
> Lastly, there are usually much better ways to go about these schemes than questions and answers.
>
> a) If it's to identify someone to a help desk, use a random number on the screen:
>
>     ++++++++++++
>     | Please call 1 800 LUSER, and quote "43743".
>
> b) If it's to recover access to an account, even e-mail or SMS resets are stronger than this - they are almost a "something you have, something you know".
>
> If you value your accounts, nothing beats face to face contact. Evidence of identity is essential for trust in the account.
>
> thanks,
> Andrew
>
> On 11/10/2005, at 12:47 AM, Derick Anderson wrote:
>
>> What good questions can be used for user verification? I've seen some password recovery interfaces which have the typical mother's maiden name, city of birth, etc. and others which let the user define their own question (a stupid idea in my opinion, but I'm willing to be educated). I'm thinking beyond a password recovery interface - I'm more concerned with a general protocol that could be used in situations where email isn't an option.
>>
>> Thanks,
>> Derick Anderson
-- Yousef Syed
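The entropy argument in points d) and e) above, and the missing shared count of failed answers that d) describes, as an added example that is not part of the thread. The answer shares (blue at 90%, "smith" at 1%, and so on) are constructed illustrations rather than survey data, and min-entropy is used because it measures exactly the "always submit the most common answer" attack; the code assumes questions are independent, which overstates a real scheme's strength. With these numbers, all five questions together are worth roughly three random printable characters, in the same ballpark as the post's two-character estimate.

```python
"""Added example, not from the thread: put numbers on points d) and e)
above and show the one control the post says the help desks lack, a
shared count of failed answers per account.

All answer shares below are constructed illustrations, not survey data.
"""
import math
import time

# Constructed: question -> (most common answer, share of users giving it).
# An attacker's best single guess is the most common answer, so its share
# is the only number min-entropy needs.
SECURITY_QUESTIONS = {
    "favourite colour": ("blue", 0.90),      # the post's ~90% figure
    "favourite pet's name": ("max", 0.05),
    "city of birth": ("london", 0.10),
    "mother's maiden name": ("smith", 0.01),
    "first school": ("st mary's", 0.02),
}

PRINTABLE_ASCII = 95  # alphabet size of a random password of keyboard characters


def min_entropy_bits(top_share):
    """Bits of work for an attacker who always submits the single most
    likely answer: -log2(p_max)."""
    return -math.log2(top_share)


def scheme_min_entropy_bits(questions):
    """Whole scheme, treating questions as independent. That is generous:
    real answers correlate and several are discoverable from public
    sources, so the true figure is lower."""
    return sum(min_entropy_bits(share) for _, share in questions.values())


def password_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet)


def equivalent_password_length(bits, alphabet=PRINTABLE_ASCII):
    """How many uniformly random characters carry the same number of bits."""
    return bits / math.log2(alphabet)


class FailedAttemptTracker:
    """Per-account failure counter shared by every clerk, so the question
    'back door' is subject to the same attempt budget as the front door.
    Lockout versus alerting is a policy choice; this only reports the count."""

    def __init__(self, max_failures=5, window_seconds=3600):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = {}  # account -> timestamps of recent failures

    def _recent(self, account, now):
        return [t for t in self._failures.get(account, [])
                if now - t < self.window_seconds]

    def record_failure(self, account, now=None):
        """Record one wrong answer; return the number of failures in the window."""
        now = time.time() if now is None else now
        recent = self._recent(account, now)
        recent.append(now)
        self._failures[account] = recent
        return len(recent)

    def is_locked(self, account, now=None):
        """True once the account has hit max_failures inside the window."""
        now = time.time() if now is None else now
        return len(self._recent(account, now)) >= self.max_failures


if __name__ == "__main__":
    for name, (answer, share) in SECURITY_QUESTIONS.items():
        print(f"{name:22s} best guess {answer!r:12s} {min_entropy_bits(share):5.2f} bits")
    total = scheme_min_entropy_bits(SECURITY_QUESTIONS)
    print(f"five questions together: {total:.2f} bits, "
          f"about {equivalent_password_length(total):.1f} random characters")
    print(f"8 random printable characters: {password_bits(8):.2f} bits")

    # Three different clerks each accept one wrong answer for the same
    # account; a shared tracker is what makes the third one visible.
    tracker = FailedAttemptTracker(max_failures=3, window_seconds=600)
    for clerk in ("clerk A", "clerk B", "clerk C"):
        count = tracker.record_failure("alice")
        print(f"{clerk}: wrong answer for alice, {count} failures in window, "
              f"locked={tracker.is_locked('alice')}")
```

Running the script prints the per-question bits, the total, and the three-clerk sequence ending with the account locked. The tracker is keyed on the account rather than on the clerk or the caller, since that is the only key an attacker cannot change between calls.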