[unisog] Supplying Account Names to Students

H. Morrow Long morrow.long at yale.edu
Fri Sep 27 00:52:18 GMT 2002


We've studied this problem a number of times in the past.  We
require a F2F encounter with ID to reset a password but we do
have Faculty and students on leave around the world.  Generally
the best method to authenticate these users needing a password
reset is to have them use a "chain of trust" model (e.g. as in
the famous Kevin Bacon commercial) linking to someone we trust
or to get themselves F2F to a trusted third party (an institution
or individual) in the country they are in.

Less good if having them fax some ID as credentials to us, the
"photo" part of the university ID card is invariable completely
black and the entire card image could have been completely
forged (you can often find GIF and JPEG images of ID cards on
the web suitable for modification).

One interesting approach (similar to the authentication for
password resets on many Internet websites, AKA the preset
Question/Answer Password Reset method) has recently been set
up at the University of Washington:

http://staff.washington.edu/rlmorgan/misc/secretquestions.html

This approach offers a great deal of convenience for remote users.
I'd like to see a comphrehensive analysis of the threats and
risks with this approach if anyone has evaluated or implemented
such a system.

- H. Morrow Long

Valdis.Kletnieks at vt.edu wrote:
> On Thu, 26 Sep 2002 14:49:56 EDT, Gary Flynn <flynngn at jmu.edu>  said:
> 
>>How can they find out? If they're not on campus?
> 
> 
> And equally important, what defenses do you use against social engineering
> attacks? (i.e. make them show up with a picture ID, refuse to do password
> changes over the phone, etc?) (And no, you don't need to share if you don't
> want to say - but you *should* think "what do we do to make sure that the
> person is who they say they are?" - and remember that things like their SSN
> are probably a *lot* easier to get than you think.  I'm willing to bet that
> walking through the gym locker room will find at least a few lockers that
> contain wallets without benefit of padlocks - you now have a name and a
> driver's license number (and in some states that's also the SSN by default).
> 
> A shocking number of organizations don't bother doing ANY verification...




More information about the unisog mailing list