[unisog] challenge-response applications
Peter Van Epp
vanepp at sfu.ca
Fri Apr 1 16:10:08 GMT 2005
Assuming that you mean challenge questions/answers to verify a user
identity in the case of a forgotten password (as opposed to 2 factor key fob
authentication) by challenge-response, ours is optional. When the user
activates their account via the web they have the option (off by default) to
enter challenge/response questions/answers which then may be used to identify
them if they can't appear in person with picture ID (which is our normal method
of resetting passwords). This enables students on coop terms out of town or
any account user that is travelling and forgets a password an option (not an
easy option, because only the Director is allowed to reset passwords via this
mechanism) other than appearing in person with ID. I don't know what our uptake
rate is (not all that very high I don't expect) but we don't intend it for
general use, only as a last resort in exceptional circumstances.
Why do you want to make it more general? To reduce staff costs of
dealing with forgotten passwords? Being able to automate the entire process
(which I think would be dangerous :-))? Something that I haven't thought of
(but should have :-))?
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Fri, Apr 01, 2005 at 10:26:10AM -0500, Rachel Franke wrote:
> I'm seeking input from schools that have challenge-response
> applications in place to verify user identity - I'd like to know if you
> require participation from your user groups (and if so, how do you
> enforce that requirement?), and also, what level of participation do
> you currently have in your challenge-response system?
> Ours has been in place for over a year now, but I'm working on
> increasing the level of participation and am just wondering what other
> schools are doing.
> Feel free to respond off-list, and if folks are interested, I can
> summarize responses back to the group.
> Rachel Franke
> Rachel Franke
> University IT Security Office
> Duke University