Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 4 Jan 2008 14:54:05 -0500

If I told you, they wouldn't be secrets anymore :-)

Yes, we are still using SSN parts, but will be changing to something we are calling a UPN - a unique 9-digit number that 
looks just like an SSN but isn't.

I have no idea how we are going to get people to remember that number - but at least their identity will be safe :-)

If you have a place to get cheap DNA scanners, we might be interested.

Joking aside, this is a really hard problem to solve and I don't think that I've seen a really good answer for this yet.

Thanks,
Joel

--On Friday, January 04, 2008 2:29 PM -0500 Gary Flynn <flynngn () JMU EDU> wrote:

Joel Rosenblatt wrote:
The point of the ID card is that you just do a RESET of the id if they
present the card (Over the phone, by knowing the card number, or by fax)
- the ID is not active at that point, but put back to the initial
state.  It then requires them to know the proper secrets to re-activate it.

We also have the concept of a "reset" and its associated default
password made up of a concatenation of secrets. However, one of
those secrets is the last four digits of the SSN and we've been
given direction to eliminate any use of the SSN - in full or in
part. Birthdate has also been mentioned as taboo.

Do you use those secrets to make up the default password when
an account is "reset"?


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel