Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 4 Jan 2008 14:54:05 -0500
If I told you, they wouldn't be secrets anymore :-)

Yes, we are still using SSN parts, but will be changing to something we are calling a UPN - a unique 9-digit number that looks just like an SSN but isn't. I have no idea how we are going to get people to remember that number - but at least their identity will be safe :-)

If you have a place to get cheap DNA scanners, we might be interested.

Joking aside, this is a really hard problem to solve and I don't think that I've seen a really good answer for this yet.

Thanks,
Joel

--On Friday, January 04, 2008 2:29 PM -0500 Gary Flynn <flynngn () JMU EDU> wrote:

> Joel Rosenblatt wrote:
>> The point of the ID card is that you just do a RESET of the id if they present the card (Over the phone, by knowing the card number, or by fax) - the ID is not active at that point, but put back to the initial state. It then requires them to know the proper secrets to re-activate it.
>
> We also have the concept of a "reset" and its associated default password made up of a concatenation of secrets. However, one of those secrets is the last four digits of the SSN and we've been given direction to eliminate any use of the SSN - in full or in part. Birthdate has also been mentioned as taboo.
>
> Do you use those secrets to make up the default password when an account is "reset"?
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel