Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: Bob Bayn <bob.bayn () USU EDU>
Date: Tue, 14 Apr 2009 15:29:02 -0600

Gary Flynn commented on some of my remarks, concluding with:


We've just recently given our ServiceDesk staff the ability to 
access a user's challenge responses so they can do confirmations 
over the phone and accept approximate matches to the answers.

Isn't that kind of like giving them access to the account passwords?

What's the risk there compared to giving them the capability to reset a password when the user provides some other "proof" of ID?  Either can be misused and would be grounds for disciplinary action, dismissal and/or legal action.



Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University
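The exchange above turns on whether ServiceDesk staff need to see the stored challenge responses at all in order to accept "approximate matches" over the phone. As an added example (not code from either poster or from any university system), the snippet below shows the usual middle ground: each answer is canonicalised (case, accents, punctuation and whitespace removed) and then stored only as a salted PBKDF2 hash, so a help desk tool can report match/no-match for a spoken answer without ever displaying the answer itself. The question texts, answers and iteration count are constructed for illustration. The caveat is the tradeoff the thread describes: normalisation tolerates "St. Mary's" versus "st marys", but a genuine misspelling still fails, and low-entropy answers (pet names, birthplaces) remain guessable by anyone who can drive the verifier, which is why a slow hash and an attempt limit still matter.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical work factor for the illustration; tune for the deployment.
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a challenge answer so harmless variations compare equal.

    Lower-cases, strips accents, and drops everything that is not a letter or
    digit, so "St. Mary's  Hospital" and "st marys hospital" both become
    "stmaryshospital". Typos are *not* tolerated: that is the price of never
    storing the plaintext.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def enroll_answer(answer: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store a salted, slow hash of the normalised answer, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_answer(record: dict, supplied: str) -> bool:
    """Constant-time check of a spoken/typed answer against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(supplied).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["hash"])


def enroll_user(answers: dict) -> dict:
    """Map each question text to its hashed record (constructed sample data)."""
    return {question: enroll_answer(answer) for question, answer in answers.items()}


def phone_confirmation(records: dict, supplied: dict) -> bool:
    """What the help-desk tool exposes: a single yes/no, requiring every
    enrolled question to be answered acceptably. Staff see the questions,
    not the answers."""
    return all(
        question in supplied and verify_answer(record, supplied[question])
        for question, record in records.items()
    )


if __name__ == "__main__":
    # Constructed enrolment; real answers would come from the user at setup.
    user = enroll_user({
        "Hospital where you were born?": "St. Mary's Hospital",
        "First pet's name?": "Zoë",
    })
    print(phone_confirmation(user, {
        "Hospital where you were born?": "st marys hospital",
        "First pet's name?": "ZOE",
    }))   # approximate match accepted without revealing the stored answers
```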
