Re: User verification questions

[Andrew van der Stock <vanderaj () greebo net>]

The quick answer is "none of the above". I regularly answer random  
characters to them as I refuse to use them.

My litany of inexcusable design frights against these awful  
interfaces are:

a) Privacy acts. You have to have a decent reason to collect and keep  
private information. These q&a monstrosities do not qualify.  
Businesses have NO reason to know my mother's maiden name. They have  
NO reason to know my favorite pet's name. Therefore, legally, you may  
not collect this information from me under most privacy regimes.

b) Public sources. Most of the typical questions can be derived from  
public sources (date of birth, license numbers, credit checks, etc)

c) Laws and regulations surrounding certain types of information,  
particularly government identifiers. You must not collect or use  
certain pieces of information, such as SSN or similar government  
identifiers.

d) "Guess an identity". Most people's favorite color is blue (about  
90% from my survey so far). Similar guess-able answers can be used to  
get past help desks with many clerks as they do not keep a track of  
the total number of failed accesses through this back door password  
scheme.

e) Information Security Policy adherence. These systems are a weak  
backdoor password system. Five question Q&A are the equivalent of two  
character passwords in terms of entropy (at best) and do not have any  
password aging, generally do not have any brute force provisions  
(although I don't like account lockout measures either), and thus  
fail to meet even basic security least common denominator practice.

f) It's one factor security - "something you know". I'd have an  
excellent chance at answering any of my family's Q&A's, and a fairly  
good chance at any of my best friend's Q&A's. Imagine if this was for  
a joint bank account where the two parties are feuding - you've just  
given access to someone who has no right to the account.

Lastly, there are usually much better ways to go about these schemes  
than questions and answers.

a) if it's to identify someone to a help desk, use a random number on  
the screen:

++++++++++++
| Please call 1 800 LUSER, and quote "43743".

b) if it's to recover access to an account, even e-mail or SMS resets  
are stronger than this - they are almost a "something you have,  
something you know". If you value your accounts, nothing beats face  
to face contact. Evidence of identity is essential for trust in the  
account.

thanks,
Andrew

On 11/10/2005, at 12:47 AM, Derick Anderson wrote:

> What good questions can be used for user verification? I've seen some
> password recovery interfaces which have the typical mother's maiden
> name, city of birth, etc. and others which let the user define  
> their own
> question (a stupid idea in my opinion, but I'm willing to be  
> educated).
> I'm thinking beyond a password recovery interface - I'm more concerned
> with a general protocol that could be used in situations where email
> isn't an option.
>
> Thanks,
>
> Derick Anderson