Re: User verification questions

[Yousef Syed <yousef.syed () gmail com>]

Add to this, the fact that many people publicly publish a lot of the
personal information in easily accessible Blogs. Discovering the name
of someones pet cat becomes surprisingly easy.

On 11/10/05, Andrew van der Stock <vanderaj () greebo net> wrote:
> The quick answer is "none of the above". I regularly answer random
> characters to them as I refuse to use them.
>
> My litany of inexcusable design frights against these awful
> interfaces are:
>
> a) Privacy acts. You have to have a decent reason to collect and keep
> private information. These q&a monstrosities do not qualify.
> Businesses have NO reason to know my mother's maiden name. They have
> NO reason to know my favorite pet's name. Therefore, legally, you may
> not collect this information from me under most privacy regimes.
>
> b) Public sources. Most of the typical questions can be derived from
> public sources (date of birth, license numbers, credit checks, etc)
>
> c) Laws and regulations surrounding certain types of information,
> particularly government identifiers. You must not collect or use
> certain pieces of information, such as SSN or similar government
> identifiers.
>
> d) "Guess an identity". Most people's favorite color is blue (about
> 90% from my survey so far). Similar guess-able answers can be used to
> get past help desks with many clerks as they do not keep a track of
> the total number of failed accesses through this back door password
> scheme.
>
> e) Information Security Policy adherence. These systems are a weak
> backdoor password system. Five question Q&A are the equivalent of two
> character passwords in terms of entropy (at best) and do not have any
> password aging, generally do not have any brute force provisions
> (although I don't like account lockout measures either), and thus
> fail to meet even basic security least common denominator practice.
>
> f) It's one factor security - "something you know". I'd have an
> excellent chance at answering any of my family's Q&A's, and a fairly
> good chance at any of my best friend's Q&A's. Imagine if this was for
> a joint bank account where the two parties are feuding - you've just
> given access to someone who has no right to the account.
>
> Lastly, there are usually much better ways to go about these schemes
> than questions and answers.
>
> a) if it's to identify someone to a help desk, use a random number on
> the screen:
>
> ++++++++++++
> | Please call 1 800 LUSER, and quote "43743".
>
> b) if it's to recover access to an account, even e-mail or SMS resets
> are stronger than this - they are almost a "something you have,
> something you know". If you value your accounts, nothing beats face
> to face contact. Evidence of identity is essential for trust in the
> account.
>
> thanks,
> Andrew
>
> On 11/10/2005, at 12:47 AM, Derick Anderson wrote:
>
> > What good questions can be used for user verification? I've seen some
> > password recovery interfaces which have the typical mother's maiden
> > name, city of birth, etc. and others which let the user define
> > their own
> > question (a stupid idea in my opinion, but I'm willing to be
> > educated).
> > I'm thinking beyond a password recovery interface - I'm more concerned
> > with a general protocol that could be used in situations where email
> > isn't an option.
> >
> > Thanks,
> >
> > Derick Anderson


--
Yousef Syed