Challenge/response Considerations - Brian Early

Attendees:

  • Joyce Landreth
  • Cathy Winfrey
  • Ken McCrery
  • Susan Brooker-Gross
  • Kevin Rooney
  • Karen Herrington
  • Rhonda Randel
  • Brad Tilley
  • Kim Homer
  • Ismael Alaoui
  • Marc DeBonis
  • Mary Dunker

Agenda: Brian Early shares his experiences with challenge/response for CNS guest access to wireless network service.

Brian - It is a balancing act between system-generated Q vs. self-generated Q. Letting users specify questions is a bad idea. Normally they pick questions that are easy to guess. Can ask them to specify the question as well as the answer for mitigation, but in general, the average person uses easy questions. BOT attacks can feed in top 30 cities to respond to question asking where someone was born. Mother's maiden name is bad. Don't make self-generated the only way. Might specify one question of their own, and pick others from a list provided by the system. Brian found a goo list of sample questions. (see COLA: Create a guest account) For example, "What is your library card number?" "what is your Frequent Flyer number?"  Google on "secret questions" should produce results such as http://www.syngress.com/solutions/268_hack_Code/Using%20Secret%20Questions.htm . CNS did not encrypt answers so NOC could look at questions. Encryption/hash might be appropriate. Password reset screen doesn't give you your question. It pops up list of all questions and the person must choose the question again.

 CNS monitors attacks. COLA monitors failed login attempts based on IP address. Threshhold logs after 4 attempts. Sends e-mail after 10 failed attempts.

COLA requires 2 questions be answered.

Guest wireless has 2 password change mechanisms. Automated mechanism generates random PWD and sending in e-mail in addition to allowing questions to be answered.

Others might select photo. or Site key + phrase you make up.

Look at Treasury.direct and ing.com

Capitalization might be ignored. Exact match more secure. Could compress spaces. If period is at end, must match in COLA. Local liaisons can reset in Athletics.

for Hokies, OU admins can reset Marc will ask how they verify the person. (Marc - Will ask this at the WUG 8/7)

*Ask Carl for unauthenticated access pages for self-service PWD reset.

Q: If Brian had to do it over again, what would he change? Not enough feedback to change anything. 1-1/2 years. Might have changed that sponsor admins had to come to training.
Career services has guest accounts without questions. NOC has no way to verify info. Auto reset involves clicking link, sending to e-mail account, where person is sent a link to receive random password that they must later change.

Incentive to not change: When they call, the PWD is reset to temporary and in 48 hours, when they go to set it, they will need to create questions.

For Hokies, to force PWD change, they would have to make IRM & Help desk go through a web interface to reset PWD.  (Marc - Specifically, if we want to force people to build Q&A pairs we'll need to disable the default mechanisms to change/reset a password and build a web app to do this which forces the building.  If we still want to allow IRM & Help Desk to reset without having the user build them, then we don't have to change the SOP).

Joyce: using same questions for PID/PWD and Hokies PWD.  (Marc - I think we can use the same Q&A pairs IFF we determine that PID/PWD and Hokies ID/PWD are equivalent from a LOA standpoint.)

Might request VT ID# in addition to their challenge questions. 

Could you use PID to reset Hokies ID & vice versa? Currently you use PID to upgrade from contact to Account. Probably not. Can reset w/eToken cert.  (Marc - I'm on the fence of allowing PID -> reset - > Hokies, Hokies -> PID, etc)

IF PID cannot reset Hokies and vice versa, then the challenge questions should not be interchangeable.

Hokies should not be able to reset PID. Possibly, PID could reset Hokies. Could have separate question pairs for each.  (Marc - Can somebody elaborate on why they should not?  Because PID has access to more "important" information?  Because if we allow reset either way or bi-directional we suffer greater exposure if/when an account is compromised?)

If you rename a PID, you cannot keep same Hokies Id name.  (Marc - Specifically, if a PID is _recycled_ the UID will not match and we'll get a alert for manual intervention in our system since it would look like a rename attempt)

We should base our decisions on the deprovisioning we should be doing, not what we do. 

Decisions made:

  1. At minimum, to reset password, user should have to enter VT ID# along with answers to challenge questions.
  2. If a user authenticates with PDC on eToken and enters VT ID# that corresponds to that PDC, they will be allowed to reset PWD without answering challenge questions. This is because there is a higher LOA in the identity of the user of the PDC/eToken credential during authentication than in the PID or Hokies credential.

Questions prompted from meeting:

How many questions should be asked? Of those, how many should be self-generated and how many system-generated?

  1. After selecting x number of questions, should the entire list be presented at PWD reset time, so the user must know which questions they elected to answer?
  2.  Would/should NOC be able to see questions and/or answers in order to reset PID/Hokies PWD?
  3. Should knowledge of PID/PWD allow a person to reset Hokies PWD without answering questions? (Mary thinks the general consensus was, "no.")
  4. Should knowledge of Hokies ID/PWD allow a person to reset PID PWD without answering questions? (General consensus was, "no.")
  5. Should there be one set of challenge questions/resposes that allows reset of both/either Hokies or PID password? Marc pointed out that if we do not allow #3 or #4, then it does not make sense that we should have a single set of questions that serve both PID and Hokies. This makes sense, but having 2 sets of questions is more cumbersome than one set.
  6. Should questions/responses be encrypted when stored?
  7. Should questions be drawn from existing Banner information?
  8. Should we include an automated mechanism similar to CNS, where a random password is generated and sent to the user? (Mary thinks consensus on this was, "no."
  9. Do we need/can we get unauthenticated network access to a page that allows the user to reset the password? (Ask Carl Harris.) 
  • No labels

3 Comments

  1. Mary Dunker

    Aug 06, 2008

    The next comment box was ported -- hopefully accurately -- by Mary from an e-mail thread between Mary, Marc, Kevin and Brad.

  2. Mary Dunker

    Aug 06, 2008

    Marc DeBonis:

    >> Interesting points. What again was the downside to

    > allowing Hokies

    > >> to reset PIDs?

    > >>

    > >> - M

    > Brad Tilley wrote:

    > > I do not recall. Kevin would be the authority on that.

    >>

    > > Brad

    > From: Kevin Rooney [mailto:rooney@vt.edu]
    > Sent: Tuesday, August 05, 2008 1:50 PM

    > To: Tilley, Brad

    > Cc: DeBonis, Marc; Dunker, Mary

    > Subject: Re: Some Further Thoughts

    >

    > FYI, there are 160k+ active pids, and if you are not an employee, you

    > can hide from ED-Lite, but not ED-Auth.

    > Although that doesn't necessarily change anything you said.

    > I would agree with all of your points except to say that

    > deprovisioning of separated accounts like that becomes a manageability

    > issue as well as a security risk due to that fact, and thus shouldn't

    > be discounted.

    > The IRM Challenge/Response WebService (which is where

    > PIDGEN gets its questions) relies upon VT ID as the primary identifier

    > (along with affiliations) for the purpose of

    > generating challenge/response questions. However, it could

    > be easily

    > changed to allow for "secret questions" or any other data.

    > If a person is authenticated via this method, it shouldn't matter

    > which account they want to reset as their identity was originally

    > vetted and credentialed using the same data. If you rely

    > upon other credentials for authentication, that's fine as long as the

    > opaque identifiers are immutable as far as the credentialed person is

    > concerned (UID - nice to know HOKIES is using that identifier). Over

    > time, and in most cases, this can and does change. I'd rather rely

    > upon a universal auth method rather than relying upon separate systems

    > to keep in sync with each other.

    > Granted, we have a pretty good shot at that sync considering these

    > systems are centrally managed, but still there can easily be temporal

    > anomalies. This boils down to "why not go straight to the source"

    > which is Banner data, which again is where the identity was originally

    > vetted and used during initial credentialing.

    >

    > Looking forward to more discussion!

    From: DeBonis, Marc

    > Sent: Tuesday, August 05, 2008 2:11 PM

    > To: Rooney, Kevin; Tilley, Brad

    > Cc: Dunker, Mary

    > Subject: RE: Some Further Thoughts

    >

    > So considering we already have a challenge/response process in place

    > to allow users to generate PIDs, why not use that same system with the

    > self-service password reset process?

    From Mary:

    >

    > "why not go

    > straight to the source" which is Banner data, which again is where the

    > identity was originally vetted and used during initial credentialing.

    Kevin, can you please tell us what questions are asked of students and employees? I am not convinced the question/answers are particularly stringent. For example, I could answer a lot of personal questions about my high school buddy or college roommate. Some examples from PIDGen would be most useful.

    Thanks,

    Mary

    Kevin:

    I'm not suggesting using the current question sets for password reset. Those questions are derived based upon your affiliation set. The questions sets are typed and prioritized based upon an affiliation-based code prioritization list, but could easily include in that code list a secret question code which would indicate they have secret questions, and those should be used first if available. The question set is created along with the sql necessary to obtain the answers in the system, and any sql data source can be used for the queries. There would need to be a front end service needed that would allow the person to create their question sets.

    That said, the questions used to credential a new employee or new student currently are based upon the data we have from their employment application/hr data or their admissions application along with their VT ID which is also used as "what you know"

    piece of data. While this is all we have to go on, it does suffice for LOA 2. I wouldn't want to continue to use this data for password reset, but it'd be nice to have it early on in the process (ie during application for employment/admissions). Hence, we'd know that the person authenticating is the person who applied. 

  3. Mary Dunker

    Aug 08, 2008

    Additional question: Where should challenge questions & responses be stored? Mary has assumed the answer would be in the ED Registry, as the schema is already set up for them. Are there other reasonable options?

    If we have multiple sets of questions (one set for PID and another set for Hokies) would we store both sets in ED or just those for the PID password reset?