August 27, 2008, 11:00am

Continuation of requirements gathering

Attendees:

  • Mary Dunker
  • Susan Brooker-Gross
  • Daniel Fisher
  • Marc DeBonis
  • Brad Tilley
  • Kevin Rooney
  • Greg Kroll
  • Kim Homer
  • Rhonda Randel
  • Karen Herrington
  • Ken McCrery

What are the possible entry points for creating pairs / generating a secret question?

Assuming people are required to create pairs for self-service, what are possible entry points? When to force vs. offer opportunity?

  1. PIDGen offers an opportunity to force - makes sense to force here
  2. password change is an opportunity to force - makes sense to force change here if the call center has reset their password
  3. Voluntary PWD change upon authenticating with eToken -- would allow a person to set Q/A.
  4. password change (voluntarily) without Call Center? might be a bad idea. Could be a security hole. But might be a good opportunity in the future.
  5. Stand-alone offers non-forced opportunity -- should allow this to be used if eToken is used for authentication.
  6. My VT offers opportunity to force people to create Q/A - not until new My VT is up
  7. PID reprovisioning process offers opportunity to force
  8. Hokies self-service could offer opportunity to force  
  9. CAS authentication offers opportunity to force
  10. Entering leave could offer opportunity to force. Could CASsify leave report
  11. Hokie SPA?

Brad: If I am voluntarily changing my pwd and I have a secret question, I should be required to answer secret Q when I change my question.

Should CAS be modified to ask secret Q as well as PWD for authentication? 

Proposal:

Initially, require secret questions to be created during PIDGen and re-PIDGen and password change after Call Center reset. 

For voluntary PWD changes, allow people to create Q, but during initial implementation, do not force them to do it at that time. 

eToken is just another option for authenticating to the application.
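The proposal above (force enrollment at PIDGen, re-PIDGen and the password change after a Call Center reset; only offer it elsewhere) and Brad's rule that an existing secret question may only be changed after answering it can be expressed as a small enrollment policy. The following is an added illustration, not code from the meeting or from any VT system; the entry-point names, the Account/SecretQuestion classes and the choice of PBKDF2 for storing answers are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class EntryPoint(Enum):
    """Places where a user could be asked to create a secret question (hypothetical names)."""
    PIDGEN = auto()                     # initial PID generation
    REPIDGEN = auto()                   # PID reprovisioning
    PWD_CHANGE_AFTER_CC_RESET = auto()  # password change following a Call Center reset
    PWD_CHANGE_VOLUNTARY = auto()       # voluntary password change
    STANDALONE = auto()                 # stand-alone self-service page


# Per the proposal: force enrollment at PIDGen, re-PIDGen and the post-reset
# password change; merely offer it elsewhere during the initial implementation.
FORCED_ENTRY_POINTS = {
    EntryPoint.PIDGEN,
    EntryPoint.REPIDGEN,
    EntryPoint.PWD_CHANGE_AFTER_CC_RESET,
}


def enrollment_required(entry_point: EntryPoint, has_question: bool) -> bool:
    """True when the user must create a secret question before continuing."""
    return entry_point in FORCED_ENTRY_POINTS and not has_question


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so "St. Mary's" and "st marys" compare equal.

    Case, accents, punctuation and whitespace are not reproduced reliably
    years later, so they are stripped before hashing.
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", "", text.casefold())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalised answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


@dataclass
class SecretQuestion:
    question: str
    salt: bytes
    digest: bytes

    def check(self, answer: str) -> bool:
        # Constant-time comparison so response timing leaks nothing about the digest.
        return hmac.compare_digest(self.digest, hash_answer(answer, self.salt))


class NotAuthorized(Exception):
    """Raised when an existing question is changed without proving the old answer."""


@dataclass
class Account:
    pid: str
    secret: Optional[SecretQuestion] = None

    def set_question(self, question: str, answer: str,
                     current_answer: Optional[str] = None) -> None:
        """Create or replace the secret question.

        Replacing an existing question requires the current answer, so a party
        who merely knows the PID/password pair cannot silently swap in a
        question of their own.
        """
        if normalize_answer(answer) == "":
            raise ValueError("answer must contain at least one letter or digit")
        if self.secret is not None:
            if current_answer is None or not self.secret.check(current_answer):
                raise NotAuthorized("current secret answer required to change the question")
        salt = os.urandom(16)
        self.secret = SecretQuestion(question, salt, hash_answer(answer, salt))

    def verify(self, answer: str) -> bool:
        return self.secret is not None and self.secret.check(answer)


if __name__ == "__main__":
    acct = Account(pid="jdoe")  # constructed sample account
    if enrollment_required(EntryPoint.PIDGEN, acct.secret is not None):
        acct.set_question("First pet?", "Mr. Whiskers")
    try:
        acct.set_question("Mother's maiden name?", "Smith")  # no current answer supplied
    except NotAuthorized as exc:
        print("refused:", exc)
    acct.set_question("Mother's maiden name?", "Smith", current_answer="MR WHISKERS")
    print("verify:", acct.verify("smith"))
```

The normalisation is deliberately lossy: it trades a little entropy for answers that users can actually reproduce, which is why the answer is still stored behind a slow salted hash rather than in clear text.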

Next time: What information is in Banner that could be used for this? What other questions might be generated?



1 Comment

  1. Brad Tilley

    Just to recap my thoughts... say I know another's PID/Passwd pair. I could then create a 'secret question' or 'challenge response' on their behalf. They would be unaware of this. In fact, they may never know that I did this unless they were to forget their PID-passwd and be asked the question I made-up for them... which they would not be able to answer. At that time, they would have to physically visit someone to sort this out. This could happen where managers delegate these types of things or between spouses who both work at Tech, relationship(s) gone bad, etc.

    This is a more sinister/devious attack than common phishes. One could change the PID-passwd and force the victim to make an appearance in person, or never change it and simply access that victim's info. That's not a big deal *today* as almost the same thing can be said about the current situation, however, should having a 'secret question' ever allow greater access or more liberal on-line access to personal info (at some time in the future), then this would be a cause for concern and creating the 'secret question' would need to be a more rigorous process than simply successfully authing a PID-Passwd pair.

    Also, having a captcha on the site that allows creating a 'secret question' would be good. This would prevent (or at the very least limit) bots from authing with phished PID-Passwd pairs and creating secret questions. A person could still do what I described above, but at least now, we have a greater degree of certainty that it was indeed a person who did that.