Challenge and Response Security Questions
With tools like SSRPM (Self Service Reset Password Manager) it is possible to delegate password resets to the users themselves. If a user is locked out because of a wrong password, they simply click the “I forgot my password” button on the login screen and, after answering a few security questions, can reset their own password.
The advantages are clear:
- a reduction in calls to the helpdesk
- reduced support costs
- Improved security (how does your helpdesk identify the caller today?)
But what are the right security questions? How do you create a list of questions that are highly secure and hard to guess, yet still easy to remember?
The site goodsecurityquestions.com (in English) offers tips and ideas on creating such security questions.
Some important criteria for defining security questions:
- The answer is difficult to guess or to find (via internet or other research, i.e. social engineering)
- The answer does not change with time
- Easy to remember
- The answer must be simple and unambiguous, with a single obvious format
Since Self Service Reset Password Manager was introduced, many companies have used the tool to reduce calls to the service desk. Here are some guidelines that have been implemented for our customers:
The most relevant questions are usually those about the end user's past whose answer does not change over time (so no “what is your favourite colour?”). Avoid questions whose answer can be written in different formats (times, dates …), questions whose answer may be known to colleagues (your dog's name …) and answers that can be found on social networks (Facebook, etc.).
Some examples:
- What is the name of your first boss?
- What was your first pet?
- What is the name of the eldest of your nieces?
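As an added illustration (not part of the original post, and not SSRPM's own code), here is a small Python module that applies the criteria above at enrolment time: it normalises an answer into one unambiguous form so that “Mr. O'Brien” and “mr obrien” compare equal, flags answers that are too short, that have very few possible values (the “favourite colour” class) or that are numeric or date-like (the multiple-formats problem), and stores only a salted PBKDF2 hash so the answers themselves are never kept in clear. The deny-list, the date regex and the iteration count are assumptions chosen for the example; the sample answers are constructed.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed deny-list of answers with very few possible values. A real
# deployment would use a much larger list; this one is an illustrative assumption.
LOW_ENTROPY_ANSWERS = {
    "red", "blue", "green", "yellow", "black", "white",
    "yes", "no", "none", "password", "dog", "cat",
}

# Purely numeric or date-like input such as "12/05/1987", "12-5-87" or "1987".
# Such answers can be written in several formats and are trivially enumerable.
DATE_LIKE = re.compile(r"\d{1,4}([-/. ]\d{1,4}){0,2}")

PBKDF2_ROUNDS = 200_000  # assumption: tune to your own hardware


def normalize_answer(answer: str) -> str:
    """Canonical form of an answer, so enrolment and verification agree
    regardless of capitalisation, punctuation or stray spaces."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation ("O'Brien" -> "obrien")
    return " ".join(text.split())          # collapse internal whitespace


def check_answer_quality(answer: str) -> List[str]:
    """Return the criteria the answer violates; an empty list means it passes."""
    problems = []
    norm = normalize_answer(answer)
    if len(norm) < 3:
        problems.append("too short to resist guessing")
    if norm in LOW_ENTROPY_ANSWERS:
        problems.append("answer has very few possible values")
    if DATE_LIKE.fullmatch(answer.strip()):
        problems.append("numeric or date-like answer: ambiguous format, easy to enumerate")
    return problems


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted, slow hash of the normalised answer, never the
    plaintext, so a leaked enrolment table does not reveal the answers."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Compare a reset attempt against the enrolled hash in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode("utf-8"),
                                  salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Constructed sample answers for the example questions above.
    for ans in ["Mr. O'Brien", "Rex", "Blue", "12/05/1987", "Sophie"]:
        print(f"{ans!r:>14} -> {normalize_answer(ans)!r:14} {check_answer_quality(ans) or 'ok'}")
    salt, digest = enroll_answer("Rex")
    print(verify_answer("  rex! ", salt, digest), verify_answer("Max", salt, digest))
```

Running the module prints the normalised form and any violated criteria for each sample answer, then shows that a punctuated, differently cased reset attempt still verifies while a wrong answer does not. The quality check is meant to run when the user enrols, so that a weak answer is refused before it can be used for a reset.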
Click here for more information about resetting passwords through user self-service, or on good practices for defining security questions.