2. Stay connected to Allidm
Find us on Facebook:
http://www.facebook.com/allidm
Follow us on Twitter:
http://twitter.com/aidy_idm
Look for us on LinkedIn:
http://www.linkedin.com/allidm
Visit our blog:
http://www.allidm.com/blog
3. Disclaimer and Acknowledgments
The contents here were created as my own personal endeavor and
thus do not reflect any official stance of any Identity and
Access Management vendor on any particular technology.
4. Contact Us
In this presentation we'll talk about some useful topics that
you can use no matter which identity and access management
solution or product you are working on.
If you know one that makes a big difference, please tell us so
we can include it in the future.
aidy.allidm@gmail.com
5. What’s A Challenge Question
Challenge-response authentication is a family of
protocols in which one party presents a question
("challenge") and another party must provide a valid
answer ("response") to be authenticated.
The challenge questions are used for security
purposes to enable you to retrieve your password
and to allow Customer Service to confirm your
identity when you call. It is critical that you keep your
challenge questions up-to-date.
6. Benefits
Security questions reduce support costs by allowing
users to retrieve their password rather than
contacting support
Security questions are safer than trying to verify
callers' identity over the phone.
Sign-in verification can increase security over the
routine user name/password option.
7. When is it used?
Using Challenge Questions for Credential Recovery
Using Challenge Questions for Routine Authentication
Password retrieval/reset: if you forget your password,
the website will ask a question and if answered
correctly, you'll get or reset the password.
Sign-in verification: some websites occasionally
display a security question during sign-in as a second
level of verification.
8. Types of Questions and Answers
Question Types
The two types of questions that are likely to be most familiar are fixed questions and open questions.
A fixed question provides a list of preset questions to a user, where the user’s choice of question can be
taken only “as is” from this list.
An open question is one where a user has complete choice and control over the question; guidance as to the
question construction may be provided to the user, but the user enters the question in free-form text.
A controlled question lies between the extremes of a fixed question and an open question; it is a
question whose content is partially fixed, although modifiable by the user.
The fixed question might allow for additional text to be added, forming a modification of the original
question.
What is Name's middle name?
The fixed question might support a combination with an optional user-provided hint, where the hint
would be presented to the individual for authentication.
Answer Registration (form mock-up):
  What is a memorable date for you?  [Date]
  Hint:                              [Hint]
9. Answer Types
There are three answer types: fixed answers, controlled answers, and open answers.
A fixed answer set involves user selection of an answer from a preset list of answers.
At the other extreme, an open answer involves a user manually entering his response.
A controlled answer lies between the two, where the answer space is neither fixed nor open.
Some ways in which this might be achieved are:
Providing a fixed set of answers where the answer space is large enough so that most
potential answers are allowed.
The individual is able to enter an answer, but the format of the answer is controlled—
answers that do not conform are rejected. For example, an individual might be
asked to provide a memorable numeric value so that alphabetic and punctuation
characters would not be permitted for inclusion in the answer text.
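An added example (not code from the slides) of how a controlled answer type can be enforced at registration: each question carries a format pattern, non-conforming answers are rejected, the answer is reduced to one canonical form so small syntactic variations still verify, and only a salted hash is stored. The question catalogue and the `normalise`/`register`/`verify` names are constructed for this illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed catalogue (not from the slides): question id -> (prompt, pattern the
# normalised answer must match). The pattern is what makes the answer "controlled".
QUESTIONS = {
    "memorable_number": ("What is a memorable numeric value for you?", r"[0-9]{4,12}"),
    "memorable_date": ("What is a memorable date for you? (YYYY-MM-DD)", r"[0-9]{8}"),
    "city_met_spouse": ("In what city did you meet your spouse?", r"[a-z]{2,}"),
}

PBKDF2_ROUNDS = 200_000


def normalise(answer: str) -> str:
    """Reduce an answer to one canonical form so 'St. Louis' and 'st louis' match."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", text.lower())


def register(question_id: str, answer: str) -> dict:
    """Validate the answer against the question's format and keep only a salted hash."""
    _prompt, pattern = QUESTIONS[question_id]
    canonical = normalise(answer)
    if not re.fullmatch(pattern, canonical):
        # Controlled answer type: anything outside the permitted format is rejected.
        raise ValueError(f"answer to {question_id!r} does not match the required format")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, PBKDF2_ROUNDS)
    return {"question_id": question_id, "salt": salt, "digest": digest}


def verify(record: dict, answer: str) -> bool:
    """Hash the presented answer with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])
```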
10. Best Practices for Choosing
Challenge Questions
Some simple rules when choosing the challenge questions your users can
choose from:
Choose questions that don't have a limited number of answers
Choose questions whose answers aren't likely to change over time
Choose questions that everyone can answer
Choose questions that can only be answered one way
Good security questions have four common characteristics. The
answer to a good security question:
cannot be easily guessed or researched (safe),
doesn't change over time (stable),
is memorable,
is definitive or simple.
11. Designing a Challenge Question
Authentication System
Determining the Number of Questions to Use
Determining the Types of Questions and Answers to Use
Determining the appropriate question type
Determining the appropriate answer type
12. Examples
What are the last four digits of your social security
number?
What are the first five characters of your driver’s license
number?
What is your frequent flyer number?
What are the first five digits of your spouse’s social security
number?
What is your six character alphanumeric PIN value that you
choose to use for this question?
What is your cell phone's SIM card ID number? (careful,
this could change often for some users)
13. Issues
Security questions create a potential hole or breach in security by providing ways for
unauthorized users to gain access if the answer can be discovered.
Poor questions create security breaches and confusion and cost money in support
calls
Good security questions can be useful in the current environment, but are not
common.
A challenge question system may require an additional step to obtain the challenge
questions.
A challenge question system may choose not to obscure the display of the answers
(as is done for passwords, where each character is replaced with a “*” on the screen).
A challenge question system may use more than one question-answer pair.
A challenge question system may make use of an “out-of-band” authentication step.
14. http://www.goodsecurityquestions.com/examples.htm
Good
What was your childhood nickname?
In what city did you meet your spouse/significant other?
What is the name of your favorite childhood friend?
What street did you live on in third grade?
What is your oldest sibling’s birthday month and year? (e.g., January 1900)
What is the middle name of your oldest child?
What is your oldest sibling's middle name?
What school did you attend for sixth grade?
What was your childhood phone number including area code? (e.g., 000-000-0000)
What is your oldest cousin's first and last name?
What was the name of your first stuffed animal?
In what city or town did your mother and father meet?
Where were you when you had your first kiss?
What is the first name of the boy or girl that you first kissed?
What was the last name of your third grade teacher?
In what city does your nearest sibling live?
What is your oldest brother’s birthday month and year? (e.g., January 1900)
What is your maternal grandmother's maiden name?
In what city or town was your first job?
What is the name of the place your wedding reception was held?
What is the name of a college you applied to but didn't attend?
Where were you when you first heard about 9/11?
15. http://www.goodsecurityquestions.com/examples.htm
Fair
What was the name of your elementary / primary school?
What is the name of the company of your first job?
What was your favorite place to visit as a child?
What is your spouse's mother's maiden name?
What is the country of your ultimate dream vacation?
What is the name of your favorite childhood teacher?
To what city did you go on your honeymoon?
What time of the day were you born?
What was your dream job as a child?
What is the street number of the house you grew up in?
What is the license plate (registration) of your dad's first car?
Who was your childhood hero?
What was the first concert you attended?
What are the last 5 digits of your credit card?
What are the last 5 of your Social Security number?
What is your current car registration number?
What are the last 5 digits of your driver's license number?
What month and day is your anniversary? (e.g., January 2)
What is your grandmother's first name?
What is your mother's middle name?
What is the last name of your favorite high school teacher?
What was the make and model of your first car?
Where did you vacation last year?
What is the name of your grandmother's dog?
What is the name, breed, and color of current pet?
What is your preferred musical genre?
In what city and country do you want to retire?
What is the name of the first undergraduate college you attended?
What was your high school mascot?
What year did you graduate from High School?
What is the name of the first school you attended?
16. http://www.goodsecurityquestions.com/examples.htm
Poor
What was your favorite sport in high school?
What is the name of the High School you graduated from?
What is your pet's name?
In what year was your father born?
In what year was your mother born?
What is your mother’s (father's) first name?
What is your mother's maiden name?
What was the color of your first car?
What is your father's middle name?
In what county were you born?
How many bones have you broken?
What is the first and last name of your favorite college professor?
On which wrist do you wear your watch?
What is the color of your eyes?
What is the title and artist of your favorite song?
What is the title and author of your favorite book?
What is the name, breed, and color of your favorite pet?
What is your favorite animal?
What was the last name of your favorite teacher?
What is your favorite team?
What is your favorite movie?
What is your favorite teacher's nickname?
What is your favorite TV program?
What is your least favorite nickname?
What is your favorite sport?
What is the name of your hometown?
What is the color of your father’s eyes?
What is the color of your mother’s eyes?
What was the name of your first pet?
What sports team do you love to see lose?
In what city were you born?
What is the city, state/province, and year of your birth?
What is the name of your hometown newspaper?
What is your favorite color?
What was your hair color as a child?
What is your work address?
What is the street name your work or office is located on?
What is your address, phone number?
17. Challenge Question System
Privacy Criteria
Designers should be particularly cautious about using questions
that ask for personal information.
Security Criteria
The security criteria relate directly to the confidentiality of the challenge
question answers.
Guessing difficulty
Answers should be difficult to guess and have an answer
space with a fairly uniform distribution.
Observation difficulty
The answers to challenge questions should be difficult for an
attacker to retrieve or observe easily.
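An added example (not from the slides) of putting the guessing-difficulty criterion into numbers: given the answers a population actually registered for a question, it measures how concentrated the answer space is (min-entropy) and how likely an attacker is to succeed by trying only the most common answers within the attempts a lockout policy allows. The sample answer sets, the thresholds and the function names are constructed for this illustration.

```python
import math
from collections import Counter

# Constructed answer samples (hypothetical): what 100 users registered for each
# question. A real assessment would use anonymised registration data.
SAMPLES = {
    "favorite_color": (["blue"] * 40 + ["red"] * 20 + ["green"] * 15 + ["black"] * 10
                       + ["purple"] * 5 + ["yellow"] * 5 + ["orange"] * 5),
    "childhood_street": [f"street{i}" for i in range(100)],  # nearly unique answers
}


def answer_distribution(answers):
    """Probability of each distinct answer, most common first."""
    counts = Counter(answers)
    total = sum(counts.values())
    return [count / total for _, count in counts.most_common()]


def min_entropy_bits(probs):
    """Work for the attacker's single best guess: -log2(p_max). Uniform space maximises it."""
    return -math.log2(max(probs))


def top_k_success(probs, k):
    """Chance an attacker succeeds by trying the k most common answers in order."""
    return sum(probs[:k])


def assess(question_id, attempts_allowed=3, max_success=0.05):
    """Flag a question whose answer space the attacker can cover within the lockout budget."""
    probs = answer_distribution(SAMPLES[question_id])
    success = top_k_success(probs, attempts_allowed)
    return {
        "question": question_id,
        "distinct_answers": len(probs),
        "min_entropy_bits": round(min_entropy_bits(probs), 2),
        "success_in_budget": round(success, 3),
        "acceptable": success <= max_success,
    }
```

A skewed distribution such as favourite colour lets three guesses cover most of the population, while the street question keeps the per-attempt success near 1 in 100.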
18. Usability Criteria
The usability of a challenge question system is concerned with providing a
user-friendly experience at the stages of both answer registration and
subsequent answer presentation.
Applicability
The applicability criterion attempts to characterize the size of the target population
for which a question might be applicable.
Memorability
An answer is memorable as long as the user is able to recall the answer. This
generally implies that the answer would be personally significant. Information that is
used frequently will be more memorable, indicating that answers reflecting the
habits, activities, or practices of users provide suitable answers.
Repeatability
There are at least two aspects of answer repeatability to consider. First, answers
should have few syntactic representations. For