Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
|
I'm looking at configuring a self service portal for our international users so they can change their AD password and/or unlock it when I'm in bed.
We've got a tool to do the job, and it's all set up and waiting to be polished and released to our users - but I'm stumbling on the security questions. The default ones seem way too easy with stuff like Facebook available to research the relevant information - so I'm looking for some best practices or good examples of questions.
My imagination sucks, so if anyone can suggest something I'd appreciate it. Google simply suggests "Don't bother with self service question/answer authentication" but without pushing out RSA tokens and stuff (a project which is further down the line) I can't see an alternative.
Lotus Elise 111R
Impreza WRX STi
|
Laney
Member
Registered: 6th May 03
Location: Leeds
User status: Offline
|
I'm no expert, but I'm going to guess at using non-current information is probably safest, based on the fact it's not normally available on places like Facebook.
First teacher, first car, first street name?
|
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
First direct makes you choose a memorable location which I've always thought to be a good idea.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Best practice? Don't use secret questions and answers. The only way to do it is by sending out a single use token with a short expiry time which will allow the user to reset their password. Sending out a single use password is another way to do it - you can give it short expiry time too.
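The single-use, short-expiry reset token ed describes, as an added Python example that is not code from this thread or from any product mentioned in it. The store, the 15-minute TTL and the injectable clock are assumptions; how the token reaches the user (email, SMS) is outside the snippet. Only a hash of each token is kept, and a token is consumed on first use whether or not that use succeeds.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; tune to what the helpdesk can live with


class ResetTokenStore:
    """Issues single-use, short-lived password-reset tokens (hypothetical helper).

    Only SHA-256 digests of issued tokens are stored, so a leaked store
    cannot be replayed against the reset endpoint.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # token digest -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create a 256-bit random token bound to `username`; return it for delivery."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, username, token):
        """Return True exactly once per valid, unexpired token for the right user."""
        # pop() removes the entry on any attempt, so a token is never usable twice,
        # and a failed guess against a real token burns it rather than leaving it live.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False                       # unknown or already-used token
        stored_user, expires_at = entry
        if self._clock() > expires_at:
            return False                       # expired: user must request a new one
        return stored_user == username         # token must match the account it was issued for
```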
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
How could you do that without texting to their phone (expensive and relatively complicated to set up) or sending to a colleague, which is just as insecure?
Everyone will probably know everyone else's password anyway so a secret question is probably adequate security.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Just read portal and missed the active directory bit. Assumed it was a web based system - oops.
|
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
|
Hmmm I could configure it so that users are prompted to write their own questions and answers... but that won't really fix anything I guess when I start getting calls at 2am...
"I've forgotten what my favourite colour was 6 months ago"
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
I always try and pick the obscure secret question, then forget it.
Problem is, the stronger it becomes, the higher the likelihood is that it'll be forgotten. Much like a good password.
What about relaxing the policies on account lockouts?
|
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
|
quote: Originally posted by Ian
What about relaxing the policies on account lockouts?
That was my first suggestion, but it got shot down - apparently our current policies are too relaxed as it is...
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
You got any HR data? Like national insurance number, bank account etc.
|
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
|
quote: Originally posted by Ian
You got any HR data? Like national insurance number, bank account etc.
I thought about employee number, it's something which goes on each payslip and it's referenced whenever you book a holiday or whatever - but many of the users are contractors, and they don't have such a number.
I've fired it back to my boss now tbh, let him decide whether we want some easy questions or if he wants them more complex - he can think of them by himself
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
Anywhere we've put a stricter password policy in place it's caused me more work resetting the password every 3 months to something that circumvents the policy anyway.
|
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
User status: Offline
|
quote: Originally posted by John
Anywhere we've put a stricter password policy in place it's caused me more work resetting the password every 3 months to something that circumvents the policy anyway.
Same, and I agree it's just a massive pain in the ass.
|
Wrighty
Member
Registered: 28th Feb 04
Location: Howden
User status: Offline
|
6 digit PIN codes? Would integrate with RSA tokens later down the line too.
|