IAM Challenge Questions


Identity management solutions require specific skills to deploy them successfully. This presentation will help you start building some of those skills.


  1. Allidm.com. Discovering Identity and Access Management Solutions. Challenge Questions: Introduction. http://academy.allidm.com
  2. Stay connected to Allidm. Find us on Facebook: http://www.facebook.com/allidm. Follow us on Twitter: http://twitter.com/aidy_idm. Look for us on LinkedIn: http://www.linkedin.com/allidm. Visit our blog: http://www.allidm.com/blog
  3. Disclaimer and Acknowledgments. The contents here are created as a personal endeavor and thus do not reflect any official stance of any Identity and Access Management vendor on any particular technology.
  4. Contact Us. In this presentation we'll talk about some useful topics that you can use no matter which identity and access management solution or product you are working on. If you know one that makes a big difference, please tell us so we can include it in the future: aidy.allidm@gmail.com
  5. What's a Challenge Question? Challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. Challenge questions are used for security purposes to enable you to retrieve your password and to allow Customer Service to confirm your identity when you call. It is critical that you keep your challenge questions up to date.
  6. Benefits. Security questions reduce support costs by allowing users to retrieve their password rather than contacting support. Security questions are safer than trying to verify callers' identity over the phone. Sign-in verification can increase security over the routine user name/password option.
  7. When is it used? Challenge questions are used for credential recovery and for routine authentication. Password retrieval/reset: if you forget your password, the website asks a question and, if it is answered correctly, you get or reset the password. Sign-in verification: some websites occasionally display a security question during sign-in as a second level of verification.
  8. Types of Questions and Answers. Question types: the two types of questions that are likely to be most familiar are fixed questions and open questions. A fixed question provides a list of preset questions to a user, where the user's choice of question can be taken only "as is" from this list. An open question is one where a user has complete choice and control over the question; guidance on question construction may be provided to the user, but the user enters the question in free-form text. A controlled question lies between the extremes of a fixed question and an open question; it is a question whose content is partially fixed, although modifiable by the user. The fixed question might allow for additional text to be added, forming a modification of the original question, for example "What is Name's middle name?", where "Name" is the text the user adds. The fixed question might also support a combination with an optional user-provided hint, where the hint would be presented to the individual for authentication. Answer registration example from the slide: "What is a memorable date for you?", with a date field and a hint field.
  9. Answer Types. There are fixed answers, controlled answers, and open answers. A fixed answer set involves user selection of an answer from a preset list of answers. At the other extreme, an open answer involves a user manually entering his response. A controlled answer is one where the answer space is neither fixed nor open. Some ways in which this might be achieved are: providing a fixed set of answers where the answer space is large enough that most potential answers are allowed; or letting the individual enter an answer while controlling the format of the answer, so that answers that do not conform are rejected. For example, an individual might be asked to provide a memorable numeric value, so that alphabetic and punctuation characters would not be permitted in the answer text.
  10. Best Practices for Choosing Challenge Questions. Some simple rules when choosing the challenge questions your users can pick from: choose questions that don't have a limited number of answers; choose questions whose answers aren't likely to change over time; choose questions that everyone can answer; choose questions that can only be answered one way. Good security questions have four common characteristics. The answer to a good security question cannot be easily guessed or researched (safe), doesn't change over time (stable), is memorable, and is definitive or simple.
  11. Designing a Challenge Question Authentication System. Determining the number of questions to use. Determining the types of questions and answers to use: determining the appropriate question type and determining the appropriate answer type.
  12. Examples. What are the last four digits of your social security number? What are the first five characters of your driver's license number? What is your frequent flyer number? What are the first five digits of your spouse's social security number? What is the six-character alphanumeric PIN value that you chose to use for this question? What is your cell phone's SIM card ID number? (Careful: this could change often for some users.)
  13. Issues. Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered. Poor questions create security breaches and confusion, and cost money in support calls. Good security questions can be useful in the current environment, but are not common. A challenge question system may require an additional step to obtain the challenge questions. A challenge question system may choose not to obscure the display of the answers (as when each password character is replaced with a "*" on screen). A challenge question system may use more than one question-answer pair. A challenge question system may make use of an "out-of-band" authentication step.
  14. http://www.goodsecurityquestions.com/examples.htm: Good. What was your childhood nickname? In what city did you meet your spouse/significant other? What is the name of your favorite childhood friend? What street did you live on in third grade? What is your oldest sibling's birthday month and year? (e.g., January 1900) What is the middle name of your oldest child? What is your oldest sibling's middle name? What school did you attend for sixth grade? What was your childhood phone number including area code? (e.g., 000-000-0000) What is your oldest cousin's first and last name? What was the name of your first stuffed animal? In what city or town did your mother and father meet? Where were you when you had your first kiss? What is the first name of the boy or girl that you first kissed? What was the last name of your third grade teacher? In what city does your nearest sibling live? What is your oldest brother's birthday month and year? (e.g., January 1900) What is your maternal grandmother's maiden name? In what city or town was your first job? What is the name of the place your wedding reception was held? What is the name of a college you applied to but didn't attend? Where were you when you first heard about 9/11?
  15. http://www.goodsecurityquestions.com/examples.htm: Fair. What was the name of your elementary / primary school? What is the name of the company of your first job? What was your favorite place to visit as a child? What is your spouse's mother's maiden name? What is the country of your ultimate dream vacation? What is the name of your favorite childhood teacher? To what city did you go on your honeymoon? What time of the day were you born? What was your dream job as a child? What is the street number of the house you grew up in? What is the license plate (registration) of your dad's first car? Who was your childhood hero? What was the first concert you attended? What are the last 5 digits of your credit card? What are the last 5 of your Social Security number? What is your current car registration number? What are the last 5 digits of your driver's license number? What month and day is your anniversary? (e.g., January 2) What is your grandmother's first name? What is your mother's middle name? What is the last name of your favorite high school teacher? What was the make and model of your first car? Where did you vacation last year? What is the name of your grandmother's dog? What is the name, breed, and color of your current pet? What is your preferred musical genre? In what city and country do you want to retire? What is the name of the first undergraduate college you attended? What was your high school mascot? What year did you graduate from High School? What is the name of the first school you attended?
  16. http://www.goodsecurityquestions.com/examples.htm: Poor. What was your favorite sport in high school? What is the name of the High School you graduated from? What is your pet's name? In what year was your father born? In what year was your mother born? What is your mother's (father's) first name? What is your mother's maiden name? What was the color of your first car? What is your father's middle name? In what county were you born? How many bones have you broken? What is the first and last name of your favorite college professor? On which wrist do you wear your watch? What is the color of your eyes? What is the title and artist of your favorite song? What is the title and author of your favorite book? What is the name, breed, and color of your favorite pet? What is your favorite animal? What was the last name of your favorite teacher? What is your favorite team? What is your favorite movie? What is your favorite teacher's nickname? What is your favorite TV program? What is your least favorite nickname? What is your favorite sport? What is the name of your hometown? What is the color of your father's eyes? What is the color of your mother's eyes? What was the name of your first pet? What sports team do you love to see lose? In what city were you born? What is the city, state/province, and year of your birth? What is the name of your hometown newspaper? What is your favorite color? What was your hair color as a child? What is your work address? What is the street name your work or office is located on? What is your address, phone number?
  17. Challenge Question System Criteria. Privacy criteria: designers should give particular caution to using questions that ask for personal information. Security criteria relate directly to the confidentiality of the challenge question answers. Guessing difficulty: answers should be difficult to guess and have an answer space with a fairly uniform distribution. Observation difficulty: the answers to challenge questions should be difficult for an attacker to retrieve or observe easily.
  18. Usability Criteria. The usability of a challenge question system is concerned with providing a user-friendly experience at the stages of both answer registration and subsequent answer presentation. Applicability: the applicability criterion attempts to characterize the size of the target population for which a question might be applicable. Memorability: an answer is memorable as long as the user is able to recall the answer. This generally implies that the answer would be personally significant. Information that is used frequently will be more memorable, indicating that answers reflecting the habits, activities, or practices of users provide suitable answers. Repeatability: there are at least two aspects of answer repeatability to consider. First, answers should have few syntactic representations. For
  19. Allidm.com. Discovering Identity and Access Management Solutions. Allidm Academy: http://academy.allidm.com
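Slide 10's rule that a question should not have a limited number of answers, and slide 17's guessing-difficulty criterion (a large answer space with a fairly uniform distribution), can be checked numerically once a population of registered answers exists. The following is an added example and not code from the Allidm slides: it takes a sample of answers to one question and computes Shannon entropy, min-entropy and the share of users an attacker covers with the first few most common guesses. The two answer samples are constructed for illustration (a "favorite color" question from the Poor list against a "third-grade street" question from the Good list), and the acceptance thresholds in `rate_question` are assumptions, not a standard.

```python
"""Estimate the guessing difficulty of a challenge question from a sample of answers.

Added example: not part of the Allidm slides. The answer samples below are
constructed for illustration, not measured data.
"""
import math
from collections import Counter

# Constructed sample: 100 answers to "What is your favorite color?"
# (a small, skewed answer space).
COLOR_ANSWERS = (["blue"] * 35 + ["red"] * 20 + ["green"] * 15 + ["purple"] * 10
                 + ["black"] * 8 + ["yellow"] * 5 + ["orange"] * 4 + ["pink"] * 3)

# Constructed sample: 100 answers to "What street did you live on in third grade?"
# (a large answer space with only a few repeats).
STREET_ANSWERS = (["Elm St"] * 3 + ["Oak Ave"] * 2
                  + [f"constructed street {i}" for i in range(95)])


def answer_distribution(answers):
    """Count answers after trivial normalization (case and surrounding whitespace)."""
    return Counter(a.strip().casefold() for a in answers)


def shannon_entropy_bits(answers):
    """Average unpredictability of an answer drawn from this population."""
    counts = answer_distribution(answers)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def min_entropy_bits(answers):
    """Worst-case measure: -log2 of the single most common answer's share.
    This is the figure that matters for an attacker who gets one guess."""
    counts = answer_distribution(answers)
    return -math.log2(max(counts.values()) / sum(counts.values()))


def guess_success_probability(answers, guesses):
    """Share of users whose answer is among the `guesses` most common answers,
    i.e. how often a lockout after `guesses` attempts comes too late."""
    counts = answer_distribution(answers)
    top = sorted(counts.values(), reverse=True)[:guesses]
    return sum(top) / sum(counts.values())


def rate_question(answers, lockout_attempts=3, min_bits=3.0):
    """Example policy (thresholds are assumptions): the most common answer must be
    rarer than 2**-min_bits, and `lockout_attempts` guesses must succeed for
    fewer than 10% of users."""
    return (min_entropy_bits(answers) >= min_bits
            and guess_success_probability(answers, lockout_attempts) < 0.10)


if __name__ == "__main__":
    for name, sample in (("favorite color", COLOR_ANSWERS),
                         ("third-grade street", STREET_ANSWERS)):
        print(f"{name}: shannon={shannon_entropy_bits(sample):.2f} bits, "
              f"min-entropy={min_entropy_bits(sample):.2f} bits, "
              f"3-guess success={guess_success_probability(sample, 3):.0%}, "
              f"acceptable={rate_question(sample)}")
```

On the constructed samples the color question is answered "blue", "red" or "green" by 70% of users, so three attempts before lockout are not a meaningful limit, while the street question yields under 3 bits less than a 6% three-guess success rate. Min-entropy, not Shannon entropy, is the figure to compare against a lockout policy, because an attacker always tries the most common answer first.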
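Slide 9's controlled answers (answers that do not conform to the expected format are rejected), slide 17's requirement that stored answers stay confidential, and slide 18's repeatability point (an answer should have few syntactic representations) all meet at answer registration. The following is an added example and not code from the Allidm slides: it normalizes an answer so that case, accent, punctuation and spacing variants all verify as the same answer, enforces a per-question answer format, and stores only a salted PBKDF2 hash of the normalized answer next to the cleartext hint from slide 8's registration form. The format rules, the PBKDF2 parameters and the sample answers are assumptions for this illustration.

```python
"""Register and verify challenge-question answers: normalize for repeatability,
enforce the answer format (controlled answers), and store only a salted hash.

Added example: not part of the Allidm slides. The format rules and the PBKDF2
parameters are assumptions chosen for this illustration.
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Controlled-answer formats (assumed for this example). "numeric" implements the
# slides' "memorable numeric value" case: letters and punctuation are rejected.
FORMAT_RULES = {
    "free": re.compile(r"^.{2,64}$"),
    "numeric": re.compile(r"^\d{4,12}$"),
}


def normalize_answer(answer, fmt="free"):
    """Collapse the syntactic variants a user is likely to type into one form:
    strip accents, fold case, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^\w\s]", "", text)          # "St." and "St" become the same answer
    text = re.sub(r"\s+", " ", text).strip()
    if fmt == "numeric":
        text = text.replace(" ", "")             # "1234 5678" and "12345678" agree
    return text


def register_answer(answer, fmt="free", hint=None, iterations=200_000):
    """Return the record to store. The hint is kept in clear (it is shown back to
    the user); the answer itself is kept only as a salted PBKDF2-HMAC-SHA256
    hash, so a database leak does not disclose it."""
    norm = normalize_answer(answer, fmt)
    if not FORMAT_RULES[fmt].fullmatch(norm):
        raise ValueError(f"answer does not conform to the {fmt!r} format")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", norm.encode("utf-8"), salt, iterations)
    return {
        "fmt": fmt,
        "hint": hint,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify_answer(record, candidate):
    """Hash the candidate with the stored salt and compare in constant time.
    A candidate that fails the format check is simply a wrong answer."""
    norm = normalize_answer(candidate, record["fmt"])
    if not FORMAT_RULES[record["fmt"]].fullmatch(norm):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", norm.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample answers.
    rec = register_answer("Élm Street", hint="the street, not the house number")
    print(verify_answer(rec, "elm street"), verify_answer(rec, "Oak Street"))
    pin = register_answer("12-34 5678", fmt="numeric")
    print(verify_answer(pin, "12345678"))
```

Normalization happens before hashing at both registration and verification, so the stored record never reveals which spelling the user chose, and the answer is handled like a password (salted, stretched, compared in constant time) rather than as the cleartext that slide 13 warns some systems display unobscured.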