[LINK] Medicare "security"
David Lochrin
lochrin-01 at d2.net.au
Fri Sep 12 14:41:09 AEST 2008
> Oh my! David, I'm on a consulting panel for AGOSP which is proposing
> to use this exact same security strategy of five questions. They've had
> mixed response in focus groups. May I share your reaction with the
> group working on this? I can do it anonymously if you'd like.
Feel free, Jan. But please delete that last paragraph criticising the
development team before you do!

I think personal questions are probably fine for verbal interactions,
but not in this context. Much obviously depends on the user base
(general public, within an organisation, small, large) and the
sensitivity of the data.

The Medicare website asks for initial authentication using a Medicare
number and password and a second authentication later using a subset of
the five personal questions, which indicates they don't have much faith in
the first. IMO it would be better to improve the initial login if
necessary; however, a simple userid/password has apparently proven
adequate for the banks in the past. A token ("something you have") in
addition to a userid & password ("something you know") is very much better
again.

David

(PS: Jan, sorry for the duplicate post - I'm using an unfamiliar webmail!)