Microsoft Identity Lifecycle Manager "2:" Careful of how you use those question-and-answer gates

  • Article

One of the features of Microsoft Identity Lifecycle Manager "2" is self-service password re-set.  That feature sits on top of a generic facility of the Microsoft Identity Lifecycle Manager service that provides for multi-factor authentication. 

To explain, one can define any number of management policy rules in Microsoft Identity Lifecycle Manager "2," each of which may apply, according to your choice, to a narrow or a broad a variety of operation that users may attempt to perform.  Among other things, those rules may specify whether additional confirmation of the user's identity is necessary before permitting them to perform the operation.  In Microsoft Identity Lifecycle Manager "2" that addtional confirmation will always be in addition to a Kerberos token identifying whoever it was that initiated the operation.  If additional confirmation is required, then the management policy rule will identify the definition of a authentication workflow that must complete successfully before the requested operation willbe allowed to proceed.  An authentication workflow will typically incorporate one or more activities for obtaining additional confirmation of the identity of whoever requested the operation, confirmation that could cover any number of authentication factors. 

Microsoft Identity Lifecycle Manager "2" ships with one type of activity for corroborating identity: a question-and-answer activity.  If one was to use that activity as a means for corroborating the identity of someone attempting to re-set their password, then that activity would present questions to the user for which the user would have previously provided the answers, during the process of registering to use the password re-set facility.  So, for instance, the user might be confronted by any number of questions to confirm their identity, such as their mother's maiden name, the city of their birth, the make of their first car, and so on. 

Now, as you may have read, a person was arrested last week for breaking into U.S. vice-presidential candidate Sarah Palin's Yahoo e-mail account.  He is accused, apparently, of re-setting the password on the account, and publishling the new password on the Web, among other misdeeds.  The account's privacy was protected by question-and-answer authentication gates.  The lesson here is that if you are public figure, especially one as a visible as a candidate for U.S. federal executive office, then one will be afforded precious little protection by question-and-answer gates.  While most people will not know the answers to even a few commonplace questions about your life and mine, unfortunately, if you are a candidate for high office in a democracy with a free press, then anybody will be able to ascertain the answers to those same questions, in your case.