I believe this additional step is for anti-phishing. It is for the site to verify its authenticity to the user, not for the user to verify their authenticity to the site. The step to require them to select the correct one is to make sure they are actively verifying the image, and not ignoring it. I am not an expert on this technique or on your Security Office though, so I may be wrong.
From: Bryan Wooten [mailto:[email protected]]
Sent: Thursday, October 16, 2014 9:22 AM
To: [email protected]
Subject: [cas-user] Has anybody done this?

I heard a rumor today that our Security Office wants to change how CAS works. They want the users to pre-select a picture, then add a caption to it. When the user enters their netid they will be presented with multiple pictures and must select the correct one before being prompted for their password. I know this can be done via web flow in the same way that MFA works, but this just seems so wrong. I'd rather force everyone to use MFA.

Bryan Wooten
UIT-Common Infrastructure Systems

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
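The flow described in the thread (netid first, then a grid of pictures in which the user must pick the one they enrolled, then the caption is shown and only then the password prompt) reduces to two server-side operations: building the picture challenge and checking the selection. The following Python sketch is an added example and is neither CAS code nor anything posted by the participants; the enrolment store, image ids, the `SERVER_SECRET` value and the function names are all made up for illustration. It also goes one step beyond the rumor as described: an unknown netid gets a stable, secret-derived "real" image so the picture page does not reveal whether an account exists, which is a design choice of this example, not something the thread asks for.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample enrolment store (hypothetical): netid -> (image id, caption)
# chosen by the user in advance. Image ids stand in for files on the login server.
ENROLLED = {
    "bwooten": ("img_lighthouse", "summer 2012"),
    "alice": ("img_bicycle", "red bike"),
}

# Pool of images the server can show as decoys next to the enrolled one (constructed).
IMAGE_POOL = [
    "img_lighthouse", "img_bicycle", "img_cat", "img_bridge",
    "img_mountain", "img_coffee", "img_guitar", "img_sailboat",
]

# Assumed server-side secret. Used only to derive a consistent fake "real" image
# for netids that are not enrolled, so the challenge page looks the same for
# existing and non-existing accounts.
SERVER_SECRET = b"replace-with-a-real-secret"


def _secure_shuffle(items: List[str]) -> None:
    """In-place Fisher-Yates shuffle driven by the secrets module."""
    for i in range(len(items) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        items[i], items[j] = items[j], items[i]


def build_challenge(netid: str, n_choices: int = 4) -> List[str]:
    """Return the image ids to display for this netid, enrolled image included, in random order."""
    if netid in ENROLLED:
        real = ENROLLED[netid][0]
    else:
        # Unknown netid: derive a deterministic stand-in so repeated visits show
        # the same picture and the page cannot be used to enumerate accounts.
        digest = hmac.new(SERVER_SECRET, netid.encode(), hashlib.sha256).digest()
        real = IMAGE_POOL[digest[0] % len(IMAGE_POOL)]
    decoys = [img for img in IMAGE_POOL if img != real]
    choices = [real]
    for _ in range(n_choices - 1):
        choices.append(decoys.pop(secrets.randbelow(len(decoys))))
    _secure_shuffle(choices)
    return choices


def caption_after_selection(netid: str, chosen: str, challenge: List[str]) -> Optional[str]:
    """Gate before the password prompt.

    Returns the enrolled caption (the site's proof of itself to the user) only when
    an enrolled user picked their own image out of the challenge that was actually
    shown; returns None in every other case so the caller stops the flow.
    """
    if chosen not in challenge:
        return None          # selection was not one of the displayed images
    if netid not in ENROLLED:
        return None          # unknown accounts never reach the password step
    image_id, caption = ENROLLED[netid]
    if not hmac.compare_digest(image_id, chosen):
        return None
    return caption


def login_step(netid: str, chosen: str, challenge: List[str]) -> Tuple[str, Optional[str]]:
    """Decide the next web-flow state: ("prompt_password", caption) or ("deny", None)."""
    caption = caption_after_selection(netid, chosen, challenge)
    if caption is None:
        return ("deny", None)
    return ("prompt_password", caption)


if __name__ == "__main__":
    shown = build_challenge("bwooten")
    print("pictures shown:", shown)
    print("after correct pick:", login_step("bwooten", "img_lighthouse", shown))
    print("after wrong pick:", login_step("bwooten", "img_cat", shown))
```

Note that, as the reply above points out, this step only lets the site prove something to the user; it adds nothing to user authentication, and a proxying phisher that forwards the netid to the real server can fetch and display the same pictures. That is the reason a practitioner would still prefer real MFA over this scheme.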
