On Thu, Aug 07, 2008 at 08:53:58AM -0400, John Ioannidis wrote:
>
> Does anyone know how this "security questions" disease started, and why
> it is spreading the way it is? If your company does this, can you find
> the people responsible and ask them what they were thinking?

When I worked at DEC, in 1991, at least one internal purchasing system used this method of authentication. As a summer hire, I couldn't use it, but my boss had to authenticate this way whenever he made any major equipment order or transfer for our group.

IIRC, it used personal data already available to DEC -- so they didn't have to ask their employees for it -- emergency contact phone numbers, names of other insured parties on their health care, license plates of cars authorized to park in the work lot, etc -- and asked a small number of random questions for each transaction.

I thought it was pretty clever. I still do, actually.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]