I went online recently and for kicks typed in my grandfather's name. I found a full geneology of his family. If I knew your name, it might not be so hard to find out your grandmother's maiden name.

While I certainly like the 'challenge question' approach to customer authentication, it certainly is not without it's pitfalls. Most of my friends can accurately name my favorite food, my cats' names, my favorite sports team, and even how I like my coffee!

So we then go into the territory of either a random word, or a series of random letters/numbers/symbols (much like some of your more hacker-resistent passwords.)

Problem is, what do you do when your customer forgets the secret password. And you KNOW it's going to happen!

With respect to Grandmother's maiden name, the customer, theoretically, has two choices - maternal grandmother or paternal grandmother. There are no easy answers to this.

Heck - even biometrics is not fool proof and could lend itself to the infliction of serious bodily harm (or so some grisly scenes in a number of Sci-Fi movies would have you believe...)

I try to help customers to remember their passwords, but they e-mail us immediately after signing up wanting to know what they put in as a username and password.

Here is an excerpt from one of my Web pages: When creating passwords and PINs (personal identification numbers) do not use any part of your Social Security number, birth date, middle name, wife's name, child's name, pet's name, mother's maiden name, address, consecutive numbers, or anything that a thief could easily deduce or discover.
Use a mnemonic to form a password. As an example, “1TqBfJoTlD2” might be hard to remember, but it would be an effective password. It is long, alpha-numeric, upper and lowercase. But all we did was put a “1” and a “2” around alternating upper- and lowercase letters from “The Quick Brown Fox Jumped Over The Lazy Dog”. Certainly a favorite song or book tile, catch phrase, etc would work here as well.

And while those sci-fi type inventors create better mouse traps, bad guys do keep up. The better fingerprint scanners even detect temperature so that if the digit is removed for later use, they won't get access.

Remember when you didn't have to lock your door? Now we have to secure everything.

I know we seem to have strayed from the original topic, but I recently had to call my online banking provider and I was very satisfied with the steps they took to identify me. Besides asking my name, address, phone number, user name, and password; they asked me to identify three transactions that had posted to my account during the current statement period. I can imagine that the average customer would have gotten fed up and ticked off with the questions they asked, but I was happy that they were taking such steps to make sure it was me they were speaking to.

In reply to:

---

The better fingerprint scanners even detect temperature so that if the digit is removed for later use, they won't get access.

---

So what's to keep the bad guys from keeping that digit (or retina!) in a thermal preservative solution that would fool the heat sensor?

Growing up in L.A., I NEVER knew a time when I could leave the door unlocked! Even today, I notice if a car has been following me for more than 2 direction changes!

We, too, have a "unique identifier" that a customer can select - to be anything (clean) they want it to be. It's not required (yet) but has been helpful in identifying those customers who don't want to give us the last 4 digits of their TIN.