Educause Security Discussion mailing list archives

Re: Password - User Self Service Resets?


From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>
Date: Wed, 16 Mar 2005 09:16:14 -0600

On Tue, 15 Mar 2005, m-powe wrote:

My understanding is you can ask them for the SSN as long as you tell them
they do not have to give it to you and what the result of them not giving
it will be.

We are currently deploying a system that asks for the Date-of-Birth, the
SSN and the response to a question they have previously provided.  The
question is one of some really simple ones we have provided or one of
their choosing.  We kept our sample questions simple enough so I expect
most people to select their own questions.

Also, at the first screen we tell the person if they do not want to give
their SSN they can present their picture id at their campus Help Desk for
assistance.

Because of the geographic distribution of our system (11 campuses
throughout the state) and the growing Distance-Ed issues, we have had a
call for this service for some time and HOPE we have examined all the
issues involved.

I would discourage the use of the SSN for authenticating the person or
using any part of the SSN for the reset password.  You can ask people to
volunteer their SSN, but I do not believe you can require it for this
business purpose.

It's an issue for us, too, and we're moving toward collecting other
data to aid in the authentication process.

Mark


Mark M. Powell
Office of Information Technology
OIT Data Security
University of Minnesota
1300 S. 2nd Street, Room 548e
Minneapolis, MN 55454

612-625-8598
952-237-0306 (cell)
612-625-0303 (fax)
http://www.umn.edu/datasec/security
Passwords are like toothbrushes--change them often and don't share
them.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.



--

-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndsu NoDak edu
ND HECN MultiUser Host SysAd    office : IACC 206, NDSU
NDUS IT Security Officer        phone  : 701-231-7385
-----------------------------------------------------------------------
