Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Fri, 4 Jan 2008 08:45:19 -0500
Oops, you might need to change the link from https to http. Sorry about that.

Doug Markiewicz wrote:

A phone call to the Help Desk could just as easily give you the same information, so I see no issue with documenting this. Plus there's that whole security through obscurity argument if you really want to play devil's advocate. :-)

For local students, we recommend not resetting passwords unless they're physically present at the Help Center to show photo identification. For remote students, we recommend the student fax a copy of their photo ID. As an alternative for remote staff, we suggest confirming the password reset request with that person's manager. None of these are foolproof, but that's the way it goes sometimes.

We document these recommendations in our password management guidelines. See "Always verify a user’s identity before resetting a password" https://www.cmu.edu/iso/governance/guidelines/password-management.html

We do not have a policy on this specifically. We are getting ready to revamp our data classification and in the next iteration, account passwords will be included. Then all your usual policies on protection of data apply (e.g. access to sensitive data types must be authenticated).