Educause Security Discussion mailing list archives

Re: Self Service Password Reset


From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Thu, 5 Feb 2009 10:27:19 -0600

We are in the process of doing exactly the same thing.  We are rolling the
functionality out in phases to best accommodate several groups on campus
that have different needs/timetables.  The reset process will require
answering a few security questions as well as using an OTP sent to their
(non-Creighton) email or cell phone via SMS.  They will then be able to
create a new password.  This is an improvement on the old process which
required the person to know the ISO number on their ID card (this number is
different than the username they use to logon, and isn't based on ssn or
anything).  The process then reset the password to a predefined standard
that involved the SSN.

1. Do we want to force users to register their profile and if so, what is
the best approach for doing so?
Initially, we are not forcing anyone to do anything.  Existing people can
log into our account management system and set up their profile at any time.
Eventually (once we have things ironed out with HR and admissions), anyone
who gets an account in the domain (AD) will have to register a profile to
activate their account.

2. Is the forced registration different for existing and new faculty?  Is it
different for existing and new students?
The registration will not be forced for existing accounts, staff, or
faculty.  All new staff/faculty/students will go through the exact same
process, though that may change in the future as we may add other
HR/admissions processes into this step.

3. Should we force our new accounts to go through a registration workflow
that includes creating the profile?  Should we do the same for existing
accounts?
We will be.  It makes the most sense to ensure the most seamless experience
for the users.


One of the most discussed topics was the "How is someone going to use the
self service password reset if they can't even logon to a PC to begin with?"
All the things you describe are valid ways to do it.  We don't provide any
special mechanism at this point, though it really hasn't been much of an
issue here either.  I'm sure there are companies that will sell you modified
gina modules to enable a self-service reset if that was really important.

On 2/4/09 12:10 PM, "Di Fabio, Andrea" <adifabio () NSU EDU> wrote:

Experts,

I am seeking your feedback on how to implement Self Service Password Reset.
We have just finished the development and testing of an in-house, web-based
password reset program.  We are now looking at how to deploy it and are
seeking feedback from institutions that already have experience with it.

Here are some of the questions that we discussed and to which we are seeking
feedback.

1. Do we want to force users to register their profile and if so, what is
the best approach for doing so?
2. Is the forced registration different for existing and new faculty?  Is it
different for existing and new students?
3. Should we force our new accounts to go through a registration workflow
that includes creating the profile?  Should we do the same for existing
accounts?

One of the most discussed topics was the "How is someone going to use the
self service password reset if they can't even logon to a PC to begin with?"
We do not have MS programmers capable of rewriting the GINA and personally I
would not feel comfortable pushing an in-house built GINA campus-wide.  Some
of the suggestions ranged from creating a guest account, using kiosks, using
your neighbor's PC, dedicating some PCs in the labs, to calling the helpdesk
as the last resort.

Any thoughts, ideas, comments, suggestions?

Thanks.



sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0

Attachment: smime.p7s
Description:
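The reset flow Adam describes (register a profile with security questions and an off-campus contact, send a one-time code to that contact, verify both factors, then let the user set a new password) is the kind of thing that is easy to get subtly wrong: answers stored in the clear, codes that never expire, unlimited guesses, or a reset link that works more than once. The following is an added illustration written for this archive page; it is not code from Creighton's or NSU's system. The class and function names, the in-memory storage, the injectable clock and the `deliver` callback standing in for an email/SMS gateway are all assumptions made for the example.

```python
"""Self-service password reset: profile registration, knowledge-based
questions plus an out-of-band one-time code, then a single-use reset token.
Constructed example; storage and the delivery channel are in-memory stubs."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000      # assumption: kept low so the example runs quickly
OTP_TTL_SECONDS = 600       # one-time code is valid for ten minutes
MAX_OTP_ATTEMPTS = 5        # failed verifications before the pending reset is voided


def _normalize(answer: str) -> str:
    # People rarely type an answer identically twice; compare case- and whitespace-insensitively.
    return " ".join(answer.lower().split())


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Answers and codes are treated like passwords: salted, slow hash, never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Profile:
    contact: str                                   # non-institutional email or SMS number
    answers: dict[str, tuple[bytes, bytes]]        # question -> (salt, hash of normalized answer)


@dataclass
class PendingReset:
    otp_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class ResetService:
    def __init__(self, clock=time.time, deliver=None):
        self.profiles: dict[str, Profile] = {}
        self.pending: dict[str, PendingReset] = {}
        self.reset_tokens: dict[str, str] = {}     # token -> username, consumed on first use
        self.passwords: dict[str, bytes] = {}      # username -> salt + hash
        self.clock = clock
        self.deliver = deliver or (lambda contact, code: None)   # stub for the email/SMS gateway

    def register_profile(self, username: str, contact: str, answers: dict[str, str]) -> None:
        """Step 1: the user registers an out-of-band contact and question answers."""
        stored = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            stored[question] = (salt, _hash_secret(_normalize(answer), salt))
        self.profiles[username] = Profile(contact, stored)

    def begin_reset(self, username: str) -> None:
        """Step 2: send a one-time code to the registered contact. Unknown usernames
        get the same (empty) response, so the endpoint does not confirm accounts."""
        profile = self.profiles.get(username)
        if profile is None:
            return
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingReset(
            _hash_secret(code, salt), salt, self.clock() + OTP_TTL_SECONDS)
        self.deliver(profile.contact, code)

    def verify(self, username: str, answers: dict[str, str], code: str) -> str | None:
        """Step 3: security questions and the code must both pass within the TTL
        and attempt budget. Returns a single-use reset token, or None."""
        profile = self.profiles.get(username)
        pending = self.pending.get(username)
        if profile is None or pending is None:
            return None
        if self.clock() > pending.expires_at or pending.attempts >= MAX_OTP_ATTEMPTS:
            del self.pending[username]           # expired or exhausted: start over
            return None
        pending.attempts += 1
        ok = True
        # Check every answer even after a mismatch so timing does not reveal which one failed.
        for question, (salt, expected) in profile.answers.items():
            given = _hash_secret(_normalize(answers.get(question, "")), salt)
            ok &= hmac.compare_digest(given, expected)
        ok &= hmac.compare_digest(_hash_secret(code, pending.salt), pending.otp_hash)
        if not ok:
            return None
        del self.pending[username]               # a successful code is not reusable
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        """Step 4: the token is consumed on first use, so a leaked link works at most once."""
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[username] = salt + _hash_secret(new_password, salt)
        return True
```

The two details worth carrying into a real deployment are that the one-time code and the question answers are both hashed at rest (a database dump then yields neither), and that every pending reset carries its own expiry and attempt counter, so a six-digit code cannot simply be enumerated. Injecting `clock` and `deliver` keeps the flow testable without a real mail or SMS gateway.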
