Educause Security Discussion mailing list archives
Re: Self Service Password Reset
From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Thu, 5 Feb 2009 10:27:19 -0600
We are in the process of doing exactly the same thing. We are rolling the functionality out in phases to best accommodate several groups on campus that have different needs/timetables. The reset process will require answering a few security questions as well as using an OTP sent to their (non-Creighton) email or cell phone via SMS. They will then be able to create a new password. This is an improvement on the old process which required the person to know the ISO number on their ID card (this number is different than the username they use to log on, and isn't based on SSN or anything). The process then reset the password to a predefined standard that involved the SSN.
1. Do we want to force users to register their profile and if so, what is the best approach for doing so?
Initially, we are not forcing anyone to do anything. Existing people can log into our account management system and set up their profile at any time. Eventually (once we have things ironed out with HR and admissions), anyone who gets an account in the domain (AD) will have to register a profile to activate their account.
2. Is the forced registration different for existing and new faculty? Is it different for existing and new students?
The registration will not be forced for existing accounts, staff, or faculty. All new staff/faculty/students will go through the exact same process, though that may change in the future as we may add other HR/admissions processes into this step.
3. Should we force our new accounts to go through a registration workflow that includes creating the profile? Should we do the same for existing accounts?
We will be. It makes the most sense to ensure the most seamless experience for the users.
One of the most discussed topics was the "How is someone going to use the self service password reset if they can't even log on to a PC to begin with?"
All the things you describe are valid ways to do it. We don't provide any special mechanism at this point, though it really hasn't been much of an issue here either. I'm sure there are companies that will sell you modified GINA modules to enable a self-service reset if that was really important.
On 2/4/09 12:10 PM, "Di Fabio, Andrea" <adifabio () NSU EDU> wrote:
Experts, I am seeking your feedback on how to implement Self Service Password Reset. We have just finished the development and testing of an in-house, web-based password reset program. We are now looking at how to deploy it and are seeking feedback from institutions that already have experience with it. Here are some of the questions that we discussed and to which we are seeking feedback.
1. Do we want to force users to register their profile and if so, what is the best approach for doing so?
2. Is the forced registration different for existing and new faculty? Is it different for existing and new students?
3. Should we force our new accounts to go through a registration workflow that includes creating the profile? Should we do the same for existing accounts?
One of the most discussed topics was the "How is someone going to use the self service password reset if they can't even log on to a PC to begin with?" We do not have MS programmers capable of rewriting the GINA and personally I would not feel comfortable pushing an in-house built GINA campus-wide. Some of the suggestions ranged from creating a guest account, using kiosks, using your neighbor's PC, dedicating some PCs in the labs to calling the helpdesk as the last resort.
Any thoughts, ideas, comments, suggestions? Thanks.
sha1( Adam Schumacher Information Security Engineer Creighton University Don't share your password with ANYONE, EVER. This means YOU! 402-280-2383 402-672-1732 ) = 1a72637cf94189654ab1a827520a5e41738f41b0