Educause Security Discussion mailing list archives
Re: Self-service password change authentication criteria
From: Gary Dobbins <dobbins () ND EDU>
Date: Mon, 19 Oct 2009 19:08:22 -0400
Or a cell phone number - text them a one-time reset URL. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian Sent: Monday, October 19, 2009 7:02 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Self-service password change authentication criteria When an account is setup, we allow students to specify an alternate e-mail address for password recovery. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College Office: 520-206-4873 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Tanner Sent: Monday, October 19, 2009 3:33 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Self-service password change authentication criteria Hi, When a student, staff or faculty member has either forgotten their password or failed to change it by the expiry deadline, we have been using mother's maiden name and SSN for authentication. Unfortunately, not all students have an SSN on file and we want to get away from using the SSN even if they did. What criteria are schools that do self-service using? We've thought about looking for other pieces of information we already have on file that the user is likely to remember about him or herself and we've also thought about using the two secret questions technique. Are there other methods in common use? What is considered best practice in higher education? Thanks, Rob Rob Tanner UNIX Services Manager Linfield College, McMinnville Oregon
Current thread:
- Self-service password change authentication criteria Rob Tanner (Oct 19)
- <Possible follow-ups>
- Re: Self-service password change authentication criteria Basgen, Brian (Oct 19)
- Re: Self-service password change authentication criteria Gary Dobbins (Oct 19)