Educause Security Discussion mailing list archives

Re: Self-service password change authentication criteria


From: Gary Dobbins <dobbins () ND EDU>
Date: Mon, 19 Oct 2009 19:08:22 -0400

Or a cell phone number - text them a one-time reset URL.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Monday, October 19, 2009 7:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Self-service password change authentication criteria


When an account is set up, we allow students to specify an alternate e-mail address for password recovery.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Tanner
Sent: Monday, October 19, 2009 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-service password change authentication criteria

Hi,

When a student, staff or faculty member has either forgotten their password or failed to change it by the expiry 
deadline, we have been using mother's maiden name and SSN for authentication.  Unfortunately, not all students have an 
SSN on file and we want to get away from using the SSN even if they did.

What criteria are schools that do self-service using?  We've thought about looking for other pieces of information we 
already have on file that the user is likely to remember about him or herself and we've also thought about using the 
two secret questions technique.  Are there other methods in common use?  What is considered best practice in higher 
education?

Thanks,
Rob


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
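
The one-time reset URL suggested in the first reply of this thread, sketched as an added example that is not part of the original messages: the token is random, stored only as a hash, expires, and is consumed on first use. The host name, the 15-minute lifetime, and the class and method names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60                       # assumed lifetime, kept short
RESET_BASE_URL = "https://idm.example.edu/reset"  # placeholder host, not a real service


class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) hex -> (username, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def issue(self, username):
        """Return a single-use reset URL to send to the address or number on file."""
        # A new request invalidates any older outstanding token for this user.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is stored, so a leaked table yields no usable URLs.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._now() + TOKEN_TTL_SECONDS)
        return f"{RESET_BASE_URL}?token={token}"

    def redeem(self, token):
        """Return the username if the token is valid, else None. Consumes the token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works at most once
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username
```

Delivery of the URL by SMS or to the alternate e-mail address is outside this sketch; the caller should give the same response whether or not the account exists.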
