Educause Security Discussion mailing list archives
Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches
From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Fri, 17 Feb 2012 11:54:19 +1300
Which Oracle OAAM product I wonder? We are currently attempting to implement Oracles latest (sorry I don't have the version number) self service offering the Oracle Identity Manager. It does not even come close to achieving what Oracle claims.
The configuration options are very limited and the interface is poorly written. Things like questions and answers do not even line up on screen. For instance we configured the product to get users to answer 6 questions with the idea that they would be offered 3 during a reset. Earlier versions did this but the current version offers all 6 to users. We have been constantly finding major bugs in the product.
We had to compromise on so many of our password management requirements that when we finally got to test the final offering, our office recommended that we did not proceed with the role out of the self service component. I understand that the deployment team is reasonably happy with the back end components.
My current thoughts are to implement another password reset product and tie that into Oracle's OIM. Has anyone done this or have any recommendation for self service products?
As far as questions go we utilised a student intern to come up with a set of questions that would be relevant to younger people. As part of that we test drove them to see if users could remember the answers by getting them to re-answer the questions a couple of months later. This resulted in some questions getting rewritten or dropped.
Mark On 15/02/2012 5:29 a.m., Gary Flynn wrote:
We have a home grown system we were going to rewrite and then found that Oracle's OAAM product had a lot of the features we specified in the new design proposal in addition to giving us a way to deploy wide-spread enhanced authentication and risk based access control options so we're using that. We're early in the requirements validation and design phase so I don't have any documents for you. You can see the original design proposal we were using when contemplating a rewrite of the current system at: www.jmu.edu/computing/security/info/accountmgmt.ppt SCHALIP, MICHAEL wrote:Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....)Thanks, Michael -----Original Message-----From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary FlynnSent: Tuesday, February 14, 2012 8:31 AM To: SECURITY () LISTSERV EDUCAUSE EDUSubject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approachesWe're currently using question/answer pairs but we're implementing a new system that can support out of band email and cellphone confirmationif we choose to enable it. Lots of policy and procedure discussions remainthough. We've also been talking about various fall-back scenarios when questions, cellphones, tokens, and other self-service means fail. In the non-cyber world, we identify people by looking at their faces and identity cards. In the age of the internet and widespread webcams on almost every device, why not have a person wanting to prove their identity call the helpdesk while in front of a web cam. The helpdesk would have access to a database of peoples' pictures. The helpdesk would ask the individual to hold up their ID in front of the camera. A 'wiggle two fingers' or similar request could confirm a live image. The ID couldn't be verified as closely for tampering but I'd think the process would still be more accurate than question/answer pairs. It puts some responsibility on the helpdesk staff but they'd be doing more or less the same thing if the person was at the desk in person. Thoughts?
-- Mark Borrie Information Security Manager, Information Technology Services, University of Otago, Dunedin, N.Z. Ph +64 3 479-8395, Fax +64 3 479-8813
Current thread:
- Re: Self-service password reset approaches, (continued)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Burton, Abigail F (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Gary Flynn (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches SCHALIP, MICHAEL (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Mark Borrie (Feb 16)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 21)
- Re: Self-service password reset approaches randy marchany (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Steve Werby (Feb 20)