Educause Security Discussion mailing list archives
Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 21 Feb 2012 10:08:13 -0500
Mark Borrie wrote:

> Which Oracle OAAM product I wonder? We are currently attempting to implement Oracle's latest (sorry I don't have the version number) self service offering, the Oracle Identity Manager. It does not even come close to achieving what Oracle claims.

OIM is their provisioning product. OIM has been used in our provisioning process for a number of years. We chose not to use its self-service functionality and depend upon a custom portal for that.

OAM is their access control product, mostly for web applications. Agents on protected web resources redirect requests to the OAM server where the identity, requested URL and other parameters (e.g. IP address) are compared to policy and access granted accordingly; perhaps requiring things like 2-factor or certificate based authentication. This offers a central place for integrating such things. We will be implementing that along with OAAM.

OAAM is their "adaptive security" and risk product. Using it, a login or self-service portal can make calls to check for and initiate required authentication types based on configured policy (e.g. person X logging in from location Y on device Z attempting to perform transaction A needs OOB cellphone OTP and visual keyboard for password entry).

OAAM was purchased as it provides functionality we didn't want to write in our accounts portal replacement project and adds the potential for offering enhanced authentication options to a wide audience and advanced risk based authorization decisions.

The product set that makes up their identity management related options is quite confusing. Oracle purchased all the products from different companies and they have some functionality overlap. For example, all three have some form of provisioning or enrollment capabilities. All three have some form of self-service capabilities though none met our desires out of the box. Ergo, we're developing custom login and self-service portals as the front end to OAM/OAAM/OIM.

In addition to OIM, OAM, and OAAM, the identity management set of products also includes OID, OVD, OUD, OIF, and OESSO. OMG :)

> The configuration options are very limited and the interface is poorly written. Things like questions and answers do not even line up on screen. For instance we configured the product to get users to answer 6 questions with the idea that they would be offered 3 during a reset. Earlier versions did this but the current version offers all 6 to users. We have been constantly finding major bugs in the product.
>
> We had to compromise on so many of our password management requirements that when we finally got to test the final offering, our office recommended that we did not proceed with the roll out of the self service component. I understand that the deployment team is reasonably happy with the back end components.
>
> My current thoughts are to implement another password reset product and tie that into Oracle's OIM. Has anyone done this or have any recommendation for self service products?
>
> As far as questions go we utilised a student intern to come up with a set of questions that would be relevant to younger people. As part of that we test drove them to see if users could remember the answers by getting them to re-answer the questions a couple of months later. This resulted in some questions getting rewritten or dropped.
>
> Mark
>
> On 15/02/2012 5:29 a.m., Gary Flynn wrote:
>
>> We have a home grown system we were going to rewrite and then found that Oracle's OAAM product had a lot of the features we specified in the new design proposal in addition to giving us a way to deploy wide-spread enhanced authentication and risk based access control options so we're using that. We're early in the requirements validation and design phase so I don't have any documents for you. You can see the original design proposal we were using when contemplating a rewrite of the current system at: www.jmu.edu/computing/security/info/accountmgmt.ppt
>>
>> SCHALIP, MICHAEL wrote:
>>
>>> Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....)
>>>
>>> Thanks, Michael
>>>
>>> -----Original Message-----
>>> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
>>> Sent: Tuesday, February 14, 2012 8:31 AM
>>> To: SECURITY () LISTSERV EDUCAUSE EDU
>>> Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches
>>>
>>>> We're currently using question/answer pairs but we're implementing a new system that can support out of band email and cellphone confirmation if we choose to enable it. Lots of policy and procedure discussions remain though. We've also been talking about various fall-back scenarios when questions, cellphones, tokens, and other self-service means fail.
>>>>
>>>> In the non-cyber world, we identify people by looking at their faces and identity cards. In the age of the internet and widespread webcams on almost every device, why not have a person wanting to prove their identity call the helpdesk while in front of a web cam. The helpdesk would have access to a database of people's pictures. The helpdesk would ask the individual to hold up their ID in front of the camera. A 'wiggle two fingers' or similar request could confirm a live image. The ID couldn't be verified as closely for tampering but I'd think the process would still be more accurate than question/answer pairs. It puts some responsibility on the helpdesk staff but they'd be doing more or less the same thing if the person was at the desk in person. Thoughts?
-- Gary Flynn Security Engineer James Madison University
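The policy-driven step-up decision that an adaptive-authentication product such as OAAM makes for a login or self-service portal, written out as an added example for this thread (it is not Oracle's API or JMU's configuration; the risk weights, factor names, thresholds and sample contexts are all assumed). It also covers the fall-back ordering the thread raises for when a cellphone or email channel is not enrolled.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class LoginContext:
    user: str
    country: str             # geolocated from the source IP (assumed resolved upstream)
    device_registered: bool  # device fingerprint previously enrolled for this user
    transaction: str         # e.g. "login", "password_reset", "change_bank_details"

@dataclass
class UserProfile:
    home_country: str
    has_cellphone: bool      # enrolled for out-of-band SMS OTP
    has_email: bool          # enrolled for out-of-band email OTP

# Constructed policy: each risk signal adds to a score, and score thresholds
# decide which extra authentication steps the portal must initiate.
SENSITIVE_TRANSACTIONS = {"password_reset", "change_bank_details"}

def risk_score(ctx: LoginContext, prof: UserProfile) -> int:
    """Sum of weighted risk signals for this request (weights are assumed)."""
    score = 0
    if ctx.country != prof.home_country:
        score += 2   # unfamiliar location
    if not ctx.device_registered:
        score += 1   # unknown device
    if ctx.transaction in SENSITIVE_TRANSACTIONS:
        score += 2   # high-impact transaction
    return score

def required_factors(ctx: LoginContext, prof: UserProfile) -> List[str]:
    """Ordered list of authentication steps the policy demands for this request."""
    score = risk_score(ctx, prof)
    factors = ["password"]
    if score >= 2:
        # Visual keyboard for password entry on a risky session
        factors.append("visual_keyboard")
    if score >= 3:
        # Out-of-band confirmation, with fall-back when a channel is not enrolled
        if prof.has_cellphone:
            factors.append("oob_sms_otp")
        elif prof.has_email:
            factors.append("oob_email_otp")
        else:
            factors.append("helpdesk_verification")  # last resort: human process
    return factors
```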