Re: Self Service Password Reset

["Schumacher, Adam J." <adamschumacher () CREIGHTON EDU>]

That is why we went with the two factor approach, to mitigate against a guessing attack.  Most everyone has at least 
either a cell phone or a second email address.  Of course, if they've used the same easily guessed questions for their 
external email password reset....

::Adam

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
> Sent: Thursday, July 05, 2012 17:47
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Self Service Password Reset
>
> Excellent point Adam.  The particular case we were considering with this
> question was our high level people (provost, president, etc).  Namely, what
> would happen if someone were able to answer the challenge questions and
> take over their account.  How much damage could be caused in such an
> instance.  Granted, the likelihood of that happening is very low, but still...
>
> I wanted to ask the question to determine if we were being overzealous on
> this particular point.  Thanks!
>
> Shawn
>
> -----
> Shawn A. Kohrman, Security Architect
>
>
> Azusa Pacific University
> Information & Media Technology
> 901 E. Alosta Ave., PO Box 7000
> Azusa, CA 91702-7000
>
> P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
> -----
>
>
>
> On Thu, Jul 5, 2012 at 3:37 PM, Schumacher, Adam J.
> <adamschumacher () creighton edu> wrote:
>
>
>       Maybe I am missing something obvious, but why would you want to
> exclude users from being able to reset their own password?  Our self-service
> requires "multi-factor" authentication (answer security questions & access to
> external email account or cell phone), and unless the user has not provided
> the required information (or doesn't remember what it was), she should be
> able to reset the password.  We encourage this as much as possible, as it
> reduces the load on the HD.  Even if the customer calls the help desk and
> needs some kind of manual intervention (forgot answers, never set it up,
> etc), they will walk her through setting up and using the self-service tools so
> that next time maybe she will not need to call.
>
>       ::Adam
>
>
>       > -----Original Message-----
>       > From: The EDUCAUSE Security Constituent Group Listserv
>       > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn
> Kohrman
>       > Sent: Tuesday, July 03, 2012 15:32
>       > To: SECURITY () LISTSERV EDUCAUSE EDU
>       > Subject: [SECURITY] Self Service Password Reset
>       >
>       > For those of you who have self service password reset tools, do
> you maintain
>       > a list of users who are excluded from using the tool?  If so, how did
> you go
>       > about establishing your criteria?
>       >
>       > Shawn
>       >
>       > -----
>       > Shawn A. Kohrman, Security Architect
>       >
>       >
>       > Azusa Pacific University
>       > Information & Media Technology
>       > 901 E. Alosta Ave., PO Box 7000
>       > Azusa, CA 91702-7000
>       >
>       > P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
>       > -----