Educause Security Discussion mailing list archives
Re: Self Service Password Reset
From: "Schumacher, Adam J." <adamschumacher () CREIGHTON EDU>
Date: Thu, 5 Jul 2012 23:00:44 +0000

That is why we went with the two factor approach, to mitigate against a guessing attack. Most everyone has at least either a cell phone or a second email address. Of course, if they've used the same easily guessed questions for their external email password reset....

::Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
Sent: Thursday, July 05, 2012 17:47
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Self Service Password Reset

Excellent point Adam. The particular case we were considering with this question was our high level people (provost, president, etc). Namely, what would happen if someone were able to answer the challenge questions and take over their account. How much damage could be caused in such an instance. Granted, the likelihood of that happening is very low, but still... I wanted to ask the question to determine if we were being overzealous on this particular point.

Thanks!

Shawn

-----
Shawn A. Kohrman, Security Architect
Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000
P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
-----

On Thu, Jul 5, 2012 at 3:37 PM, Schumacher, Adam J. <adamschumacher () creighton edu> wrote:

Maybe I am missing something obvious, but why would you want to exclude users from being able to reset their own password? Our self-service requires "multi-factor" authentication (answer security questions & access to external email account or cell phone), and unless the user has not provided the required information (or doesn't remember what it was), she should be able to reset the password.

We encourage this as much as possible, as it reduces the load on the HD. Even if the customer calls the help desk and needs some kind of manual intervention (forgot answers, never set it up, etc), they will walk her through setting up and using the self-service tools so that next time maybe she will not need to call.

::Adam

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
> Sent: Tuesday, July 03, 2012 15:32
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Self Service Password Reset
>
> For those of you who have self service password reset tools, do you maintain
> a list of users who are excluded from using the tool? If so, how did you go
> about establishing your criteria?
>
> Shawn
>
> -----
> Shawn A. Kohrman, Security Architect
>
>
> Azusa Pacific University
> Information & Media Technology
> 901 E. Alosta Ave., PO Box 7000
> Azusa, CA 91702-7000
>
> P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
> -----