Educause Security Discussion mailing list archives

Password reset options for single sign-on


From: Boaz Gelbord <GelbordB () NEWSCHOOL EDU>
Date: Tue, 24 Oct 2006 16:48:43 -0400

Hi all,

We're migrating to a single sign-on for our web portal and mail, and
are considering the issue of how to securely have a reset password
function.  Users frequently need to reset their passwords because they
have forgotten them.

The current Novell eDirectory system we are using allows us to ask
reset questions like "What is your mother's maiden name?", but we are
concerned about the security risks involved here, especially since the
single sign-on will allow students access to both their email and a lot
of personal information.

Some of the alternative options we are considering are:

- Asking a series of questions instead of just one.
- Forcing users to choose a secret PIN to be used for password resets.
- Asking users for other information such as the last few digits of
their SSN (this will be technically difficult and not all students have
an SSN).
- Sending password reset instructions to a secondary email address or by
SMS to cell phones (difficult because not all students have another
email address or cell phone number).

I'd be very interested in knowing how other institutions are dealing
with this issue.

Thanks very much,

Boaz Gelbord

Manager of Information Security
The New School
55 West 13th Street NYC 10011
www.newschool.edu
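The last option in the list above (sending reset instructions to a secondary address or phone) is the one that does not depend on guessable personal facts, and the usual way to build it is with a random, short-lived, single-use token delivered out of band. The example below is an added illustration of that design and is not code from the original post or from The New School; the user directory, the contact addresses, the 15-minute lifetime and the `request_reset` response text are all constructed assumptions. Only a hash of the token is stored, so a read of the token table does not let an attacker reset anyone's password, the comparison is constant-time, and the request endpoint answers identically whether or not the account has a recovery contact, so it cannot be used to enumerate accounts.

```python
"""Out-of-band password reset tokens (added example, not the original poster's code).

A reset token is generated with a CSPRNG, only its SHA-256 hash is kept
alongside an expiry, and the plaintext token is handed to an out-of-band
channel (secondary email or SMS).  Redemption is single use.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window

# Constructed sample directory for the demo; not real accounts or addresses.
USERS = {
    "alice": {"secondary_email": "alice.personal@example.net", "sms": None},
    "bob": {"secondary_email": None, "sms": None},  # no recovery contact on file
}


class ResetTokenStore:
    """Keeps hashed, expiring, single-use reset tokens keyed by user id."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user_id -> (token_hash, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id and return the plaintext.

        The plaintext is returned only so it can be delivered out of band;
        it is never stored.  Issuing again replaces any earlier token.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, presented):
        """Return True once for the correct, unexpired token; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user_id]   # expired tokens are discarded
            return False
        # Constant-time comparison of hashes, so timing does not leak prefix matches.
        if not hmac.compare_digest(token_hash, self._hash(presented)):
            return False
        del self._pending[user_id]       # single use: a replayed token fails
        return True


def request_reset(store, outbox, username):
    """Handle a 'forgot password' request.

    outbox is a list standing in for the email/SMS gateway; each entry is
    (contact, token).  The return value is identical in every case so the
    endpoint does not reveal whether the account exists or has a recovery
    contact, which matters when some students have neither.
    """
    user = USERS.get(username)
    if user is not None:
        contact = user["secondary_email"] or user["sms"]
        if contact is not None:
            outbox.append((contact, store.issue(username)))
    return "If this account has a recovery contact on file, reset instructions have been sent."


def complete_reset(store, username, presented_token, new_password, password_db):
    """Set the new password only if the out-of-band token checks out."""
    if not store.redeem(username, presented_token):
        return False
    password_db[username] = new_password   # in practice: hash with a password KDF
    return True


if __name__ == "__main__":
    store, outbox, passwords = ResetTokenStore(), [], {}
    print(request_reset(store, outbox, "alice"))
    contact, token = outbox[-1]
    print("delivered to", contact)
    print("reset ok:", complete_reset(store, "alice", token, "new-pass", passwords))
    print("replay ok:", complete_reset(store, "alice", token, "again", passwords))
```

The store above keys tokens by user so that one account can have at most one outstanding token, which also bounds the amount of guessing an attacker can do against a given account; with 256 random bits per token, rate limiting the redeem endpoint is a belt-and-braces measure rather than the main defence.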
