Educause Security Discussion mailing list archives
Password reset options for single sign-on
From: Boaz Gelbord <GelbordB () NEWSCHOOL EDU>
Date: Tue, 24 Oct 2006 16:48:43 -0400
Hi all,

We're migrating to a single sign-on for our web portal and mail, and are considering the issue of how to securely have a reset password function. Users frequently need to reset their passwords because they have forgotten them. The current Novell eDirectory system we are using allows us to ask reset questions like "What is your mother's maiden name?", but we are concerned about the security risks involved here, especially since the single sign-on will allow students access to both their email and a lot of personal information.

Some of the alternative options we are considering are:

- Asking a series of questions instead of just one.
- Forcing users to choose a secret PIN to be used for password resets.
- Asking users for other information such as the last few digits of their SSN (this will be technically difficult and not all students have a SSN).
- Sending password reset instructions to a secondary email address or by SMS to cell phones (difficult because not all students have another email address or cell phone number)

I'd be very interested in knowing how other institutions are dealing with this issue.

Thanks very much,

Boaz Gelbord
Manager of Information Security
The New School
55 West 13th Street
NYC 10011
www.newschool.edu