Educause Security Discussion mailing list archives

Re: Password reset options for single sign-on


From: "Hunt,Keith A" <keith () UAKRON EDU>
Date: Tue, 24 Oct 2006 17:21:49 -0400

 
Hi all,

We're migrating to a single sign-on for our web portal and 
mail, and are considering the issue of how to securely have a 
reset password function.  Users frequently need to reset 
their passwords because they have forgotten them.

The current Novell eDirectory system we are using allows us 
to ask reset questions like "What is your mother's maiden 
name?", but we are concerned about the security risks 
involved here, especially since the single sign-on will allow 
students access to both their email and a lot of personal information.

Some of the alternative options we are considering are:

- Asking a series of questions instead of just one.
- Forcing users to choose a secret PIN to be used for password resets.
- Asking users for other information such as the last few 
digits of their SSN (this will be technically difficult and 
not all students have a SSN).
- Sending password reset instructions to a secondary email 
address or by SMS to cell phones (difficult because not all 
students have another email address or cell phone number)

I'd be very interested in knowing how other institutions are 
dealing with this issue.  

Thanks very much,

Boaz Gelbord

Manager of Information Security
The New School
55 West 13th Street NYC 10011
www.newschool.edu 


In a nutshell, this is how we do it:

User must set up the challenge questions and answers in advance. Must
choose and answer six questions from our list and optionally one of her
own. (It's a bit of a tricky thing to provide questions that you expect
the user to remember without making them easily guessed.)


To use the system the user must provide network ID, first name, last
name and either SSN or university ID number. A session ID is created and
used to limit the entire process to 15 minutes. Three of the user's
questions are selected at random. Each must be answered correctly, one
question at a time. An incorrect answer locks the user out for 15
minutes. Three failed attempts locks the user out for good and he must
then contact the help desk for further assistance.

Notices of successful and unsuccessful attempts are sent to the user's
email address.

--
Keith Hunt  330.972.7968  keith () uakron edu
Internet & Server Systems 
The University of Akron 
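The workflow Keith describes (advance enrolment of six questions, an identity-proof step, a 15-minute session, three randomly chosen questions answered one at a time, a 15-minute lock after one wrong answer, a permanent lock after three, and e-mail notices) is easy to get subtly wrong, so here is a self-contained model of it. This is an added example written for this archive page, not the University of Akron's code. Assumptions: only the university ID is used as the identity token (the post also accepts SSN); answers are normalized and stored as salted PBKDF2 hashes; the user and question data are constructed sample values.

```python
"""Challenge-question password reset modelled on the workflow described above.
Added example: all names, parameters and sample data are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

ENROLL_MIN = 6            # questions a user must enrol in advance
QUESTIONS_PER_RESET = 3   # chosen at random per reset attempt
SESSION_TTL = 15 * 60     # whole reset must finish within 15 minutes
LOCKOUT_SECS = 15 * 60    # one wrong answer locks the account for 15 minutes
MAX_FAILURES = 3          # third wrong answer: locked until the help desk acts


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Smith ' and 'smith' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Treat answers like passwords: salted, slow hash, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)
    return salt, digest


@dataclass
class User:
    network_id: str
    first: str
    last: str
    university_id: str
    email: str
    questions: dict = field(default_factory=dict)   # question -> (salt, digest)
    failures: int = 0
    locked_until: float = 0.0
    help_desk_lock: bool = False


@dataclass
class Session:
    user: User
    expires: float
    pending: list                                    # questions still unanswered


class ResetService:
    def __init__(self, clock=time.time, notify=None):
        self.users, self.sessions, self.clock = {}, {}, clock
        self.sent = []   # (email, message) pairs; stand-in for the mail hook
        self.notify = notify or (lambda email, msg: self.sent.append((email, msg)))

    def enroll(self, user: User, qa_pairs: list) -> None:
        if len(qa_pairs) < ENROLL_MIN:
            raise ValueError(f"need at least {ENROLL_MIN} questions")
        user.questions = {q: hash_answer(a) for q, a in qa_pairs}
        self.users[user.network_id] = user

    def start(self, network_id, first, last, id_number) -> Optional[str]:
        """Identity-proof step. Returns a session ID, or None with no reason given."""
        u = self.users.get(network_id)
        if u is None:
            return None
        claimed = (first.lower(), last.lower(), id_number)
        actual = (u.first.lower(), u.last.lower(), u.university_id)
        if claimed != actual or u.help_desk_lock or self.clock() < u.locked_until:
            return None
        chosen = secrets.SystemRandom().sample(list(u.questions), QUESTIONS_PER_RESET)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(u, self.clock() + SESSION_TTL, chosen)
        return sid

    def _live(self, sid) -> Optional[Session]:
        s = self.sessions.get(sid)
        if s is not None and self.clock() >= s.expires:   # 15-minute limit
            del self.sessions[sid]
            return None
        return s

    def next_question(self, sid) -> Optional[str]:
        s = self._live(sid)
        return s.pending[0] if s else None

    def answer(self, sid, answer) -> str:
        """Answer the current question. One wrong answer ends the session."""
        s = self._live(sid)
        if s is None:
            return "no_session"
        salt, digest = s.user.questions[s.pending[0]]
        if not hmac.compare_digest(hash_answer(answer, salt)[1], digest):
            del self.sessions[sid]
            u = s.user
            u.failures += 1
            if u.failures >= MAX_FAILURES:
                u.help_desk_lock = True
                self.notify(u.email, "reset failed; account locked, contact the help desk")
                return "locked_help_desk"
            u.locked_until = self.clock() + LOCKOUT_SECS
            self.notify(u.email, "reset failed; locked for 15 minutes")
            return "locked_15min"
        s.pending.pop(0)
        if s.pending:
            return "next"
        del self.sessions[sid]
        s.user.failures = 0
        self.notify(s.user.email, "reset challenge passed")
        return "reset_allowed"
```

Two choices worth noting. `start` returns a bare `None` for a wrong name, a wrong ID, an unknown network ID and a locked account alike, so the identity step does not tell an attacker which field was wrong or whether the account exists. And a wrong answer deletes the session rather than letting the user retry the same question, which is what makes the three-question, three-strikes arithmetic hold.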
