Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Fri, 4 Jan 2008 08:37:17 -0500

Forgive me for injecting what I think ought to be sort of obvious.


> It seems to me that having a written policy that's eagerly shared is
> sort of defeating the purpose (as it ends up providing a blueprint on
> how to hijack an account if you're an attacker who comes across it).

A phone call to the Help Desk could just as easily give you the same information so I see no issue with documenting 
this.  Plus there's that whole security through obscurity argument if you really want to play devil's advocate.  :-)

For local students, we recommend not resetting passwords unless they're physically present at the Help Center to show 
photo identification.  For remote students, we recommend the student fax a copy of their photo ID.  As an alternative 
for remote staff we suggest confirming the password reset request with that person's manager.  None of these are 
foolproof, but that's the way it goes sometimes.  We document these recommendations in our password management guidelines.

See "Always verify a user’s identity before resetting a password"
https://www.cmu.edu/iso/governance/guidelines/password-management.html

We do not have a policy on this specifically.  We are getting ready to revamp our data classification and in the next 
iteration, account passwords will be included.  Then all your usual policies on protection of data apply (e.g. access 
to sensitive data types must be authenticated).  
