Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 4 Jan 2008 14:29:59 -0500

Joel Rosenblatt wrote:
> The point of the ID card is that you just do a RESET of the id if they
> present the card (Over the phone, by knowing the card number, or by fax)
> - the ID is not active at that point, but put back to the initial
> state.  It then requires them to know the proper secrets to re-activate it.

We also have the concept of a "reset" and its associated default
password made up of a concatenation of secrets. However, one of
those secrets is the last four digits of the SSN and we've been
given direction to eliminate any use of the SSN - in full or in
part. Birthdate has also been mentioned as taboo.

Do you use those secrets to make up the default password when
an account is "reset"?


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
