Educause Security Discussion mailing list archives

Self-service password change authentication criteria


From: Rob Tanner <rtanner () LINFIELD EDU>
Date: Mon, 19 Oct 2009 15:32:36 -0700

Hi,

When a student, staff or faculty member has either forgotten their password
or failed to change it by the expiry deadline, we have been using mother's
maiden name and SSN for authentication.  Unfortunately, not all students
have an SSN on file and we want to get away from using the SSN even if they
did.

What criteria are schools that do self-service using?  We've thought about
looking for other pieces of information we already have on file that the
user is likely to remember about him or herself and we've also thought about
using the two secret questions technique.  Are there other methods in common
use?  What is considered best practice in higher education?

Thanks,
Rob


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon


