Educause Security Discussion mailing list archives

Re: AD self service password reset?


From: Dawn Mallyon <dawn_mallyon () HITACHI-ID COM>
Date: Thu, 10 Mar 2011 13:15:00 -0700

Disclaimer: I'm with a vendor in this space, but I am not pitching any products or services in this message.

What I'd like to raise are some design and architecture questions that you may want to consider when selecting (or developing) a password reset solution.

In no particular order:

* Does it depend on a particular type of endpoint device? For example, can a user access it from just a Windows PC? What about a Mac? Linux laptop? iPad? Smart phone?

* Does it require the endpoint device to be a domain-member PC? This might be problematic for students, depending on your IT environment.

* Will you offer self-service to users who are locked out of their PC (i.e., launch from the login screen), or is a purely web solution adequate?

* If you do need to unlock users who forgot the main password for their domain-member Windows PC, do you also have to offer service when they are off-campus? Over WiFi? Over a tethered mobile connection?

* On the topic of AD domains - how many domains do you have, and do you need a solution that works across domains, preferably without trust relationships?

* Do you want to offer a telephony solution?

* How will you authenticate users who forget their password?

* Is the same authentication process appropriate for every class of user? For example, is the level of security you need to deploy to protect student logins the same as the level of security for admin staff? For instructors? For research staff?

* If you will use security questions as a part of the authentication process, have you thought about how to enroll this data, or is pre-existing data sufficiently secure?

* Have you considered using mobile phones as authentication devices? If so, have you thought about where to get mobile numbers for every user?

* Have you considered using biometrics (voice print is a good example) as a non-password authentication factor? If so, again, have you considered enrollment strategy?

* Do you only need to reset passwords on AD, or are there other systems and applications where managing passwords would make sense? (e.g., LDAP, Unix/Linux servers, NIS/NIS+, mainframes, Banner or PeopleSoft, etc.).

* If you will use security questions -- where will you store them and how will you encrypt or hash them?

* If you will use security questions, what happens if a user enrolls his answers one way but authenticates another way (e.g., change of spelling, mixed case, different punctuation or some other human inconsistency)?


If you have any questions or would like to continue this discussion, please contact me offline.

Regards,

dm

dawn_mallyon () hitachi-id com
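The last two questions above (how security-question answers are stored and hashed, and what happens when a user enrolls "St. Mary's Hospital" but later types "st marys hospital") can be addressed together. The following is an added example, not code from the original message or from any vendor's product: it canonicalizes an answer before hashing (Unicode NFKC, case folding, dropping punctuation and whitespace), stores a salted PBKDF2 hash rather than the answer, and compares in constant time. The function names, the iteration count and the sample answers are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Canonicalize a security-question answer so that the human inconsistencies
    the thread mentions (mixed case, punctuation, extra spaces, full-width or
    composed Unicode forms) all map to the same string before hashing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Keep only letters and digits; "St. Mary's  Hospital" -> "stmaryshospital".
    return "".join(ch for ch in text if ch.isalnum())


def enroll_answer(answer: str, iterations: int = 600_000) -> dict:
    """Store a per-answer random salt and a PBKDF2-HMAC-SHA256 hash of the
    normalized answer. The plaintext answer is never written anywhere.
    The iteration count is an assumed value; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate answer using the stored salt and
    iteration count, then compare with a constant-time comparison so timing
    does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: enroll one spelling, authenticate with another.
    stored = enroll_answer("St. Mary's Hospital")
    print(verify_answer(stored, "st marys hospital"))   # True
    print(verify_answer(stored, "St. Mary's"))          # False
```

Because normalization discards information, the answer space shrinks slightly; since security-question answers are low-entropy to begin with, the slow hash and a per-account attempt limit matter more than the exact normalization rules, and the same rules must be applied at enrollment and at verification.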



On 07/03/2011 8:43 AM, Witmer, Robert wrote:

Anyone using a (shrink wrapped) AD self service password reset utility for student, staff, & faculty accounts that would be willing to share experiences, thoughts, etc? Does it work with single sign on? If so, home grown or shrink wrapped? Please contact me off-list if desired.

Regards,
Bob

r.witmer () snhu edu

