Re: Self-service password reset approaches

[Gary Flynn <flynngn () JMU EDU>]

We're currently using question/answer pairs but we're implementing a
new system that can support out of band email and cellphone confirmation
if we choose to enable it. Lots of policy and procedure discussions remain
though.

We've also been talking about various fall-back scenarios when
questions, cellphones, tokens, and other self-service means fail.

In the non-cyber world, we identify people by looking at their faces and
identity cards.

In the age of the internet and widespread webcams on almost every
device, why not have a person wanting to prove their identity call the
helpdesk while in front of a web cam. The helpdesk would have
access to a database of peoples' pictures. The helpdesk would ask the
individual to hold up their ID in front of the camera. A 'wiggle two
fingers' or similar request could confirm a live image.

The ID couldn't be verified as closely for tampering but I'd think the
process would still be more accurate than question/answer pairs. It
puts some responsibility on the helpdesk staff but they'd be doing
more or less the same thing if the person was at the desk in person.

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature