Educause Security Discussion mailing list archives
Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches
From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Tue, 14 Feb 2012 09:08:13 -0700
Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....) Thanks, Michael -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn Sent: Tuesday, February 14, 2012 8:31 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches We're currently using question/answer pairs but we're implementing a new system that can support out of band email and cellphone confirmation if we choose to enable it. Lots of policy and procedure discussions remain though. We've also been talking about various fall-back scenarios when questions, cellphones, tokens, and other self-service means fail. In the non-cyber world, we identify people by looking at their faces and identity cards. In the age of the internet and widespread webcams on almost every device, why not have a person wanting to prove their identity call the helpdesk while in front of a web cam. The helpdesk would have access to a database of peoples' pictures. The helpdesk would ask the individual to hold up their ID in front of the camera. A 'wiggle two fingers' or similar request could confirm a live image. The ID couldn't be verified as closely for tampering but I'd think the process would still be more accurate than question/answer pairs. It puts some responsibility on the helpdesk staff but they'd be doing more or less the same thing if the person was at the desk in person. Thoughts? -- Gary Flynn Security Engineer James Madison University -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Current thread:
- Re: Self-service password reset approaches, (continued)
- Re: Self-service password reset approaches Theresa Rowe (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Burton, Abigail F (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Gary Flynn (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches SCHALIP, MICHAEL (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Mark Borrie (Feb 16)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 21)
- Re: Self-service password reset approaches randy marchany (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Steve Werby (Feb 20)