Educause Security Discussion mailing list archives

Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Tue, 14 Feb 2012 09:08:13 -0700

Are you using a specific product or suite to do this?  Or is this all homegrown?  Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....)

Thanks,

Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Tuesday, February 14, 2012 8:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches

We're currently using question/answer pairs but we're implementing a
new system that can support out of band email and cellphone confirmation
if we choose to enable it. Lots of policy and procedure discussions remain
though.

We've also been talking about various fall-back scenarios when
questions, cellphones, tokens, and other self-service means fail.

In the non-cyber world, we identify people by looking at their faces and
identity cards.

In the age of the internet and widespread webcams on almost every
device, why not have a person wanting to prove their identity call the
helpdesk while in front of a webcam? The helpdesk would have
access to a database of people's pictures. The helpdesk would ask the
individual to hold up their ID in front of the camera. A 'wiggle two
fingers' or similar request could confirm a live image.

The ID couldn't be verified as closely for tampering but I'd think the
process would still be more accurate than question/answer pairs. It
puts some responsibility on the helpdesk staff but they'd be doing
more or less the same thing if the person was at the desk in person.

Thoughts?

-- 
Gary Flynn
Security Engineer
James Madison University

