Educause Security Discussion mailing list archives
Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 14 Feb 2012 11:29:50 -0500
We have a home grown system we were going to rewrite and then found that Oracle's OAAM product had a lot of the features we specified in the new design proposal in addition to giving us a way to deploy wide-spread enhanced authentication and risk based access control options so we're using that. We're early in the requirements validation and design phase so I don't have any documents for you. You can see the original design proposal we were using when contemplating a rewrite of the current system at: www.jmu.edu/computing/security/info/accountmgmt.ppt SCHALIP, MICHAEL wrote:
Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....) Thanks, Michael -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn Sent: Tuesday, February 14, 2012 8:31 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches We're currently using question/answer pairs but we're implementing a new system that can support out of band email and cellphone confirmation if we choose to enable it. Lots of policy and procedure discussions remain though. We've also been talking about various fall-back scenarios when questions, cellphones, tokens, and other self-service means fail. In the non-cyber world, we identify people by looking at their faces and identity cards. In the age of the internet and widespread webcams on almost every device, why not have a person wanting to prove their identity call the helpdesk while in front of a web cam. The helpdesk would have access to a database of peoples' pictures. The helpdesk would ask the individual to hold up their ID in front of the camera. A 'wiggle two fingers' or similar request could confirm a live image. The ID couldn't be verified as closely for tampering but I'd think the process would still be more accurate than question/answer pairs. It puts some responsibility on the helpdesk staff but they'd be doing more or less the same thing if the person was at the desk in person. Thoughts?
-- Gary Flynn Security Engineer James Madison University
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: Self-service password reset approaches, (continued)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Burton, Abigail F (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Gary Flynn (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches SCHALIP, MICHAEL (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Mark Borrie (Feb 16)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 21)
- Re: Self-service password reset approaches randy marchany (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Steve Werby (Feb 20)