Educause Security Discussion mailing list archives

Re: Self-service password reset approaches


From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Tue, 21 Feb 2012 15:00:58 +0000

Is anyone using Acxiom (or a similar service) to perform identity verification and authentication?  This could probably 
be used for self-service password reset as well.  I.e. send a one-time link to a person via email and then they have to 
answer 4 out of 5 questions correctly in order to verify who they are to change their password.

http://www.acxiom.com/Identity-Solutions/Verification-and-Authentication/

If so, I'd be interested in hearing how it works for you.

Thanks.
Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu<mailto:jryoungquist () ccis edu>
http://www.ccis.edu<http://www.ccis.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
Sent: Monday, February 06, 2012 8:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-service password reset approaches

It's been a few years since this has come up on the list, so here goes.

For various administrative reasons having nothing to do with security we need to make some big changes to our 
self-service password reset approach, and I'm trying to capitalize on the opportunity to improve its security at the 
same time. At the moment, we do what (we think) many other schools do -- provide student id number, netid (username), 
and date of birth, and you can reset your password. The problem with this is, of course, it was never that hard to come 
up with that information in the first place, and the combination of students doing more and more stuff online and the 
growing use of social media makes it just that much easier.

So... what other approaches are you taking?

There is of course the "pick a few security questions" approach. But it's hard to come up with a set of questions whose 
answers aren't trivial to guess (either because they have little if any entropy or because the answer is on Facebook). 
And if you do manage to come up with a set of hard questions, people can't remember what their answers were. Do you use 
this approach? If so, how have you addressed these problems?

We've been tossing around the idea of using something similar to the "email confirmation" links you see many forum-type 
websites use. In this approach, we would ask the user for some identifying information (netid, student id number, etc.) 
and then look up the email addresses we have on file. The user could choose any non-university email address in the 
list, and we would send a randomly-generated URL to that account, which the user could then click on to reset his/her 
password. Users for whom we have no alternative email on file (or for whom all the ones we have on file are "no good") 
would have to call the help desk. Does anybody use an approach like this? How well is it working (or not working)?

Any other "interesting" approaches out there?

Thanks,
--Dave



--
DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
+1 212 229-5300 x4728 * david.curry () newschool edu<mailto:david.curry () newschool edu>
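The "email confirmation link" approach Dave describes above, as an added example that is not code from the thread or from either school: a small Python service that sends a randomly generated one-time link only to an address already on file for the user (never to an address the requester types in), stores a hash of the token instead of the token itself, and refuses expired or already-used tokens. Users with no alternative address on file are routed to the help desk, as in the message. The directory layout, the 15-minute link lifetime, the reset URL and the send callback are all assumptions made for the example.

```python
"""Issue and redeem one-time password-reset links (added example, not list code).

Assumptions: the user directory is an in-memory dict with an "alt_emails"
list per user; the caller supplies a send(address, message) function and a
clock; the 15-minute lifetime and the URL are illustrative values.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of a reset link
RESET_URL = "https://reset.example.edu/r?t="   # assumed endpoint


@dataclass
class PendingReset:
    user_id: str
    token_hash: bytes     # SHA-256 of the raw token; the raw token is never stored
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, directory: Dict[str, dict], now: Callable[[], float] = time.time):
        self._directory = directory
        self._now = now                       # injectable clock for testing expiry
        self._pending: Dict[bytes, PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # A database dump then reveals only hashes, not usable links.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def alternative_emails(self, user_id: str) -> List[str]:
        """Non-university addresses on file; the user may pick one of these."""
        return list(self._directory.get(user_id, {}).get("alt_emails", []))

    def issue(self, user_id: str, email_choice: str,
              send: Callable[[str, str], None]) -> str:
        """Send a fresh one-time link to an on-file address; returns an outcome code."""
        on_file = self.alternative_emails(user_id)
        if not on_file:
            return "call_help_desk"           # nothing on file: fall back to the help desk
        if email_choice not in on_file:
            return "invalid_choice"           # refuse any address not in the record
        # Any earlier outstanding link for this user is invalidated.
        for rec in self._pending.values():
            if rec.user_id == user_id:
                rec.used = True
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        rec = PendingReset(user_id, self._digest(token),
                           self._now() + TOKEN_TTL_SECONDS)
        self._pending[rec.token_hash] = rec
        send(email_choice, RESET_URL + token)
        return "sent"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id for a valid, unexpired, unused token; else None."""
        rec = self._pending.get(self._digest(token))   # lookup is by digest, not raw token
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True                       # single use: a second click fails
        return rec.user_id


if __name__ == "__main__":
    # Constructed sample directory and a print-based "mailer".
    svc = ResetService({"jdoe": {"alt_emails": ["jdoe@example.net"]}})
    print(svc.issue("jdoe", "jdoe@example.net", lambda addr, msg: print("to", addr, ":", msg)))
```

Because redemption looks the token up by its hash, a compromised table of pending resets does not hand out live links, and issuing a new link retires any earlier one so only a single valid link exists per user at a time.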

