Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches

From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 21 Feb 2012 10:08:13 -0500



Mark Borrie wrote:
Which Oracle OAAM product I wonder? We are currently attempting to implement Oracles latest (sorry I don't have the version number) self service offering the Oracle Identity Manager. It does not even come close to achieving what Oracle claims.
OIM is their provisioning product. OIM has been used in our provisioning process for a number of years. We chose not to use its self-service functionality and depend upon 
a custom portal for that.
OAM is their access control product, mostly for web applications. Agents on protected web resources redirect requests to the OAM server where the identity and requested URL and other parameters (e.g. IP address) is compared to policy and access granted accordingly; perhaps requiring things like 2-factor or certificate based authentication. This offers a central place for integrating such things. We will be implementing that along with 
OAAM.
OAAM is their "adaptive security" and risk product. Using it, a login or self-service portal can make calls to check for and initiate required authentication types based on configured policy (e.g. person X logging in from location Y on device Z attempting to perform transaction A needs OOB cellphone OTP and visual keyboard for password entry). 

OAAM was purchased as it provides functionality we didn't want to write in
our accounts portal replacement project and adds the potential for offering enhanced authentication options to a wide audience and advanced risk based authorization decisions.
The product set that makes up their identity management related options are quite confusing. Oracle purchased all the products from different companies and they have some functionality overlap. For example, all three have some form of provisioning or enrollment capabilities. All three have some form of self-service capabilities though none met our desires out of the box. Ergo, we're developing custom login and self-service 
portals as the front end to OAM/OAAM/OIM.
In addition to OIM, OAM, and OAAM, the identity management set of products also 
includes OID, OVD, OUD, OIF, and OESSO.

OMG :)
The configuration options are very limited and the interface is poorly written. Things like questions and answers do not even line up on screen. For instance we configured the product to get users to answer 6 questions with the idea that they would be offered 3 during a reset. Earlier versions did this but the current version offers all 6 to users. We have been constantly finding major bugs in the product.
We had to compromise on so many of our password management requirements that when we finally got to test the final offering, our office recommended that we did not proceed with the role out of the self service component. I understand that the deployment team is reasonably happy with the back end components.
My current thoughts are to implement another password reset product and tie that into Oracle's OIM. Has anyone done this or have any recommendation for self service products?
As far as questions go we utilised a student intern to come up with a set of questions that would be relevant to younger people. As part of that we test drove them to see if users could remember the answers by getting them to re-answer the questions a couple of months later. This resulted in some questions getting rewritten or dropped. 

Mark

On 15/02/2012 5:29 a.m., Gary Flynn wrote:

We have a home grown system we were going to rewrite and then
found that Oracle's OAAM product had a lot of the features
we specified in the new design proposal in addition to giving
us a way to deploy wide-spread enhanced authentication and
risk based access control options so we're using that. We're early
in the requirements validation and design phase so I don't have
any documents for you.

You can see the original design proposal we were using when
contemplating a rewrite of the current system at:

www.jmu.edu/computing/security/info/accountmgmt.ppt



SCHALIP, MICHAEL wrote:
Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....) 

Thanks,

Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn 
Sent: Tuesday, February 14, 2012 8:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches 

We're currently using question/answer pairs but we're implementing a
new system that can support out of band email and cellphone confirmation if we choose to enable it. Lots of policy and procedure discussions remain 
though.

We've also been talking about various fall-back scenarios when
questions, cellphones, tokens, and other self-service means fail.
In the non-cyber world, we identify people by looking at their faces and 
identity cards.

In the age of the internet and widespread webcams on almost every
device, why not have a person wanting to prove their identity call the
helpdesk while in front of a web cam. The helpdesk would have
access to a database of peoples' pictures. The helpdesk would ask the
individual to hold up their ID in front of the camera. A 'wiggle two
fingers' or similar request could confirm a live image.

The ID couldn't be verified as closely for tampering but I'd think the
process would still be more accurate than question/answer pairs. It
puts some responsibility on the helpdesk staff but they'd be doing
more or less the same thing if the person was at the desk in person.

Thoughts?









--
Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: