Educause Security Discussion mailing list archives

Re: Self Service Password Reset


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 6 Jul 2012 08:57:21 -0400

Shawn,

In our plans for a Fall go-live, the mechanisms
people are allowed to use to reset a password
are based on the risks associated with their
accounts.

The current working model is to assign a risk
score between 1 and 50 to an account or role.
We're actually only using 10,20,...50 but we
wanted the extra space to allow for more
granularity in the future.

Authentication options for password reset include:

-secret question/answer (KBA)
-third party email OTP
-cellphone OTP

Future options providing more possible choices:
- 2-factor tokens
- Certificates
- some of the fallback methods we're contemplating
  for the primary KBA/Email/Cell recovery:
  - webcam
  - supervisor vouch

Ways account risk may affect the reset process:

-The type of required authentication may vary with the
 risk associated with the account.
-The number of required authenticators may vary with
 the risk associated with the account.
-Required authenticators may vary depending on whether
 a person is on or off campus.
-Required authenticators may vary depending upon whether
 the device being used has been used by the person
 in the past.

Accounts associated with the highest risks, for example
IT accounts with high privileges across a range of
systems, would not be able to perform a reset from
off-campus at all. Secret questions are poor passwords
subject to social engineering attacks as we've all seen
in the news. A password protecting personal third party
email, which may be tied to youtube, maps, facebook, and
who knows what else, used from who knows what type of
computing devices and stored/cached on them, isn't
particularly trustworthy. Cellphones provide a little
more security. But for the handful of people who could
compromise an entire IT infrastructure, I believe that
the convenience to an individual of password reset is
overridden by potential losses to the organization and
its constituents should such an account become compromised.

Shawn Kohrman wrote:
For those of you who have self service password reset tools, do you
maintain a list of users who are excluded from using the tool?  If so, how
did you go about establishing your criteria?

Shawn
-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----



--
Gary Flynn
Security Engineer
James Madison University
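The tiered model Gary describes above (a 10..50 risk score per account or role; KBA, third-party email OTP and cellphone OTP as reset authenticators; required type and count varying with risk, on/off campus and device history; no off-campus reset at all for the highest-risk accounts) is easy to get subtly wrong when it is spread across configuration screens, so here it is as one policy function. This is an added illustration, not code from JMU or from anyone in this thread; the concrete thresholds, the role-to-score table and the "+1 authenticator" modifiers are assumptions chosen for the example, not the policy the message describes.

```python
"""Risk-tiered self-service password reset policy (illustrative).

Mirrors the model in the message above: a risk score of 10..50 per
account or role, three reset authenticators, and rules that vary the
required authenticator type and count with risk, location and device
history, with the highest-risk accounts denied off-campus reset.
The specific thresholds, modifiers and role scores are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Authenticator(Enum):
    KBA = "secret question/answer"
    EMAIL_OTP = "third-party email OTP"
    CELL_OTP = "cellphone OTP"


# Constructed role-to-score table for the demo; not from the message.
ROLE_RISK = {
    "student": 10,
    "staff": 20,
    "faculty": 30,
    "departmental sysadmin": 40,
    "enterprise IT admin": 50,
}
HIGHEST_RISK = 50


@dataclass(frozen=True)
class ResetContext:
    risk_score: int      # 10, 20, ..., 50 as in the message
    on_campus: bool
    known_device: bool   # device previously used by this person


@dataclass(frozen=True)
class ResetPolicy:
    allowed: bool
    required_count: int
    permitted: FrozenSet[Authenticator]
    reason: str


def policy_for(ctx: ResetContext) -> ResetPolicy:
    """Decide which authenticators a reset needs for this context."""
    if not 1 <= ctx.risk_score <= 50:
        raise ValueError("risk score must lie in 1..50")

    # Highest-risk accounts cannot self-reset from off campus at all.
    if ctx.risk_score >= HIGHEST_RISK and not ctx.on_campus:
        return ResetPolicy(False, 0, frozenset(),
                           "highest-risk account: no off-campus reset")

    # Assumed type rule: KBA is the weakest factor, so it is only
    # accepted for the two lowest risk tiers.
    if ctx.risk_score <= 20:
        permitted = frozenset(Authenticator)
    else:
        permitted = frozenset({Authenticator.EMAIL_OTP,
                               Authenticator.CELL_OTP})

    # Assumed count rule: one factor for low-risk accounts, two above
    # that, plus one more for each of off-campus and unfamiliar device
    # (above the lowest tier only), capped at what is permitted.
    required = 1 if ctx.risk_score <= 20 else 2
    if ctx.risk_score > 10:
        required += 0 if ctx.on_campus else 1
        required += 0 if ctx.known_device else 1
    required = min(required, len(permitted))
    return ResetPolicy(True, required, permitted,
                       f"risk {ctx.risk_score}: {required} of "
                       f"{len(permitted)} permitted authenticators")


def reset_permitted(ctx: ResetContext,
                    presented: FrozenSet[Authenticator]) -> bool:
    """True if the authenticators the user completed satisfy the policy.

    Only permitted authenticators count toward the total, so completing
    extra weak factors (e.g. KBA for a high-risk account) never helps.
    """
    pol = policy_for(ctx)
    if not pol.allowed:
        return False
    return len(presented & pol.permitted) >= pol.required_count


if __name__ == "__main__":
    for role, score in ROLE_RISK.items():
        for on_campus in (True, False):
            ctx = ResetContext(score, on_campus, known_device=True)
            print(f"{role:22} on_campus={on_campus!s:5} -> "
                  f"{policy_for(ctx).reason}")
```

The two points worth copying into a real implementation are that denial for the top tier happens before any authenticator logic runs, so no combination of factors can talk the system into an off-campus reset, and that the count check only counts authenticators the tier actually permits.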



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature