Educause Security Discussion mailing list archives
Re: Self Service Password Reset
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 6 Jul 2012 08:57:21 -0400
Shawn,

In our plans for a Fall go-live, the mechanisms people are allowed to use to reset a password are based on the risks associated with their accounts. The current working model is to assign a risk score between 1 and 50 to an account or role. We're actually only using 10, 20, ..., 50, but we wanted the extra space to allow for more granularity in the future.

Authentication options for password reset include:
- secret question/answer (KBA)
- third party email OTP
- cellphone OTP

Future options providing more possible choices:
- 2-factor tokens
- certificates
- some of the fallback methods we're contemplating for the primary KBA/email/cell recovery:
  - webcam
  - supervisor vouch

Ways account risk may affect the reset process:
- The type of required authentication may vary with the risk associated with the account.
- The number of required authenticators may vary with the risk associated with the account.
- Required authenticators may vary depending on whether a person is on or off campus.
- Required authenticators may vary depending upon whether the device being used has been used by the person in the past.

Accounts associated with the highest risks, for example IT accounts with high privileges across a range of systems, would not be able to perform a reset from off-campus at all.

Secret questions are poor passwords subject to social engineering attacks, as we've all seen in the news. A password protecting personal third party email, which may be tied to youtube, maps, facebook, and who knows what else, used from who knows what type of computing devices and stored/cached on them, isn't particularly trustworthy. Cellphones provide a little more security. But for the handful of people who could compromise an entire IT infrastructure, I believe that the convenience to an individual of password reset is overridden by potential losses to the organization and its constituents should such an account become compromised.

Shawn Kohrman wrote:
> For those of you who have self service password reset tools, do you maintain a list of users who are excluded from using the tool? If so, how did you go about establishing your criteria?
>
> Shawn
>
> -----
> Shawn A. Kohrman, Security Architect
> Azusa Pacific University
> Information & Media Technology
> 901 E. Alosta Ave., PO Box 7000
> Azusa, CA 91702-7000
> P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
> -----
--
Gary Flynn
Security Engineer
James Madison University
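As an added illustration of the risk-tiered reset model Gary describes (example code written for this archive page, not anything from JMU or the thread), here is a small policy evaluator in Python. Only the 1..50 score, the three current authenticators and the off-campus denial for the highest-risk accounts come from the message; the tier thresholds, factor counts, the exclusion of KBA above low risk, and the rule that off-campus or unrecognised-device requests add a factor are assumptions of the example.

```python
from dataclasses import dataclass

# Authenticator labels chosen for this example.
KBA, EMAIL_OTP, CELL_OTP, TOKEN = "kba", "email_otp", "cell_otp", "token"


@dataclass(frozen=True)
class ResetContext:
    risk_score: int          # 1..50; the message uses 10, 20, ..., 50
    on_campus: bool          # request originates from the campus network
    known_device: bool       # device previously used by this person
    enrolled: frozenset      # authenticators the account has enrolled


def reset_policy(ctx: ResetContext) -> dict:
    """Decide whether a self-service reset may proceed and with what.

    Returns {"allowed", "factors", "methods", "reason"}. Tier thresholds
    and factor counts are assumptions for illustration, not JMU's values.
    """
    if not 1 <= ctx.risk_score <= 50:
        raise ValueError("risk score must be between 1 and 50")

    # From the message: highest-risk accounts cannot reset off campus at all.
    if ctx.risk_score >= 50 and not ctx.on_campus:
        return {"allowed": False, "factors": 0, "methods": [],
                "reason": "off-campus reset denied for highest-risk account"}

    # Assumed baseline: more risk, more independent authenticators.
    factors = 1 if ctx.risk_score <= 20 else 2 if ctx.risk_score <= 40 else 3
    # Assumed: off campus or an unrecognised device raises the bar by one.
    if not ctx.on_campus or not ctx.known_device:
        factors = min(factors + 1, 3)

    # Assumed: secret questions are the weakest option and are not accepted
    # once risk reaches the middle tier.
    methods = set(ctx.enrolled)
    if ctx.risk_score >= 30:
        methods.discard(KBA)

    if len(methods) < factors:
        return {"allowed": False, "factors": factors, "methods": sorted(methods),
                "reason": "insufficient enrolled authenticators; use help desk"}
    return {"allowed": True, "factors": factors, "methods": sorted(methods),
            "reason": "ok"}
```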