Educause Security Discussion mailing list archives

Re: Question About Password Resets


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 16 May 2013 12:44:59 -0400

We require everyone to provide their university identification number,
their username, and their date of birth. If the person is (or ever has
been) an employee, we also require the last four digits of their SSN/ITIN.

If the individual does not know his or her username he or she can look it
up by providing identification number and last name.

If the individual does not know his or her identification number, the
various departments (Human Resources, Student Services, Alumni) have each
defined a process for giving it out over the phone. Generally, the caller
has to provide three or four pieces of information correctly. If the staff
member taking the call is suspicious, we require the person to visit the
office in person.

The security of this process is not perfect by any means, but it has worked
well in practice, and we have not had any significant issues.

--Dave



--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Thu, May 16, 2013 at 12:12 PM, Roger A Safian
<r-safian () northwestern edu> wrote:

We have security questions and answers set when the accounts are created.
I'm not a fan of them myself, but I recognize their usefulness in
situations like this. If those fail, the user would need to contact a
department chair, program coordinator, etc. and have that person contact
our help desk in order to authorize the change.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Pardonek
Sent: Thursday, May 16, 2013 11:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question About Password Resets

We've recently had some issues with our current password reset process,
particularly when a faculty or staff member is out of town and calls for a
password reset. We also have an issue because our campuses are spread out
geographically, which makes it difficult for someone to come in person. I
apologize if this has been discussed before, but I was wondering what other
institutions are doing regarding password resets via telephone? Or do you
do something else? I am looking to make a recommendation to "re-tool" our
password reset policy and process, so any input would be most welcome.

Thanks,

Jim

James Pardonek, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086
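Dave's phone-verification process (ID number, username, date of birth, plus last four of SSN/ITIN for anyone who is or was an employee, with escalation to an in-person visit when the staff member is suspicious) can be modelled as a help-desk decision function. The code below is an added example, not anything from the list posts or either university; the directory records, the three-strike MAX_FAILURES threshold and the function names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_FAILURES = 3  # assumed threshold; the post leaves this to staff judgement

@dataclass
class Person:
    univ_id: str
    username: str
    last_name: str
    dob: str                 # ISO date string, as stored in the directory
    ever_employee: bool      # "is (or ever has been) an employee"
    ssn_last4: Optional[str] = None

@dataclass
class VerificationState:
    # univ_id -> consecutive failed phone attempts (would be persisted in practice)
    failures: Dict[str, int] = field(default_factory=dict)

# Constructed sample directory records; not real people
RECORDS = {
    "10001": Person("10001", "jdoe", "Doe", "1990-04-12", False),
    "10002": Person("10002", "asmith", "Smith", "1978-11-02", True, "1234"),
}
_DUMMY = Person("", "", "", "", True, "")  # checked when the ID is unknown

def _match(claimed: Optional[str], actual: Optional[str]) -> bool:
    # Constant-time comparison so response timing doesn't reveal which factor failed
    return hmac.compare_digest((claimed or "").strip().lower().encode(),
                               (actual or "").lower().encode())

def lookup_username(univ_id: str, last_name: str) -> Optional[str]:
    """Username lookup for callers who know their ID number and last name."""
    person = RECORDS.get(univ_id, _DUMMY)
    found = _match(last_name, person.last_name) & (univ_id in RECORDS)
    return person.username if found else None

def verify_reset_request(claims: Dict[str, str], state: VerificationState) -> str:
    """Return 'approved', 'denied' or 'escalate' (send caller to the office)."""
    univ_id = claims.get("univ_id", "")
    if state.failures.get(univ_id, 0) >= MAX_FAILURES:
        return "escalate"            # repeated failures: no more phone attempts
    person = RECORDS.get(univ_id, _DUMMY)
    ok = univ_id in RECORDS          # every factor is evaluated; no short-circuit
    ok &= _match(claims.get("username"), person.username)
    ok &= _match(claims.get("dob"), person.dob)
    if person.ever_employee:         # extra factor for current and former staff
        ok &= _match(claims.get("ssn_last4"), person.ssn_last4)
    if ok:
        state.failures.pop(univ_id, None)
        return "approved"
    state.failures[univ_id] = state.failures.get(univ_id, 0) + 1
    return "escalate" if state.failures[univ_id] >= MAX_FAILURES else "denied"
```

The caller's answer is a single pass/fail, so a wrong date of birth and a missing SSN digits answer look the same from the outside; the failure counter is what turns a guessing caller into an in-person visit.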

