Educause Security Discussion mailing list archives

Re: Question About Password Resets


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 16 May 2013 13:43:48 -0400

On Thu, 16 May 2013 11:00:00 -0500, Jim Pardonek said:
> apologize if this has been discussed before, but I was wondering what
> other institutions are doing regarding password resets via telephone?  Or
> do you do something else.

No matter what you end up doing, remember to leave a flag for "this account
may not be reset by phone/self-serve/whatever", so you can flag high-value
or high-risk accounts as "tough noogies, they have to come in with official ID".

And remember - it doesn't have to be a high-priv account.  I've heard of
plenty of incidents of stalkers and ex-SO's social engineering their way
through a self-serve password reset for their target.

Another option is using a cell phone as a cheap 2-factor auth system - the user
pre-registers the phone number for password recovery, and uses a passcode sent
via SMS to the number to complete the reset procedure.
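The two controls described in the message, a per-account "no self-serve reset" flag and an SMS passcode sent to a pre-registered number, as an added example that is not from the original message or from any institution's system; the SMS gateway callable, the 6-digit code, the 5-minute lifetime and the 3-attempt limit are assumptions:

```python
# Added example (not from the original message): a self-service reset flow that
# honours a per-account "no phone/self-serve reset" flag and, for eligible
# accounts, sends a short-lived SMS passcode to the pre-registered number.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300   # passcode lifetime, 5 minutes (assumed policy)
MAX_ATTEMPTS = 3        # wrong codes allowed before the challenge is voided (assumed)

@dataclass
class Account:
    username: str
    phone: Optional[str]               # pre-registered recovery number, if any
    no_self_serve_reset: bool = False  # the "must come in with official ID" flag

@dataclass
class Challenge:
    code_hash: bytes      # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0

class ResetService:
    def __init__(self, send_sms):
        self.send_sms = send_sms                  # hypothetical SMS gateway callable
        self.pending: dict[str, Challenge] = {}   # one open challenge per username

    def start_reset(self, acct: Account) -> str:
        """Return 'in_person' for flagged/unregistered accounts, else 'sms_sent'."""
        if acct.no_self_serve_reset or not acct.phone:
            return "in_person"   # high-value or high-risk: help desk with ID only
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self.pending[acct.username] = Challenge(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=time.time() + OTP_TTL_SECONDS)
        self.send_sms(acct.phone, f"Your password reset code is {code}")
        return "sms_sent"

    def verify(self, acct: Account, code: str) -> bool:
        """True only for a fresh, unexpired, single-use code within the attempt limit."""
        ch = self.pending.get(acct.username)
        if ch is None or time.time() > ch.expires_at:
            self.pending.pop(acct.username, None)   # expired: user must start over
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code_hash, hashlib.sha256(code.encode()).digest())
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[acct.username]   # consume on success, burn after too many tries
        return ok
```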

