Re: Password Management Policy & Standards

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

> What happens when they cannot stand in front of you? When a professor is
in
> Tibet on a semester long study and needs their password reset and they
don't
> have their US cell number (true story)?
[Mark] Have them set the password recovery info when their accounts are
activated or update the info while they know their password and can prove
who they are by authenticating.  Then when in Tibet they need only control
one of the alternate forms of communication that you have on record for
them.

 Or an incoming freshman calls from
> China before school starts ?
[Mark] Collect the alternate contact info as part of the
application/acceptance process.

> Thomas Carter
> Network & Operations Manager
> Austin College
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
> Sent: Friday, February 26, 2016 2:11 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Management Policy & Standards
>
> I'm not a fan of security questions under any circumstances.
>
> But I think this is all much more simple than people try to make it.
>
> Refer to the 'remote' column of "Table 3 - Identity Proofing Requirements
by
> Assurance Level" in NIST SP 800-63
> (https://urldefense.proofpoint.com/v2/url?u=http-
3A__nvlpubs.nist.gov_nistpubs_SpecialPublications_NIST.SP.800-2D63-2D2.pdf-
> 29-
> 3A&d=BQIFAg&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8JVoF8oWH1AgfQ&r=jgM
> u8DNgV_dycz0rYwkNbEQq36F0BI5_Zpblz7C5LhM&m=CHu_qUaaUu4tEieisl0wx
> 1OQti8C6qPtOjKkd3f_SvY&s=D__Wc6ElajWxVFFPudtp1377qr8N61TbNKTEgFGa
> uoI&e=
> Issue "credentials in a manner that confirms the ability of the Applicant
to
> receive telephone communications or text message at phone number or e-mail
> address associated with the Applicant in records."
>
> Collect a personal phone number and/or email address when the person is
> standing in front of you (or some other appropriate, trusted time), then
call it
> or send it a one-time secret that allows the user to reset their password.
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
> > Sent: Friday, February 26, 2016 1:34 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Password Management Policy & Standards
> >
> > I hope this isn't off topic, but how does password self-service work
> > with
> these
> > policies and standards? With the proliferation of social media, it's
> > very
> difficult
> > to come up with truly secure security questions. For an alternate
> > email
> the
> > ownership of that off-campus address is unverifiable.
> >
> > There is also the question of requests to the help desk for password
> resets. In
> > person we ask for identification, but over-the-phone resets have the
> > same "secure question" issue that the self-service reset has. Asking
> > for DOB or address is way too easy to impersonate. How are you
> > verifying account ownership?
> >
> > These are some of the practical matters with passwords we are
> > struggling
> with.
> > A super secure password with good policies are no help if a little
> > social engineering can get account access the "proper" way.
> >
> > Thomas Carter
> > Network & Operations Manager
> > Austin College

Attachment: smime.p7s
Description: