Educause Security Discussion mailing list archives
Re: Distributing initial credential
From: Scott Stoops <sstoops () ASHLAND EDU>
Date: Wed, 10 Apr 2019 16:10:35 -0400
We are not taking on a full-blown IAM initiative at this time. At present we are using a homegrown process. We do have an SSPR (not Microsoft) and do not use MFA at present.

We have moved to a process that creates all user accounts (student, faculty, staff) with a random password that gets set during account creation. We keep no record of this password and do not attempt to communicate this. The username is communicated either through the admissions process for students or through HR for faculty and staff.

We populate our SSPR with an alternate email address that the person has access to. They are then required to finish setting up their account by going to the SSPR and essentially resetting their password using the alternate email we have on file for them. (They cannot change this email through the SSPR tool.)

In doing things this way we are not communicating a default password or anything to indicate what that password might be. Since the password is set during account creation and not stored, no one, including the folks in IT, knows what that password is. This also gives us the opportunity to get people enrolled in the tool properly so that they can use other mechanisms for resetting passwords in the future.

--
Scott Stoops, CISSP
Security Analyst II
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu

On Wed, Apr 10, 2019 at 3:10 PM Colin Abbott <colin.abbott () mcgill ca> wrote:
Hello,

We are undertaking an IAM initiative and part of the project is to replace our current legacy process for provisioning Active Directory accounts with a more secure process. I have been asked to poll the audience and see what mechanism other universities are using for distributing the initial credential, especially if anyone is combining this process with setting up SSPR (Microsoft self-service password reset) and MFA?

Thanks

Colin Abbott, CISSP, CCSP | IT Security Architect | McGill University | Network and Communication Services | 514-398-5070
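The flow described in the reply above (random password set at creation, never recorded, account claimed through the SSPR alternate email), as an added sketch that is not part of either message or of either university's own tooling. `FakeDirectory`, the `sspr_enrollment` mapping, the complexity classes and the sample names are all assumptions made for illustration.

```python
import hashlib
import secrets
import string

# Character classes for a typical complexity policy (an assumption).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+")


def throwaway_password(length=32):
    """Random password with one character from every class; never displayed."""
    if length < len(CLASSES):
        raise ValueError("length too short for the complexity policy")
    rng = secrets.SystemRandom()  # backed by the OS CSPRNG
    chars = [rng.choice(c) for c in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # avoid a predictable class order at the front
    return "".join(chars)


class FakeDirectory:
    """Constructed stand-in for the account store: keeps only a salted hash."""

    def __init__(self):
        self.accounts = {}

    def create(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[username] = (salt, digest)


def provision(directory, sspr_enrollment, username, alternate_email):
    """Create the account, queue SSPR enrollment, return the audit record."""
    if "@" not in alternate_email:
        # Without an alternate address the user could never claim the account.
        raise ValueError("alternate email required before provisioning")
    if username in directory.accounts:
        raise ValueError("account already exists")
    # The password is passed straight to the directory and never bound to a
    # name, logged or returned, so nobody (IT included) can learn it.
    directory.create(username, throwaway_password())
    sspr_enrollment[username] = alternate_email
    # Only the username is ever communicated, so only it is recorded.
    return {"username": username, "enrolled": True}
```

The audit record and the enrollment mapping are the only outputs, which is what makes a later review of logs or tickets unable to reveal an initial credential.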