Educause Security Discussion mailing list archives
Re: Password reset options for single sign-on
From: "Hunt,Keith A" <keith () UAKRON EDU>
Date: Tue, 24 Oct 2006 17:21:49 -0400
Hi all,

We're migrating to a single sign-on for our web portal and mail, and are considering the issue of how to securely have a reset password function. Users frequently need to reset their passwords because they have forgotten them. The current Novell eDirectory system we are using allows us to ask reset questions like "What is your mother's maiden name?", but we are concerned about the security risks involved here, especially since the single sign-on will allow students access to both their email and a lot of personal information.

Some of the alternative options we are considering are:

- Asking a series of questions instead of just one.
- Forcing users to choose a secret PIN to be used for password resets.
- Asking users for other information such as the last few digits of their SSN (this will be technically difficult and not all students have a SSN).
- Sending password reset instructions to a secondary email address or by SMS to cell phones (difficult because not all students have another email address or cell phone number).

I'd be very interested in knowing how other institutions are dealing with this issue.

Thanks very much,

Boaz Gelbord
Manager of Information Security
The New School
55 West 13th Street
NYC 10011
www.newschool.edu
In a nutshell, this is how we do it:

User must set up the challenge questions and answers in advance. Must choose and answer six questions from our list and optionally one of her own. (It's a bit of a tricky thing to provide questions that you expect the user to remember without making them easily guessed.)

To use the system the user must provide network ID, first name, last name and either SSN or university ID number. A session ID is created and used to limit the entire process to 15 minutes. Three of the user's questions are selected at random. Each must be answered correctly, one question at a time. An incorrect answer locks the user out for 15 minutes. Three failed attempts locks the user out for good and he must then contact the help desk for further assistance.

Notices of successful and unsuccessful attempts are sent to the user's email address.

--
Keith Hunt 330.972.7968 keith () uakron edu
Internet & Server Systems
The University of Akron
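The reset flow Keith describes (enrol six questions, identity check, three random questions answered one at a time, a 15-minute session, a 15-minute lockout per wrong answer, permanent lockout after three failures, and email notices) is spelled out below as an added Python example. This is not code from the University of Akron or from eDirectory; it assumes that answers are stored as salted PBKDF2 hashes and compared in constant time, that answers are normalised for case and whitespace before hashing, and that a single failure counter is kept per account (all of these are assumptions the reply does not state). The clock is injectable so the time-based rules can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from dataclasses import dataclass, field

# Policy values as described in the reply above.
SESSION_TTL = 15 * 60      # the whole reset must finish within 15 minutes
LOCK_SECONDS = 15 * 60     # one wrong answer: locked out for 15 minutes
MAX_FAILURES = 3           # three wrong answers: locked until the help desk intervenes
QUESTIONS_ENROLLED = 6     # a user must enrol at least six questions
QUESTIONS_ASKED = 3        # three are drawn at random for each reset attempt


def _normalize(answer: str) -> str:
    # Assumption: case, surrounding whitespace and Unicode form are not significant.
    return unicodedata.normalize("NFKC", answer).casefold().strip()


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    # Assumption: answers are stored salted and hashed, never in clear text.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    network_id: str
    first_name: str
    last_name: str
    university_id: str          # stands in for "SSN or university ID number"
    email: str
    answers: dict = field(default_factory=dict)   # question -> (salt, digest)
    failures: int = 0
    locked_until: float = 0.0
    permanently_locked: bool = False


@dataclass
class ResetSession:
    account: Account
    questions: list             # the three questions drawn for this attempt
    index: int = 0              # which one is currently being asked
    started: float = 0.0

    def expired(self, now: float) -> bool:
        return now - self.started > SESSION_TTL


class ResetService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.network_id: a for a in accounts}
        self.clock = clock      # injectable so tests can move time forward
        self.notices = []       # constructed stand-in for outbound email: (address, message)

    def enroll(self, account: Account, qa: dict) -> None:
        if len(qa) < QUESTIONS_ENROLLED:
            raise ValueError(f"at least {QUESTIONS_ENROLLED} questions are required")
        account.answers = {q: hash_answer(a) for q, a in qa.items()}

    def begin(self, network_id: str, first: str, last: str, identifier: str):
        # Identity check; returns a session or None. Unknown, locked and mismatched
        # users all get the same answer so the response does not leak account state.
        acct = self.accounts.get(network_id)
        now = self.clock()
        if acct is None or acct.permanently_locked or now < acct.locked_until:
            return None
        expected = ((acct.first_name, first), (acct.last_name, last), (acct.university_id, identifier))
        if not all(hmac.compare_digest(_normalize(a).encode(), _normalize(b).encode())
                   for a, b in expected):
            return None
        chosen = secrets.SystemRandom().sample(list(acct.answers), QUESTIONS_ASKED)
        return ResetSession(acct, chosen, started=now)

    def current_question(self, session: ResetSession) -> str:
        return session.questions[session.index]

    def answer(self, session: ResetSession, text: str) -> str:
        # One question at a time; outcomes: "next", "verified", "locked", "locked_out", "denied".
        acct = session.account
        now = self.clock()
        if session.expired(now) or acct.permanently_locked or now < acct.locked_until:
            return "denied"
        salt, digest = acct.answers[self.current_question(session)]
        _, candidate = hash_answer(text, salt)
        if not hmac.compare_digest(candidate, digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.permanently_locked = True
                self._notify(acct, "password reset disabled after repeated failures; contact the help desk")
                return "locked_out"
            acct.locked_until = now + LOCK_SECONDS
            self._notify(acct, "failed password reset attempt; locked out for 15 minutes")
            return "locked"
        session.index += 1
        if session.index == len(session.questions):
            acct.failures = 0
            self._notify(acct, "password reset verification succeeded")
            return "verified"
        return "next"

    def _notify(self, acct: Account, message: str) -> None:
        self.notices.append((acct.email, message))
```

Because the lockout and the session limit are both 15 minutes, a locked-out user's session has always expired by the time the lock lifts, so a fresh identity check and a fresh random draw of questions are required for every retry; the failure counter, however, survives across sessions, which is what makes the third failure permanent.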