August 27, 2008, 11:00am

Continuation of requirements gathering

Attendees:

What are the possible entry points for creating pairs/generating secret questions?

Assuming people are required to create pairs for self-service, what are possible entry points? When to force vs. offer opportunity?

  1. PIDGen offers an opportunity to force - makes sense to force here
  2. password change is an opportunity to force - makes sense to force change here if the call center has reset their password
  3. Voluntary PWD change upon authenticating with eToken -- would allow a person to set Q/A.
  4. Password change (voluntary) without Call Center? Might be a bad idea. Could be a security hole. But might be a good opportunity in the future.
  5. Stand-alone offers non-forced opportunity -- should allow this to be used if eToken is used for authentication.
  6. My VT offers opportunity to force people to create Q/A - not until new My VT is up
  7. PID reprovisioning process offers opportunity to force
  8. Hokies self-service could offer opportunity to force  
  9. CAS authentication offers opportunity to force
  10. Entering leave could offer opportunity to force. Could CASsify leave report
  11. Hokie SPA?

Brad: If I am voluntarily changing my pwd and I have a secret question, I should be required to answer secret Q when I change my question.

Should CAS be modified to ask secret Q as well as PWD for authentication? 

Proposal:

Initially, require secret questions to be created during PIDGen and re-PIDGen and password change after Call Center reset. 

For voluntary PWD changes, allow people to create Q, but during initial implementation, do not force them to do it at that time. 

eToken is just another option for authenticating to the application.

Next time: What information is in Banner that could be used for this? What other questions might be generated?