Attendees

Mary Dunker
Greg Kroll
Randy Marchany
Karen Herrington
Joyce Landreth
Nate Smith

Agenda

  1. Where we started – Mary will give a quick overview of how/when/why this project began, including a message from Erv
  2. Where we are now
  3. Where we go from here
  4. Regularly scheduled meetings?

Meeting Notes

  1. Where we started – Mary will give a quick overview of how/when/why this project began, including a message from Erv
    1. The VT Board of Visitors (BOV) told Erv they were concerned that PID passwords did not have to be changed on a regular basis.
    2. Also, old PID passwords imported from our old LDAP system (the predecessor to the Enterprise Directory, ED) were never required to conform to the ED hardened password rules.
    3. Erv asked Mary what she thought of simply expiring everyone's password and making them change it. Mary told him this would be a maintenance and support nightmare.
    4. Mary's suggestion to Erv was to start a project for a self-service password reset system. Erv is in favor of this and considers it important.
    5. As discussions ensued, the Information Technology Security Office (ITSO) cautioned about the entropy (strength) of secret-question answers.
    6. Kevin Rooney investigated and reported on one-time passwords (OTP) sent via SMS (see: 20100309 - Sponsor Summary March 9, 2010). Rich Sparrow did a cost comparison analysis using the VASCO system.
  2. Where we are now
    1. Sponsors for this project are 4Help and IMS.
    2. A new development and consideration is the Soft PDC Project.
    3. Randy commented that if we were to expire everyone's password by a certain date (or dates), probably 95% of our user population would be able to reset their own password because they know their current one. The other 5% would need 4Help, which creates a support issue.
      1. IMS could generate statistics on the age of current passwords which would tell us who has not changed their password in years.
    4. Karen commented that we could announce a mandatory password change and see how many users change theirs voluntarily, then determine how many active users were left.
    5. IMS is finishing an audit.
      1. IMS expects a comment that current password resets are not secure because 4Help knows the temporary password.
      2. IA wants a "password lifetime" (the amount of time a password is good for before it expires).
  3. Where we go from here
    1. Our current options include:
      1. The user must enter their VT ID number plus one of the following:
        1. the eToken (faculty and staff only)
        2. secret questions
        3. a one-time password (OTP) sent by Short Message Service (SMS) to a cell phone
        4. a one-time password (OTP) sent to a third-party e-mail address (this would be required if we want to send a notice of a password reset that cannot be sent to a user's VT e-mail)
        5. in the future, Soft PDCs
        6. some combination of the above
    2. This team does not recommend the use of secret questions alone because the security is not good enough. However, secret questions combined with a one-time password provide a higher level of assurance.
    3. The cheapest solution is to send the OTP to a third-party e-mail address. There was also some discussion of delivering the OTP to a cell phone through the carrier's e-mail-to-SMS gateway, e.g., by addressing it to cellphonenumber@vtext.com for Verizon customers.
    4. There was some discussion about using eTokens as another way to change the PID password. Even with the current limited population of eToken users (primarily IT), this is considered "low hanging fruit" for this project. However, the majority of 4Help calls are not from users with eTokens. This team's opinion is that we need a more global solution, and time spent developing a process for eToken use is time taken away from that global solution. This option is tabled for now.
    5. How to structure this project?
      1. A first cut is to structure it similarly to the Soft PDC project:
        1. Policy team
        2. Technical design and development team
        3. Communications, documentation, and training team
    6. Action item: Greg & Mary will discuss appropriate members for each team.
    7. Action item: Greg will schedule a meeting of the Policy team to include this team + Susan Brooker-Gross for after May 12th (IMS closing meeting with IA).
    8. Action item: Greg will talk with Kevin Rooney about leading the technical team.
    9. We have a somewhat hard deadline of March-April 2011, when new incoming freshmen create their PID.
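The reset flow the team leans toward in items 3.1 through 3.3 (VT ID plus a secret-question answer, with a one-time password sent out of band as the second factor, the secret question never sufficing on its own) and the password-age report from item 2.3.1, sketched as working code. This is an added example written for these notes; it is not code from the meeting, from IMS, or from any VT system, and everything specific to it is assumed: the function and class names, the six-digit OTP with a ten-minute lifetime and five-attempt cap, the stand-in for the ED hardened rules, and the AT&T and T-Mobile gateway domains (only vtext.com appears in the notes). Two caveats worth carrying into the policy discussion: the e-mail-to-SMS gateway route puts the code in a plaintext e-mail until the carrier relays it, and a wrong answer must not trigger a send, or the reset form becomes a way to flood someone's phone.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6        # assumed OTP length
OTP_LIFETIME_S = 600  # assumed: a code is good for ten minutes
MAX_ATTEMPTS = 5      # assumed: stop after five bad answers or codes
# vtext.com (Verizon) is the gateway named in the notes; the others are well-known ones added here.
SMS_GATEWAYS = {"verizon": "vtext.com", "att": "txt.att.net", "tmobile": "tmomail.net"}

def sms_gateway_address(phone, carrier):
    """Turn a cell number into cellphonenumber@gateway for e-mailing the OTP."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) != 10:
        raise ValueError("expected a 10-digit North American number")
    return f"{digits}@{SMS_GATEWAYS[carrier]}"

def normalize_answer(answer):
    """Tolerate case and spacing differences in a secret answer, nothing more."""
    return " ".join(answer.casefold().split())

def kdf(value, salt):
    """Answers and OTPs are stored hashed, so reading the DB does not yield them."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def password_meets_policy(pw):
    """Stand-in for the ED hardened rules (assumed: 8+ chars, 3 of 4 classes)."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    return len(pw) >= 8 and sum(re.search(c, pw) is not None for c in classes) >= 3

@dataclass
class Account:
    vt_id: str
    otp_address: str        # third-party e-mail or SMS gateway address
    answer_salt: bytes
    answer_hash: bytes
    password_set_at: float  # epoch seconds; feeds the password-age report

    @classmethod
    def create(cls, vt_id, otp_address, answer, password_set_at):
        salt = secrets.token_bytes(16)
        return cls(vt_id, otp_address, salt, kdf(normalize_answer(answer), salt), password_set_at)

@dataclass
class ResetSession:
    vt_id: str
    otp_salt: bytes
    otp_hash: bytes
    expires_at: float
    attempts: int = 0
    otp_verified: bool = False
    finished: bool = False

class ResetService:
    def __init__(self, accounts, send, now=time.time):
        self.accounts, self.send, self.now = accounts, send, now  # send(address, body)
        self.failed_answers = {}

    def begin(self, vt_id, answer):
        """Step 1: VT ID + secret answer. Only a correct answer triggers an OTP, so
        the form cannot be used to flood a phone; one error for every failure case."""
        acct = self.accounts.get(vt_id)
        if acct is None or self.failed_answers.get(vt_id, 0) >= MAX_ATTEMPTS:
            raise PermissionError("reset not available")
        if not hmac.compare_digest(kdf(normalize_answer(answer), acct.answer_salt), acct.answer_hash):
            self.failed_answers[vt_id] = self.failed_answers.get(vt_id, 0) + 1
            raise PermissionError("reset not available")
        self.failed_answers.pop(vt_id, None)
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self.send(acct.otp_address, f"Your VT PID reset code is {otp}")
        return ResetSession(vt_id, salt, kdf(otp, salt), self.now() + OTP_LIFETIME_S)

    def verify_otp(self, session, otp):
        """Step 2: the code from the phone or mailbox; expiry plus an attempt cap stop guessing."""
        if session.finished or self.now() > session.expires_at or session.attempts >= MAX_ATTEMPTS:
            return False
        session.attempts += 1
        session.otp_verified = hmac.compare_digest(kdf(otp.strip(), session.otp_salt), session.otp_hash)
        return session.otp_verified

    def set_password(self, session, new_password):
        """Step 3: only after BOTH factors; the secret answer alone never suffices."""
        if session.finished or not session.otp_verified or not password_meets_policy(new_password):
            return False
        acct = self.accounts[session.vt_id]
        acct.password_set_at = self.now()  # a real system updates the ED here
        session.finished = True            # one reset per session
        self.send(acct.otp_address, "Your VT PID password was just reset.")
        return True

def stale_passwords(accounts, max_age_days, now=None):
    """Password-age report: PIDs whose password is older than max_age_days."""
    now = time.time() if now is None else now
    return sorted(a.vt_id for a in accounts.values() if a.password_set_at < now - max_age_days * 86400)
```

The `send` callable is whatever delivers mail (an SMTP wrapper in practice); passing a list-collecting stub makes the whole flow testable offline. The reset notice at the end goes to the same non-VT address, which is the reason item 3.1.4 gives for wanting a third-party e-mail on file. `stale_passwords` is the report IMS would run before any forced expiry: it takes the last-set timestamp per PID and a cutoff in days, which is all the "who has not changed their password in years" question needs.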