1. Types of eToken Passwords - eTokens have two types of passwords, an administrator password and a user password. The administrator password is used to reset the user password and can also be used to reformat the eToken. The user password can be used to change the current user password, to access private key functions, and to reformat the eToken.
2. Creation of eToken Passwords - eToken user passwords are created by the user during the PDC (Personal Digital Certificate) enrollment process, when the PDC is issued to the user on the eToken. Unique eToken administrator passwords are randomly generated by TAS (Token Administration System) and assigned to each eToken during the enrollment process. The administrator passwords are encrypted and stored in the TAS database and can only be decrypted by TAS operators authorized to reset eToken user passwords or recycle (reformat) eTokens.
3. eToken User Password Composition Requirements - The password must be at least 8 characters long and must contain at least THREE of these FOUR types of characters:
- Numbers: 0-9
- Uppercase English letters: A-Z
- Lowercase English letters: a-z
- Special characters, except for right brace, right bracket and equal sign
4. eToken Password Changes - Users can change their current password at any time by using the Aladdin RTE eProperties Tool or a browser such as Firefox, Netscape, or SeaMonkey that supports eToken user password changes. The user must know the current eToken user password in order to successfully change the password.
5. eToken Password Blocking Thresholds - eTokens have password blocking thresholds defined for both user and administrator passwords. After 10 consecutive invalid user password attempts (15 for administrator passwords) the eToken automatically becomes blocked. A blocked eToken prevents any further attempts to log in to the eToken and renders the eToken temporarily unusable until it has been reset. If both user and administrator PINs have reached their blocking threshold, the token becomes unusable and is toast! If the user password has reached the blocking threshold, the eToken administrator can log in to the eToken using the administrator password and reset the user password. Whenever a correct user or administrator password is entered, or a password is reset, the corresponding invalid-password counter is automatically reset to zero.
6. Current Procedure for Resetting eToken User Password - In order to get an eToken user password reset, the owner of the eToken must take their eToken in person to the Student Telecommunications Office, located at 120 Student Services Building on the Blacksburg campus, and create a new eToken password for their eToken. They must show their Hokie Passport card and provide one other government-issued photo identification. Examples include driver's licenses, passports, and military ID cards.
1. Pros
2. Cons
3. How would the user self service eToken password reset work?
In order to use the self-service eToken password reset application, the user must have previously created their high assurance personal identity profile. Any user who has been issued an eToken can at any time use a self-service web application to register their personal authentication credentials and create their identity profile. To register these credentials, the user must authenticate with their eToken/PDC when logging in to the registration web application (client SSL). No identity credential other than the eToken/PDC can be used to authenticate to the registration web application, because the eToken/PDC provides strong two-factor authentication and a high assurance credential (enrollment for the PDC required face-to-face registration and presentation of at least two picture IDs). Users can be notified of the self-registration service in the email that is automatically sent to all users who enroll for an eToken/PDC. In addition, links to the service can be made available on the PDC website and advertised via bulk email, newsletters, or other means.
The self-service registration web application will allow the user to register their personal authentication credentials in the form of questions and answers that only they know how to answer correctly. Users will be given the opportunity to choose from a list of predefined questions, as well as the ability to enter their own questions and answers, to create their personal authentication profile. All answers (responses) to questions will be stored as hash values to enhance privacy. In addition to the initial selection of their personal profile questions/answers, users can at any time use the self-registration web application to make changes to their profile and select new questions/answers.
Users who need to get their eToken password reset and have previously created their personal identity profile can use the self-service eToken password reset by authenticating to the web application using their PID/password. After successfully authenticating with the PID password, questions (the number of questions can be decided later) are randomly selected from the user's personal identity profile and presented to the user for a response. Hash values are created from these responses and compared to those stored in the user's identity profile. If incorrect responses are detected, the web application can enforce blocking after a predefined threshold of invalid responses has been received. If the responses are correct, the web application proceeds to allow the user to create a new password for their eToken. Users who are blocked because of incorrect responses must go to the StuTel office to have their eToken password reset. Resetting the eToken password automatically resets the self-service blocking counter to zero.
Definition:
High assurance personal identity profile - In this context it is a set of pre-defined and user-defined questions, along with answers that only the user knows how to answer correctly. The user creates/updates their high assurance personal identity profile using a self-service web application which requires that the user authenticate using their eToken/PDC.
Additional layers of authentication - In addition to requiring the user needing an eToken password reset to authenticate using PID/password and to respond to questions from their identity profile, it would be easy to add an additional layer of authentication by requiring the user to enter a random one-time password, which they would receive via their VT email account. In addition to being a random, one-time-use password, a validity period could be associated with the password so that it could only be used for a predefined duration (for example, one hour).
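As an added illustration that is not part of this proposal or of any TAS/eToken software, the following Python sketch models the self-service flow described in item 3 and the additional layer above: answers kept only as hashes, random selection of profile questions, blocking after a threshold of invalid responses that only an in-person reset clears, and a random one-time password with a validity period. The threshold of 3, the two questions per challenge, the per-answer salt and the PBKDF2 choice are assumptions added here, not values the proposal fixes.

```python
import hashlib, hmac, os, random, secrets, time

BLOCK_THRESHOLD = 3          # assumed self-service threshold; the proposal leaves it undecided
QUESTIONS_PER_CHALLENGE = 2  # assumed; the proposal says the number can be decided later
OTP_VALIDITY_SECONDS = 3600  # the one-hour validity period given as an example in the text

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case/whitespace, then hash with a per-answer random salt (salting is an added hardening)
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)

class IdentityProfile:
    # High assurance personal identity profile: only salted hashes of the answers are stored
    def __init__(self, qa_pairs):
        self.answers = {}  # question -> (salt, hash)
        self.failures = 0
        self.blocked = False
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            self.answers[question] = (salt, hash_answer(answer, salt))
    def challenge(self):
        # Randomly select questions from the profile for this reset attempt
        return random.SystemRandom().sample(list(self.answers), QUESTIONS_PER_CHALLENGE)
    def verify(self, responses: dict) -> bool:
        if self.blocked or not responses:
            return False
        ok = all(q in self.answers and hmac.compare_digest(
                     hash_answer(a, self.answers[q][0]), self.answers[q][1])
                 for q, a in responses.items())
        if ok:
            self.failures = 0  # a correct round clears the invalid-response counter
        else:
            self.failures += 1
            self.blocked = self.failures >= BLOCK_THRESHOLD
        return ok
    def in_person_reset(self):
        # The StuTel office reset clears the self-service block, as the text describes
        self.failures, self.blocked = 0, False

class OneTimePassword:
    # Random, single-use password with a validity period (the emailed additional layer)
    def __init__(self, now=None):
        self.code = secrets.token_hex(4)
        self.expires = (time.time() if now is None else now) + OTP_VALIDITY_SECONDS
        self.used = False
    def redeem(self, entered: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self.used or now > self.expires or not hmac.compare_digest(entered, self.code):
            return False
        self.used = True
        return True
```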