Conversation about Hokies self-service password reset
071217
Attending:
Daniel Fisher
Matt Hart
Doug Edmonds
Randall Price
Marc DeBonis
Doug Atwater
JR Fleeman
Ismael Alaoui
Frank Galligan
---
Agenda:
Overview conversation
Reference current ways to do password resets
Discuss potential options of SS password reset
---
SS password reset = without 3rd party human interaction
costs $15-20/password reset (across pid/hokies/banner/vpn)
(industry avg ~= $40)
technical issues to SS password reset?
Providing alternate credentials to reset another set (Example - CHAP/VPN)
---
[Current password reset\change options]
1 - Call 4help/Call Center
Q - How exactly do they authenticate you?
A - Daniel thinks they pick random questions from registry entries (challenge response?)
A - Doug says: requires VTID, then pick two of these (major, job, name, PID, DOB)
A - If they don't know VTID, direct to correct place to determine. How strong are those other places?
2 - Call IRM
3 - Change via HSS (but not if they don't remember it)
4 - LDAPS/ADSI?
5 - Walk in to 4help?
Q: Do they require a password change on first logon?
A: I believe they do for AD. Not sure all programmatic interfaces denote/require this.
Q: Lock after 24 hours if not reset? (at least PID does this)
A: Don't think AD does
Q: So resetting principal does know temp password?
A: Yes
---
- Most places ask for a userid and send a link or temporary password to your email account. Catch-22 here: if we send it to your VT mail and you can't log into it, you're out of luck.
- Some services give a password hint or phrase. Typically derived from the optional hint/phrase the user entered when the account was created or the password was last changed/reset. Some people purposely leave this blank or enter nonsense to avoid doing it.
- Provide user created Q&A pairs, including system generated Q&A pairs (based off information from Banner).
Q: Is it a good thing or bad thing to allow users to pick their own questions? How do we determine strength of the question and/or answer?
User created question - "Which Superman movie was the best?" A - "Superman III"
Pre-defined question - "What was the name of your first pet?" A - "Otto Von Bizmark"
Banner generated question - "What was the gross salary of your last pay stub?" A - "$29.95"
Relative strength of each set, combination of all three?
Q: How editable should these be made?
Q: How do you enroll people?
Q: What kind of lockout attempt constraints need to apply to failed attempts?
A: Fall back. Can we constrain to only allow walk in after this failure? What's the cost for that?
Q: What's the current cost for a token reset?
- Require an alternate email so we can send you the temporary password/the password?
Q: What services/systems across campus send password/temporary password in cleartext email?
A: Illiad? Listserv management reset?
Q: What higher level assurance products can be utilized to reset medium assurance authentication/authorization credentials?
A: eTokens?
A: 500 now, 6500 in 1+ months scheduled
A: So this would only be a SS password reset for F/S using eTokens
A: Make an eToken optional if you want to avoid answering 6-8 Q&A pairs
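The Q&A verification, failed-attempt lockout with fallback, and temporary password/token delivery discussed above, as an added example that is not part of the original notes and not any Virginia Tech system. Assumed policy values (not from the notes): answers are normalized (case, punctuation, whitespace) and stored as salted PBKDF2 hashes, three failures lock the self-service channel for 24 hours (the user then falls back to walk-in/4help), and a successful check issues a single-use reset token that expires after 24 hours, mirroring the "lock after 24 hours if not reset" behaviour the notes mention for PID. All sample questions and answers are constructed.

```python
"""Hypothetical self-service password-reset core (example code written for
this page, not a VT service): challenge-response Q&A with lockout, plus
single-use, expiring reset tokens."""
import hashlib
import hmac
import os
import re
import secrets
import time

MAX_FAILURES = 3                 # assumed: failures before the SS channel locks
LOCKOUT_SECONDS = 24 * 3600      # assumed: locked for 24h, then walk-in/4help
TOKEN_TTL_SECONDS = 24 * 3600    # assumed: token dies after 24h like a PID temp pwd
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that
    'Otto Von Bizmark' and 'otto von bizmark!' compare equal."""
    cleaned = re.sub(r"[^\w\s]", "", answer.casefold())
    return " ".join(cleaned.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked enrollment table does not expose answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                               salt, PBKDF2_ROUNDS)


class FakeClock:
    """Injectable clock so lockout and expiry can be exercised without waiting."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.enrollments = {}   # user -> [(question, salt, digest), ...]
        self.failures = {}      # user -> (failure_count, last_failure_ts)
        self.tokens = {}        # token -> (user, expires_at)

    def enroll(self, user: str, qa_pairs):
        """Store each answer under its own random salt; plaintext is discarded."""
        stored = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            stored.append((question, salt, hash_answer(answer, salt)))
        self.enrollments[user] = stored

    def questions(self, user: str):
        return [q for q, _, _ in self.enrollments.get(user, [])]

    def is_locked(self, user: str) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() - last < LOCKOUT_SECONDS

    def verify(self, user: str, answers):
        """Return a reset token if every answer matches, else None.
        Every answer is checked (no early exit) and compared in constant
        time, so timing does not reveal which one was wrong.  A locked
        user gets None even with correct answers."""
        if self.is_locked(user):
            return None
        stored = self.enrollments.get(user, [])
        ok = bool(stored) and len(answers) == len(stored)
        for (_, salt, digest), answer in zip(stored, answers):
            ok &= hmac.compare_digest(digest, hash_answer(answer, salt))
        if not ok:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, self.clock())
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Single use: the token is removed whether or not it is still valid.
        Returns the user it was issued to, or None if unknown or expired."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self.clock() <= expires_at else None


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    svc = ResetService(clock)
    svc.enroll("jdoe", [("What was the name of your first pet?", "Otto Von Bizmark"),
                        ("What was the gross salary of your last pay stub?", "$29.95")])
    print(svc.verify("jdoe", ["wrong", "$29.95"]))            # None
    tok = svc.verify("jdoe", ["otto von bizmark!", "$29.95"])
    print(svc.redeem(tok), svc.redeem(tok))                   # jdoe None (single use)
```

The lockout only gates the self-service channel; the notes' fallback (walk-in to 4help) would be a separate, human-verified path that this code deliberately does not offer online.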
- Side questions
Q: Would people bother to use it?
A: Must be easy and quick to use. But how easy is too easy? Balance of security vs ease of use.
Q: How would it be implemented?
A: Required? Optional? Time phased in. Paired with mass password reset?
Q: Should this be a central service tied to other credentials like PID, Banner, CHAP/VPN?
Q: If I know my PID\PWD, can I reset my others (i.e., Hokies, Banner, CHAP/VPN)?
A: You can do this now at least with CHAP/VPN.
A: When setting up your Hokies user account, you auth/auth with PID/PWD. After that, the pwds are necessarily the same.
1 Comment
Mary Dunker
Mar 10, 2009
Should the statement about setting up your Hokies user account have been recorded as:
A: When setting up your Hokies user account, you auth/auth with PID/PWD. After that, the pwds are not necessarily the same.
???