Meeting to discuss SS PWS Project with sponsors, ITSO and project Lead

May 27, 2009
Attendees:

  • Wayne Donald
  • Karen Herrington
  • Joyce Landreth
  • Mary Dunker

We met to discuss the self-service password reset project. We would like to put the Thursday meetings on hold while the 4 of us do some more research. We will investigate what other schools are doing and how such a service can be made very secure. Assignments:

Wayne - investigate what other schools are doing

Joyce - gather statistics on the affiliations of people who request password resets (faculty, staff, student, alum)

Karen - learn about using cell phones as one-time-password devices

Mary - investigate keystroke biometric techniques

The 4 of us will reconvene in late June, so larger meetings, if any, should be suspended until July, 2009.

3 Comments

  1. Mary Dunker

    Results from Joyce and Dean on affiliations for password reset customers:

    6/1/2008 - 5/28/2009

    From Call Center queue

    Password reset tickets total - 5531

    Staff - 1520

    Student - 572

    Faculty - 261

    Retired - 75

    NONE - 3103

    Note that affiliations come from Altas, and are not likely to be correct. 'NONE' may represent alumni.

  2. Mary Dunker

    Information on keystroke biometrics from Bruce Schneier's blog http://www.schneier.com/blog/archives/2007/04/keystroke_biome.html. I will try to find a demo of BioPass, as comments from the vendor imply it might not require a client.

    I would not recommend a keystroke biometric for standard authentication to a highly used service, primarily because of false negative rates. But the concept might be useful in conjunction with other authentication methods. False negative rate might be acceptable for self-service password resets. I would like to find a way to try it out. The demo page for BioPass from Schneier's blog is inoperable. I will see if another page exists. This product is not open source, so cost might be prohibitive, even if we like the solution.  

    Companies offering keystroke biometric password solutions:

    http://www.imagicsoftware.com

    http://www.biochek.com

    Keystroke dynamics from http://www.admitonesecurity.com

    Authentest from http://www.authenware.com

  3. Mary Dunker

    Might we consider using question/answer pairs COMBINED with the one-time password sent to a cell phone? This would provide multi-factor authentication for the reset application.