-+- 

From: Gary Flynn flynngn@jmu.edu 

> I've been asked to research what if/how other universities do password resets for their customers (F/S/Stu).

> Do you allow users to reset their own passwords based on other credential factors?

Yes.

> Does your help desk take all the calls?

No. There is a self service web page.

> If you allow self-reset, how? Challenge/response Q&A? Pre-computed questions? Allow the user to pick their own?

User can set password through knowledge of last four digits of SSN, birthdate, and the answer to a "secret question" of their own choosing.

I would not recommend the latter because people pick public information or information in a small set of possibilities often enough to cause problems.

We're moving to a system based on Oracle IdM functionality which should improve the authentication process once finished.

> For multiple systems with multiple credentials, does proper auth/auth to one of these systems allow the resetting of credentials for another system? If so, how is that tiered by assurance level?

Most of our systems authenticate user credentials against LDAP and AD servers that have their passwords synchronized by the password change process. The few systems that don't participate in that environment are not used very much and require a separate process.

We're moving to Oracle's OAM product for web applications which will allow us to vary authentication strength depending upon various factors such as system, URL, source IP, claimed identity, and time of day.

> Anyone have typical costs for a password reset in your environment? What are the factors involved in the cost estimate?

>

> Any questions I'm not asking, but should be?

>

> Thanks!

>

> - M 
-+-

From: tina.meier@okstate.edu

Oklahoma State University has a self-serve identity management system.
I presented this topic at the HiEd Forum last summer.

Yes we allow users to reset their own passwords based on other credential factors.

Yes, our helpdesk does help people walk through the process. They do not reset the password for them.

Yes we have a challenge/response system with a preset list of questions.

Yes, we have an administrative interface that flips a flag to allow the person to walk through the entire process to reset. We highly discourage our own department from resetting passwords.

If you have other questions, let me know.

(Presentation link @ http://windows-hied.org/Conf2006/OSU_SelfProvisioning.ppt)

Thanks

Tina 
-+- 

From: drews@engr.wisc.edu
I'll answer twice.

For the central campus, people can call the helpdesk (or stop in) to get
it reset. There is also a web reset page. When you set up your account,
you are required to fill in the answer to 3 pre-computed questions.
There are about 20 pre-computed questions and you must pick and answer
at least 3.  When you go to the web reset page, you have to enter your
campus id number and date of birth. The system then picks 3 of the
questions you set an answer for and you have to answer those. If that
passes, you can reset your password.

For our area (College of Engineering), we let people reset their
password by visiting the helpdesk with your photo ID, or via the web.
For our web reset, we have the user first authenticate to the central
campus system (pubcookie), and if that passes, we let them reset their
Engineering account password (the login name they used to authenticate
to pubcookie must match what we have on file for them before the reset
is accepted).  This way we let the central campus do the "hard" part
(making sure who they say they are is really who they are).

-James
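The central-campus flow James describes (enroll at least 3 of a bank of pre-computed questions, gate the reset on campus id plus date of birth, then challenge 3 of the enrolled questions) can be sketched as a small service. This is an added illustration, not code from any of the universities in this thread; the question bank, the lockout threshold and the PBKDF2 parameters are assumptions, and answers are stored only as salted hashes so a database leak does not expose them.

```python
import hashlib, hmac, os, secrets

# Constructed question bank standing in for the ~20 pre-computed questions (assumption).
QUESTION_BANK = {
    1: "Name of your first school?", 2: "City where you were born?",
    3: "Model of your first car?", 4: "Name of your first pet?",
    5: "Street you grew up on?",
}
MIN_ENROLLED = 3      # the campus rule from the thread: answer at least 3
CHALLENGE_SIZE = 3    # the reset page asks 3 of the enrolled questions
MAX_FAILURES = 5      # hypothetical lockout threshold, not from the thread

def _norm(answer: str) -> bytes:
    # Case- and whitespace-insensitive so "Oak  St" and "oak st" both verify.
    return " ".join(answer.lower().split()).encode()

def _hash(answer: str, salt: bytes) -> bytes:
    # Slow hash: enrolled answers are low-entropy, so brute force must be expensive.
    return hashlib.pbkdf2_hmac("sha256", _norm(answer), salt, 100_000)

class ResetService:
    def __init__(self):
        self.accounts = {}   # campus_id -> {"dob", "q", "fail"}

    def enroll(self, campus_id: str, dob: str, answers: dict) -> None:
        if len(answers) < MIN_ENROLLED or not set(answers) <= set(QUESTION_BANK):
            raise ValueError("pick at least 3 questions from the bank")
        stored = {}
        for qid, ans in answers.items():
            salt = os.urandom(16)
            stored[qid] = (salt, _hash(ans, salt))   # never the plaintext answer
        self.accounts[campus_id] = {"dob": dob, "q": stored, "fail": 0}

    def challenge(self, campus_id: str, dob: str):
        # Identity gate: unknown id, wrong DOB and locked account all look the same.
        rec = self.accounts.get(campus_id)
        if rec is None or rec["dob"] != dob or rec["fail"] >= MAX_FAILURES:
            return None
        return secrets.SystemRandom().sample(sorted(rec["q"]), CHALLENGE_SIZE)

    def verify(self, campus_id: str, qids, answers) -> bool:
        rec = self.accounts[campus_id]
        if rec["fail"] >= MAX_FAILURES or len(qids) != CHALLENGE_SIZE:
            return False
        ok = True
        for qid, ans in zip(qids, answers):
            salt, digest = rec["q"][qid]
            ok &= hmac.compare_digest(_hash(ans, salt), digest)  # check all, no early exit
        rec["fail"] = 0 if ok else rec["fail"] + 1
        return ok
```

A true result from verify is the point at which the real system would let the user choose a new password; the service itself never returns or emails the old one.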

-+-

From: Sweeny, Jonny [jsweeny@iu.edu]

Marc,
This describes our system:

If I forget or have problems with my IU passphrase, what can I do?
https://kb.iu.edu/data/baak.html

-+-

From: peter.eden@utoronto.ca 
(Answers prefixed with []s inline to my questions)
 
I've been asked to research what if/how other universities do password
resets for their customers (F/S/Stu). Do you allow users to reset their own
passwords based on other credential factors?
[] Yes but only for students.

Does your help desk take all the calls?
[] Yes - from students, faculty and staff.

If you allow self-reset, how? Challenge/response Q&A? Pre-computed
questions? Allow the user to pick their own?
[] 20 pre-computed questions from their student record.

For multiple systems with multiple credentials, does proper auth/auth to one
of these systems allow the resetting of credentials for another system? If
so, how is that tiered by assurance level?
[] We do have some synchronization of credentials. This can take anywhere
from 15 minutes to up to 24 hours. We advise people that the new password
may not take effect until the next day.

Anyone have typical costs for a password reset in your environment? What
are the factors involved in the cost estimate?
[] Our total number of tickets in 2006 was 36,000 and we had 7,960 password
resets. That's approx 22% of total help desk tickets. Apparently this works
out to less than $15 per reset request.

Any questions I'm not asking, but should be?
[] For staff and faculty - Currently we are working to assign the password
reset task to that dept's local IT admin. The challenge is to create/assign
the faculty/staff list for each IT admin.

-+-

From: Dan.Schwartz@Lehigh.EDU

Hi Marc,

We have an IDM system that synchronizes account credentials across
multiple systems and also allows our users to reset based on 3 security
questions that are self created when the account is activated.  These
can of course be changed at anytime.  We provide some example questions
to guide them in selecting non-obvious questions.

We also do manual resets from our security office, with a photo id.

Our help desk will assist in talking a person through self-reset based
on their security questions or refer the user to accounts manager in the
security office for a manual reset.

We haven't been charging for assistance with resetting passwords, so the
users don't see any of our costs.  I have some stats on how many people
use their security questions per day, but haven't compiled it into a
report or anything.

We force password changes every 180 days using an e-mail reminder
system, with the exception of the summer months when most students and
faculty are not on campus (so they automatically get a few extra months
until the fall semester begins).

I've spent a lot of time working and building the system we currently
have, so I could go on for hours boring you with the details.

Dan Schwartz, LTS - Systems and Networking
Lehigh University, Bethlehem, PA

-+-

From: casey@mail.ucf.edu
Do you allow users to reset their own passwords based on other credential factors?
-Absolutely, in fact we have had over 24K of them for this semester alone.

Does your help desk take all the calls?

  • Students, Faculty and staff have the option to call the help desk to have their password reset but it is not required

If you allow self-reset, how?

  • There are currently two methods: one method is to use the self-services password reset page or they may call the help desk to have the password reset.

Challenge/response Q&A? Pre-computed questions? Allow the user to pick their own?

  • As a person becomes part of our university they are issued two additional key pieces of information: personal id (PID) and a university card (which has "cash" on the chip). In our password reset page, you must enter your PID, Card Number (12 numbers in total), last 4 of social security number and your birthday.

For multiple systems with multiple credentials, does proper auth/auth to one of these systems allow the resetting of credentials for another system? If so, how is that tiered by assurance level?

  • We have several systems at our university which are "disconnected" from our central core AD infrastructure. However, each system across our university uses the same "ID" to login but may have a different password. Our approach is either the system will be switched to AD for authentication or our password reset page will reach out and reset the system. We have successfully created the password reset page to do AD, LDAP, WebCT and Web Vista.

Anyone have typical costs for a password reset in your environment? What are the factors involved in the cost estimate?

  • Hum. This is a loaded question of which I don't think you will find the right answer because trying to answer this question will certainly depend on your environment and the decisions you make designing a password reset page. Typical costs usually vary with "canned" vendor products but center most of their costs around your total users. We chose to do our own password reset too because we wanted the flexibility of changing our password requirements, developing for other systems and most of all because doing password resets is fairly simple.

For us the process is still ongoing only due to the fact that we are expanding our password reset page to cross multiple systems and vendors applications.

If I were to completely estimate (aggressively) the time and the groups involved in making our utility a success it would be this:

1 - .NET developer 6 weeks ( programmed the password reset page to do AD, LDAP, interface with WebVista and WebCT)
1 - PeopleSoft engineer 3 days ( built the web services for our developer to interact with to verify the password challenges mentioned above)
1 - WebCT engineer 3 days ( modified existing password reset page to allow our .NET developer to reset passwords with the central password utility)
1 - WebVista engineer 3 days ( modified existing code to allow our .NET developer to reset this system too)
1 - Identity Manager 5 weeks ( make decisions and design the system from a conceptual level)
1 - Beta users 4 weeks ( test the system and make recommendations)

Any questions I'm not asking, but should be?

  • Overall you will need to think of how you want your system to work and make a decision based on your environment. If you decide to develop the utility "in-house" then you will have about 50 more questions to answer.

Hope this helps a little
-Casey

-+-