Attendees:
Ismael Medaghri Alaoui
Susan Brooker-Gross
Marc DeBonis
Mary Dunker
Daniel Fisher
Karen Herrington
Kimberley Homer
Dean Kirstein
Joyce Landreth
Ken McCrery
Pat Rodgers
Kevin Rooney
Absent:
Wayne Donald
Carol Cornish
Discussion:
The Self-Service Password Reset Project Initiation Form was distributed.
Goal: We wish to facilitate remote resetting of passwords in order to reduce users' frustration when they call the Help Desk to have their passwords reset. We also hope to reduce the workload and level of frustration experienced by 4Help when they are asked to reset passwords. Any self-service reset tool must be at least as secure as the method we have today, i.e., password reset by 4Help. Systems: PID, eToken, Hokies, GAMS - not Oracle.
Definition: Password reset means changing the password of an account or ID without knowing the old password. Password change means changing an old password to a new password when the owner of the account or ID knows the old password.
Marc - Can we estimate costs/benefits for self-service password reset? Here is a link to a formula for estimating the cost of help desk password resets. What is the risk of not doing this project?
How can we train users to reset using this tool instead of calling 4Help? Training is probably best done at orientation. Promotional documentation is important. It would take 4 years to train students to use an online tool rather than call 4Help to reset their passwords.
Frank - Critical for eTokens because currently people have to physically appear at Student Telecommunications in order to have their eToken passwords reset. We do not currently have a way for a person to reset their eToken password if they cannot physically come to the Blacksburg Student Telecommunications office.
Q: What level of security do we have now? Can we improve that?
Need to continue to leave option open for calling 4Help to either reset or assist in resetting passwords.
Questions to be answered:
- Should a person be allowed to use one set of credentials to reset the password for another? Is the answer different based upon which set of credentials is used for what?
- Is the security less if we have a central interface?
- Is a central interface good or bad?
- If challenge questions are used, who can see them? How are they created/captured? How are they stored? Which systems should utilize them?
- What level of assurance should be used to allow people to create questions/responses? Highest possible level is desired.
- If we use challenge questions, how should they be implemented: pre-defined, user-defined, or a combination?
- What percentages of schools are doing this?
What kinds of online reset methods should we consider, realizing that one solution is not likely to fit all situations?
- Other/graphical recognition
- Challenge/response
- Signature recognition
- Typing recognition
- Biometrics (ear prints, fingerprints, iris recognition, hand recognition, voice recognition)
- Site keys
- One-time password reset capability via e-mail (deemed not very secure). Would this work for GAMS?
- Combinations of methods should be examined.
Other thoughts:
Should we undertake a formal assessment of the risk of each of our credentials?
We should record which credential was used to reset the password.
Frank - eToken. E-mail after receiving eToken, could use eToken to enter challenge questions.
Could we allow one higher-level credential to be used to reset another credential? This would require identifying the LOA for each credential, e.g., a PDC for a PID reset?
Does the higher LOA of the credential used to reset a lower-LOA password change the LOA of the credential whose password was reset? E.g., PID passwords are now created via challenge/response when a person creates the PID, so challenge/response questions for PID password reset provide the same level of assurance.
For each credential, we should evaluate options for reset criteria and also cost/benefit of that option.
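As an added illustration (not part of the minutes or of any existing system), the reset-by-higher-LOA rule discussed in the points above, with the audit record of the credential used that was suggested earlier; the LOA values are assumed placeholders, since the minutes only say they still need to be identified:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed level-of-assurance (LOA) per credential. The minutes ask for these to
# be identified but assign no values, so the numbers here are illustrative only.
CREDENTIAL_LOA = {"PDC": 3, "eToken": 3, "PID": 2, "Hokies": 2, "GAMS": 2}

# Pseudo-credential for a reset authorized by the target's own challenge
# questions, which the minutes treat as giving the target credential's own LOA.
CHALLENGE_RESPONSE = "challenge-response"


@dataclass
class ResetEvent:
    target: str         # credential whose password is being reset
    authorized_by: str  # credential (or CHALLENGE_RESPONSE) used to authorize it
    allowed: bool
    reason: str
    at: str


AUDIT_LOG: list[ResetEvent] = []


def may_reset(target: str, authorized_by: str) -> tuple[bool, str]:
    """Decide whether `authorized_by` may reset `target`'s password.

    Rule: the authorizing credential's LOA must be at least the target's LOA,
    a credential never authorizes its own reset, and challenge-response is
    accepted at the target's own LOA. Returns (allowed, reason)."""
    if target not in CREDENTIAL_LOA:
        return False, f"unknown target credential {target!r}"
    if authorized_by == CHALLENGE_RESPONSE:
        return True, f"challenge-response accepted at {target} LOA {CREDENTIAL_LOA[target]}"
    if authorized_by not in CREDENTIAL_LOA:
        return False, f"unknown authorizing credential {authorized_by!r}"
    if authorized_by == target:
        return False, "a credential cannot authorize its own reset"
    have, need = CREDENTIAL_LOA[authorized_by], CREDENTIAL_LOA[target]
    if have < need:
        return False, f"{authorized_by} LOA {have} is below {target} LOA {need}"
    return True, f"{authorized_by} LOA {have} satisfies {target} LOA {need}"


def request_reset(target: str, authorized_by: str) -> bool:
    """Apply the policy and always record which credential was used, allowed or not."""
    allowed, reason = may_reset(target, authorized_by)
    AUDIT_LOG.append(ResetEvent(target, authorized_by, allowed, reason,
                                datetime.now(timezone.utc).isoformat()))
    return allowed
```

Denied attempts are logged as well, so the record answers both "which credential reset this password" and "which credentials were tried and refused".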
Action items:
Marc - will ask what other schools are doing.
Dean - will search for 3rd-party software that could do this.
Joyce - will calculate the cost of help desk password resets.
Susan - will look at risk associated with compromise of each credential.
Smaller groups will identify options/methods for resetting passwords for the accounts/identifiers below, stating the pros and cons of each option.
1) PID resets - Pat, Kim, Joyce
2) Hokies - Marc
3) eToken - Frank, Pat
4) GAMS - Kevin, Karen