Attendees:

  • Kevin Rooney
  • Greg Kroll
  • Randy Marchany
  • Brad Tilley
  • Susan Brooker-Gross
  • Rhonda Randel
  • Kim Homer
  • Dean Kirstein
  • Karen Herrington
  • Ken McCrery
  • Marc DeBonis
  • Mary Dunker

Requirements discussion:

Marc: We already have a process in place that manages Q/A pairs -- PIDGen. Since we allow people with PIDs to create Hokies IDs, we could utilize the same web service for PIDs and Hokies both. Could we use the same challenge/response web service and affiliations to determine question set? Could we use the same application infrastructure web service? Interface would show allowing resetting PID & Hokies using the web service. MIG could communicate with the existing web service. PIDGen uses Spring technology. Question: Could/should we use the same technology; i.e., web service that is currently used by PIDGen? Answer from all: YES

Daniel: Should we require a person to set up 3rd party e-mail before setting up Q/A? Advantage is another piece of information. Disadvantage is that some people do not have external e-mail accounts, and we have encouraged people to use VT e-mail. Discussion revealed that using a 3rd party e-mail during password reset process is very common in industry. In the VT environment, it might add some amount of functionality/security, but could be outweighed by the political task of requiring users to obtain and maintain a 3rd party e-mail address. Vote: requirement YES 0, option 2. Can be revisited in the future.

Brad: Should VT ID number be required? ID numbers are sequential so this does not offer any security. Kevin: We just ask that to say you must be this tall to play. 

Marc proposal: Use existing questions that are used today to allow a person to create their PID. Susan: When a person is first establishing their identity, the information in the questions used for PIDGen is less well-known than after a person has created the PID. Too many people have access to this data.  Vote: Should we use the existing Banner data alone for challenge/response? Vote: 4 YES.  Fastest, cheapest, easiest way to roll this out.

Should we require challenge/response Q that are different from those used for PIDGen today? Vote: 5 YES

Should we offer challenge/response as an option for users in addition to using Banner questions? 4 YES

Randy: Let people create their own questions. 

2 Comments

  1. Marc DeBonis

    Article I saw on Slashdot today that is appropriate to the discussion: http://www.itworld.com/tech-society/54193/beware-meta-password-reuse

    >
    > http://it.slashdot.org/it/08/08/13/2241242.shtml
    >
    > Do you use the same password all over the place? Yes, you
    > probably do - whether you know it or not.
    >
    > The fact is, while some people still casually use the same
    > password for many sites, almost all of us reuse what we may
    > think of as "meta passwords" - the information used to reset
    > passwords. That, I argue, is worse than reusing passwords -
    > but harder to avoid!

  2. Mary Dunker

    Regarding the "votes" during the meeting...

    Votes on policy-type issues, such as what data is used for Q/A pairs should be taken as recommendations, as this may not be the appropriate group of people to make policy decisions.

    Votes on technical issues can probably be incorporated into requirements providing the correct technical people were in the voting meeting.