Assurance

[Lisa Campeau <>]

So, how does this work out for you in actual practice in a university 
setting?  

For instance, a compromise of several dozen faculty members.  Do you send out 
a team to re-silver-credential?  What about a bigger compromise, say several 
hundred?

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Jones, Mark B
Sent: Monday, November 12, 2012 2:28 PM
To: 

Subject: RE: [Assurance] last question

My opinion is that a 'reset' password should be issued with the same 
procedure as the 'initial' password.  This may be the same point Tom was 
making.  

If a password needs to be reset, what you are saying is that the person that 
owns the account is no longer in control of the account.  This is the same 
state as when the account was new and the owner did not yet know the password.

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Monday, November 12, 2012 1:21 PM
To: 

Subject: Re: [Assurance] last question



> If a Silver credential is compromised, can or should it be reset using 
> the compromised credential

If a credential is compromised, it needs to be revoked ASAP, that is, it 
should no longer be recognized as a valid authenticator.

> and/ or by answering security questions?

I don't believe the IAP gives guidance in the area of password reset (which 
is what I think you're asking about) so let me give my opinion FWIW. A 
password is only as strong as the password reset mechanism that goes along 
with it. Recent events on the open Internet have clearly demonstrated that 
the Bad Guy, when confronted with a strong authenticator, turns his/her 
attention to the password reset process using social engineering tactics.

Tom