assurance - RE: [Assurance] last question
Subject: Assurance
List archive
- From: "Farmer, Jacob" <>
- To: "" <>
- Subject: RE: [Assurance] last question
- Date: Mon, 12 Nov 2012 20:25:13 +0000
- Accept-language: en-US
Lisa,
I think that is something that you have to consider if you are going to
assert Silver for a large number of users.
We plan to do two things to mitigate the scenario you're discussing:
1) We are only going to offer Silver where absolutely necessary. Hopefully
our total Silver user base will only be a few hundred.
2) We are going to leverage two-factor authentication. It helps defend
against a large-scale attack such as phishing, plus it just makes Silver
easier to do assuming you have the infrastructure.
Jacob
-----Original Message-----
From:
[mailto:]
On Behalf Of Lisa Campeau
Sent: Monday, November 12, 2012 3:10 PM
To:
Subject: RE: [Assurance] last question
So, how does this work out for you in actual practice in a university
setting?
For instance, a compromise of several dozen faculty members. Do you send out
a team to re-silver-credential? What about a bigger compromise, say several
hundred?
-----Original Message-----
From:
[mailto:]
On Behalf Of Jones, Mark B
Sent: Monday, November 12, 2012 2:28 PM
To:
Subject: RE: [Assurance] last question
My opinion is that a 'reset' password should be issued with the same
procedure as the 'initial' password. This may be the same point Tom was
making.
If a password needs to be reset, what you are saying is that the person that
owns the account is no longer in control of the account. This is the same
state as when the account was new and the owner did not yet know the password.
-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Scavo
Sent: Monday, November 12, 2012 1:21 PM
To:
Subject: Re: [Assurance] last question
> If a Silver credential is compromised, can or should it be reset using
> the compromised credential
If a credential is compromised, it needs to be revoked ASAP, that is, it
should no longer be recognized as a valid authenticator.
> and/ or by answering security questions?
I don't believe the IAP gives guidance in the area of password reset (which
is what I think you're asking about) so let me give my opinion FWIW. A
password is only as strong as the password reset mechanism that goes along
with it. Recent events on the open Internet have clearly demonstrated that
the Bad Guy, when confronted with a strong authenticator, turns his/her
attention to the password reset process using social engineering tactics.
Tom
- [Assurance] last question, Lisa Campeau, 11/12/2012
- Re: [Assurance] last question, Tom Scavo, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- RE: [Assurance] last question, Farmer, Jacob, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/13/2012
- Re: [Assurance] last question, David Langenberg, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- Re: [Assurance] last question, David Langenberg, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/13/2012
- Re: [Assurance] last question, David Langenberg, 11/12/2012
- Re: [Assurance] last question, David Walker, 11/12/2012
- Re: [Assurance] last question, Tom Scavo, 11/12/2012
- Re: [Assurance] last question, David Bantz, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/12/2012
- RE: [Assurance] last question, Lisa Campeau, 11/12/2012
- RE: [Assurance] last question, Jones, Mark B, 11/12/2012
- Re: [Assurance] last question, Tom Scavo, 11/12/2012
Archive powered by MHonArc 2.6.16.