- From: David Langenberg <>
- Subject: Re: [Assurance] last question
- Date: Mon, 12 Nov 2012 13:28:40 -0700
Over here, what would happen in that case is each account would be
locked. Then, upon the faculty member contacting IT Security, Support,
or our Identification and Privileges office and receiving any required
education (i.e. don't reply to phishing email), the authorized support
person will initiate a process which will send a one-time-use password
to the faculty member's address(es) of record which will enable them
to reset their password. If IT Security believed that the addresses
of record were also compromised, then the faculty member would be required
to follow the in-person proofing steps again.
Dave
On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau
<>
wrote:
> So, how does this work out for you in actual practice in a university
> setting?
>
> For instance, a compromise of several dozen faculty members. Do you send
> out a team to re-silver-credential? What about a bigger compromise, say
> several hundred?
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Jones, Mark B
> Sent: Monday, November 12, 2012 2:28 PM
> To:
> Subject: RE: [Assurance] last question
>
> My opinion is that a 'reset' password should be issued with the same
> procedure as the 'initial' password. This may be the same point Tom was
> making.
>
> If a password needs to be reset, what you are saying is that the person
> that owns the account is no longer in control of the account. This is the
> same state as when the account was new and the owner did not yet know the
> password.
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Monday, November 12, 2012 1:21 PM
> To:
> Subject: Re: [Assurance] last question
>
>> If a Silver credential is compromised, can or should it be reset using
>> the compromised credential
>
> If a credential is compromised, it needs to be revoked ASAP, that is, it
> should no longer be recognized as a valid authenticator.
>
>> and/ or by answering security questions?
>
> I don't believe the IAP gives guidance in the area of password reset (which
> is what I think you're asking about) so let me give my opinion FWIW. A
> password is only as strong as the password reset mechanism that goes along
> with it. Recent events on the open Internet have clearly demonstrated that
> the Bad Guy, when confronted with a strong authenticator, turns his/her
> attention to the password reset process using social engineering tactics.
>
> Tom
--
David Langenberg
Identity & Access Management
The University of Chicago
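The recovery flow Dave describes above (lock on compromise, support-initiated one-time-use password to the address of record, fall back to in-person proofing when those addresses are also suspect), written out as a small state model. This is an added illustration, not code from the list or from any of the institutions named; the class, function and field names are assumptions, and the OTP lifetime is a constructed value.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_LIFETIME_SECONDS = 15 * 60  # constructed value; pick per local policy


@dataclass
class Account:
    name: str
    addresses_of_record: list           # where the OTP would be delivered
    state: str = "active"               # active | locked | needs_in_person_proofing
    otp_hash: Optional[str] = None      # only a hash of the OTP is kept server-side
    otp_expires: float = 0.0


def lock_on_compromise(acct: Account) -> None:
    """Revoke the compromised credential: nothing authenticates until reset."""
    acct.state = "locked"
    acct.otp_hash = None                # any earlier reset token dies with the lock


def initiate_reset(acct: Account, support_authorized: bool,
                   addresses_compromised: bool, now: float) -> Tuple[str, Optional[str]]:
    """Support-driven reset. Returns (outcome, otp); the otp is handed to the
    out-of-band delivery step for acct.addresses_of_record, never stored in clear."""
    if not support_authorized or acct.state != "locked":
        return ("refused", None)
    if addresses_compromised:
        acct.state = "needs_in_person_proofing"   # back to initial-issuance proofing
        return ("in_person_proofing_required", None)
    otp = secrets.token_urlsafe(16)
    acct.otp_hash = hashlib.sha256(otp.encode()).hexdigest()
    acct.otp_expires = now + OTP_LIFETIME_SECONDS
    return ("otp_sent", otp)


def redeem_otp(acct: Account, presented: str, now: float) -> bool:
    """Consume the one-time password: valid once, only while unexpired, only on a
    locked account. True means the holder may now set a new password."""
    if acct.state != "locked" or acct.otp_hash is None or now > acct.otp_expires:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not secrets.compare_digest(acct.otp_hash, presented_hash):
        return False
    acct.otp_hash = None                # single use: a replayed OTP is refused
    acct.state = "active"
    return True
```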