assurance - RE: [Assurance] last question
- From: "Jones, Mark B" <>
- Subject: RE: [Assurance] last question
- Date: Mon, 12 Nov 2012 14:44:15 -0600
I guess I only answered half of your question. Compromised accounts should
get deactivated. After that, it doesn't matter why the user needs a reset; the
process should be the same.
But this is where I admit that we are not doing this. Our users, like most I
imagine, are used to an easy password reset procedure. But there is
increasing interest in harmonizing password reset procedures with initial
credential issuance procedures. This will mean that it will be more
inconvenient for users to forget their passwords.
I do think that if you have a mass compromise it could make sense to
send an RA to the users as opposed to having users go to the RA.
-----Original Message-----
From: On Behalf Of Lisa Campeau
Sent: Monday, November 12, 2012 2:20 PM
Subject: RE: [Assurance] last question
And what if it's just potential compromise? And the personnel may or may not
have the id needed with them? Just trying to throw some real scenarios into
how to make this work in a situation we could face, and be ready for it.
- Lisa
-----Original Message-----
From: On Behalf Of Lisa Campeau
Sent: Monday, November 12, 2012 3:10 PM
Subject: RE: [Assurance] last question
So, how does this work out for you in actual practice in a university
setting?
For instance, a compromise of several dozen faculty members. Do you send out
a team to re-silver-credential? What about a bigger compromise, say several
hundred?
-----Original Message-----
From: On Behalf Of Jones, Mark B
Sent: Monday, November 12, 2012 2:28 PM
Subject: RE: [Assurance] last question
My opinion is that a 'reset' password should be issued with the same
procedure as the 'initial' password. This may be the same point Tom was
making.
If a password needs to be reset, what you are saying is that the person that
owns the account is no longer in control of the account. This is the same
state as when the account was new and the owner did not yet know the password.
-----Original Message-----
From: On Behalf Of Tom Scavo
Sent: Monday, November 12, 2012 1:21 PM
Subject: Re: [Assurance] last question
> If a Silver credential is compromised, can or should it be reset using
> the compromised credential
If a credential is compromised, it needs to be revoked ASAP, that is, it
should no longer be recognized as a valid authenticator.
> and/ or by answering security questions?
I don't believe the IAP gives guidance in the area of password reset (which
is what I think you're asking about) so let me give my opinion FWIW. A
password is only as strong as the password reset mechanism that goes along
with it. Recent events on the open Internet have clearly demonstrated that
the Bad Guy, when confronted with a strong authenticator, turns his/her
attention to the password reset process using social engineering tactics.
Tom