Assurance

[David Walker <>]

Exactly.  The credential reset process doesn't need to be the same as the initial credentialing process, it just has to meet the same IAP criteria.  Once the IdPO has a relationship with someone, they can leverage additional information to facilitate later resets.  For example, a cell phone number could be verified during the initial process and used to transmit a short-term token as part of a reset process without needing face-to-face interaction.

David Walker

On Mon, 2012-11-12 at 13:28 -0700, David Langenberg wrote:
> Over here, what would happen in that case is each account would be
> locked.  Then upon the faculty member contacting IT Security, Support,
> or our Identification and Privileges office and receiving any required
> education (ie don't reply to phishing email) the authorized support
> person will initiate a process which will send a one-time-use-password
> to the faculty member's address(es) of record which will enable them
> to reset their password.  If IT Security believed that the addresses
> of record were also compromised, then faculty member would be required
> to follow the in-person proofing steps again.
>
> Dave
>
> On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau <> wrote:
> > So, how does this work out for you in actual practice in a university setting?
> >
> > For instance, a compromise of several dozen faculty members.  Do you send out a team to re-silver-credential?  What about a bigger compromise, say several hundred?
> >
> > -----Original Message-----
> > From:  [] On Behalf Of Jones, Mark B
> > Sent: Monday, November 12, 2012 2:28 PM
> > To: 
> > Subject: RE: [Assurance] last question
> >
> > My opinion is that a 'reset' password should be issued with the same procedure as the 'initial' password.  This may be the same point Tom was making.
> >
> > If a password needs to be reset, what you are saying is that the person that owns the account is no longer in control of the account.  This is the same state as when the account was new and the owner did not yet know the password.
> >
> > -----Original Message-----
> > From:  [] On Behalf Of Tom Scavo
> > Sent: Monday, November 12, 2012 1:21 PM
> > To: 
> > Subject: Re: [Assurance] last question
> >
> >
> >
> >> If a Silver credential is compromised, can or should it be reset using
> >> the compromised credential
> >
> > If a credential is compromised, it needs to be revoked ASAP, that is, it should no longer be recognized as a valid authenticator.
> >
> >> and/ or by answering security questions?
> >
> > I don't believe the IAP gives guidance in the area of password reset (which is what I think you're asking about) so let me give my opinion FWIW. A password is only as strong as the password reset mechanism that goes along with it. Recent events on the open Internet have clearly demonstrated that the Bad Guy, when confronted with a strong authenticator, turns his/her attention to the password reset process using social engineering tactics.
> >
> > Tom