Re: [Assurance] last question


  • From: David Langenberg <>
  • To:
  • Subject: Re: [Assurance] last question
  • Date: Mon, 12 Nov 2012 13:51:31 -0700

Addresses of Record here are either an external email address or
SMS-capable US phone number. They are managed by the user themselves.

Dave

On Mon, Nov 12, 2012 at 1:46 PM, Jones, Mark B
<>
wrote:
> What do you use for address of record?
>
> What you describe sounds similar to one of the plans we have discussed.
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of David Langenberg
> Sent: Monday, November 12, 2012 2:29 PM
> To:
>
> Subject: Re: [Assurance] last question
>
> Over here, what would happen in that case is each account would be locked.
> Then upon the faculty member contacting IT Security, Support, or our
> Identification and Privileges office and receiving any required education
> (i.e. don't reply to phishing email) the authorized support person will
> initiate a process which will send a one-time-use password to the faculty
> member's address(es) of record which will enable them to reset their
> password. If IT Security believed that the addresses of record were also
> compromised, then the faculty member would be required to follow the in-person
> proofing steps again.
>
> Dave
>
> On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau
> <>
> wrote:
>> So, how does this work out for you in actual practice in a university
>> setting?
>>
>> For instance, a compromise of several dozen faculty members. Do you send
>> out a team to re-silver-credential? What about a bigger compromise, say
>> several hundred?
>>
>> -----Original Message-----
>> From:
>>
>> [mailto:]
>> On Behalf Of Jones, Mark B
>> Sent: Monday, November 12, 2012 2:28 PM
>> To:
>>
>> Subject: RE: [Assurance] last question
>>
>> My opinion is that a 'reset' password should be issued with the same
>> procedure as the 'initial' password. This may be the same point Tom was
>> making.
>>
>> If a password needs to be reset, what you are saying is that the person
>> that owns the account is no longer in control of the account. This is the
>> same state as when the account was new and the owner did not yet know the
>> password.
>>
>> -----Original Message-----
>> From:
>>
>> [mailto:]
>> On Behalf Of Tom Scavo
>> Sent: Monday, November 12, 2012 1:21 PM
>> To:
>>
>> Subject: Re: [Assurance] last question
>>
>>
>>
>>> If a Silver credential is compromised, can or should it be reset
>>> using the compromised credential
>>
>> If a credential is compromised, it needs to be revoked ASAP, that is, it
>> should no longer be recognized as a valid authenticator.
>>
>>> and/or by answering security questions?
>>
>> I don't believe the IAP gives guidance in the area of password reset
>> (which is what I think you're asking about) so let me give my opinion
>> FWIW. A password is only as strong as the password reset mechanism that
>> goes along with it. Recent events on the open Internet have clearly
>> demonstrated that the Bad Guy, when confronted with a strong
>> authenticator, turns his/her attention to the password reset process using
>> social engineering tactics.
>>
>> Tom
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago



--
David Langenberg
Identity & Access Management
The University of Chicago
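The recovery process Dave outlines above (lock the account, have an authorized support person send a one-time-use password to the user's addresses of record, and fall back to in-person proofing when those addresses are also believed compromised), written out as a small account-recovery model. This is an added illustration, not code from the University of Chicago or from anyone in the thread; the token lifetime, the hash parameters and the sample account are assumptions. It also encodes Tom's point that a compromised credential is revoked immediately and is never accepted as an authenticator for the reset itself.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed example modelled on the process described in the thread; not
# University of Chicago code. The token lifetime is an assumption (the thread gives none).
RESET_TOKEN_TTL = timedelta(minutes=30)


class RecoveryError(Exception):
    """A recovery step was attempted out of order or while policy forbids it."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)  # illustrative cost


@dataclass
class Account:
    username: str
    addresses_of_record: list[str]          # external e-mail or SMS number, user-managed
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    locked: bool = False
    aor_compromised: bool = False           # IT Security's judgement on the addresses of record
    reset_token_hash: bytes | None = None
    reset_token_expires: datetime | None = None

    def set_password(self, password: str) -> None:
        self.password_hash = _hash_password(password, self.salt)


def verify_password(acct: Account, candidate: str) -> bool:
    """A locked (revoked) account is never a valid authenticator, whatever is presented."""
    if acct.locked:
        return False
    return hmac.compare_digest(_hash_password(candidate, acct.salt), acct.password_hash)


def lock_on_compromise(acct: Account, addresses_also_compromised: bool = False) -> None:
    """Revoke the credential at once; any outstanding reset token dies with it."""
    acct.locked = True
    acct.aor_compromised = addresses_also_compromised
    acct.reset_token_hash = acct.reset_token_expires = None


def issue_reset_token(acct: Account, now: datetime | None = None) -> tuple[str, list[str]]:
    """Taken by the authorized support person after the user has made contact.
    Returns the one-time token and the addresses of record it must be delivered to."""
    now = now or datetime.now(timezone.utc)
    if not acct.locked:
        raise RecoveryError("recovery applies only to a locked account")
    if acct.aor_compromised:
        raise RecoveryError("addresses of record compromised: in-person proofing required")
    token = secrets.token_urlsafe(24)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()  # store a digest only
    acct.reset_token_expires = now + RESET_TOKEN_TTL
    return token, list(acct.addresses_of_record)


def redeem_reset_token(acct: Account, token: str, new_password: str,
                       now: datetime | None = None) -> None:
    """Consume the token exactly once, set the new password and unlock the account."""
    now = now or datetime.now(timezone.utc)
    if acct.reset_token_hash is None:
        raise RecoveryError("no reset token outstanding")
    if now > acct.reset_token_expires:
        acct.reset_token_hash = acct.reset_token_expires = None
        raise RecoveryError("reset token expired; support must issue a new one")
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
        raise RecoveryError("reset token does not match")
    acct.reset_token_hash = acct.reset_token_expires = None  # single use
    acct.set_password(new_password)
    acct.locked = False


def complete_in_person_proofing(acct: Account, new_addresses: list[str]) -> None:
    """Re-running the proofing steps re-establishes trusted addresses of record."""
    acct.addresses_of_record = list(new_addresses)
    acct.aor_compromised = False


def run_scenario() -> dict:
    """Walk one compromised account (constructed sample) through both branches of the process."""
    t0 = datetime(2012, 11, 12, 20, 0, tzinfo=timezone.utc)
    acct = Account("faculty1", ["faculty1@example.net"])
    acct.set_password("phished-password")
    lock_on_compromise(acct)
    old_credential_rejected = not verify_password(acct, "phished-password")
    token, deliver_to = issue_reset_token(acct, now=t0)
    redeem_reset_token(acct, token, "fresh-password", now=t0 + timedelta(minutes=5))
    new_credential_accepted = verify_password(acct, "fresh-password")
    try:
        redeem_reset_token(acct, token, "another", now=t0 + timedelta(minutes=6))
        replay_blocked = False
    except RecoveryError:
        replay_blocked = True
    # Second incident: the addresses of record are believed compromised as well.
    lock_on_compromise(acct, addresses_also_compromised=True)
    try:
        issue_reset_token(acct, now=t0)
        proofing_required = False
    except RecoveryError:
        proofing_required = True
    complete_in_person_proofing(acct, ["faculty1-new@example.net"])
    _, deliver_to_after = issue_reset_token(acct, now=t0)
    return {"old_credential_rejected": old_credential_rejected, "delivered_to": deliver_to,
            "new_credential_accepted": new_credential_accepted, "replay_blocked": replay_blocked,
            "proofing_required": proofing_required, "delivered_to_after_proofing": deliver_to_after}


if __name__ == "__main__":
    print(run_scenario())
```

The two checks worth noticing are that `verify_password` refuses a locked account before it even looks at the password, so the compromised credential cannot be used to drive its own reset, and that `issue_reset_token` refuses outright when the addresses of record are flagged, so the only way back is the proofing step rather than a weaker delivery channel.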


