- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] last question
- Date: Mon, 12 Nov 2012 14:54:05 -0600
- Accept-language: en-US
Yep. We had not discussed SMS but we are looking at external email. We also
allow users to reset their own password if they can authenticate with their
InCommon certificate.
-----Original Message-----
From: On Behalf Of David Langenberg
Sent: Monday, November 12, 2012 2:52 PM
To:
Subject: Re: [Assurance] last question
Addresses of Record here are either an external email address or SMS-capable
US phone number. They are managed by the user themselves.
Dave
On Mon, Nov 12, 2012 at 1:46 PM, Jones, Mark B <> wrote:
> What do you use for address of record?
>
> What you describe sounds similar to one of the plans we have discussed.
>
> -----Original Message-----
> From: On Behalf Of David Langenberg
> Sent: Monday, November 12, 2012 2:29 PM
> To:
> Subject: Re: [Assurance] last question
>
> Over here, what would happen in that case is each account would be locked.
> Then upon the faculty member contacting IT Security, Support, or our
> Identification and Privileges office and receiving any required education
> (i.e. don't reply to phishing email), the authorized support person will
> initiate a process which will send a one-time-use password to the faculty
> member's address(es) of record, which will enable them to reset their
> password. If IT Security believed that the addresses of record were also
> compromised, then the faculty member would be required to follow the in-person
> proofing steps again.
>
> Dave
>
> On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau <> wrote:
>> So, how does this work out for you in actual practice in a university
>> setting?
>>
>> For instance, a compromise of several dozen faculty members. Do you send
>> out a team to re-silver-credential? What about a bigger compromise, say
>> several hundred?
>>
>> -----Original Message-----
>> From: On Behalf Of Jones, Mark B
>> Sent: Monday, November 12, 2012 2:28 PM
>> To:
>> Subject: RE: [Assurance] last question
>>
>> My opinion is that a 'reset' password should be issued with the same
>> procedure as the 'initial' password. This may be the same point Tom was
>> making.
>>
>> If a password needs to be reset, what you are saying is that the person
>> that owns the account is no longer in control of the account. This is the
>> same state as when the account was new and the owner did not yet know the
>> password.
>>
>> -----Original Message-----
>> From: On Behalf Of Tom Scavo
>> Sent: Monday, November 12, 2012 1:21 PM
>> To:
>> Subject: Re: [Assurance] last question
>>
>>> If a Silver credential is compromised, can or should it be reset
>>> using the compromised credential
>>
>> If a credential is compromised, it needs to be revoked ASAP, that is, it
>> should no longer be recognized as a valid authenticator.
>>
>>> and/ or by answering security questions?
>>
>> I don't believe the IAP gives guidance in the area of password reset
>> (which is what I think you're asking about) so let me give my opinion
>> FWIW. A password is only as strong as the password reset mechanism that
>> goes along with it. Recent events on the open Internet have clearly
>> demonstrated that the Bad Guy, when confronted with a strong
>> authenticator, turns his/her attention to the password reset process using
>> social engineering tactics.
>>
>> Tom
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago
--
David Langenberg
Identity & Access Management
The University of Chicago
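The lockout-then-reset flow David describes (lock on compromise, support-issued one-time password to the addresses of record, in-person proofing if those addresses are also suspect), as a constructed Python model added here; it is not any university's own code, and the 15-minute OTP lifetime and the three account states are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the recovery flow in the thread, not a real system:
# revoke the credential by locking, let support issue a one-time password to
# the addresses of record, fall back to in-person proofing when they are suspect.
OTP_TTL_SECONDS = 15 * 60  # assumed validity window; the thread states none

@dataclass
class Account:
    username: str
    addresses_of_record: List[str]      # external email / SMS numbers, user-managed
    state: str = "active"               # active | locked | needs_inperson_proofing
    otp_hash: Optional[bytes] = None    # only a hash of the OTP is kept server-side
    otp_expires: float = 0.0

def lock_on_compromise(acct: Account) -> None:
    """Revoke the compromised credential: the old password stops working now."""
    acct.state = "locked"
    acct.otp_hash = None

def issue_reset_otp(acct: Account, addresses_compromised: bool, now: float) -> Optional[str]:
    """Support-initiated step: returns the OTP to deliver out of band, or None if proofing is needed."""
    if acct.state != "locked":
        raise ValueError("a reset starts only from a locked account")
    if addresses_compromised or not acct.addresses_of_record:
        acct.state = "needs_inperson_proofing"   # addresses of record cannot be trusted
        return None
    otp = secrets.token_urlsafe(16)
    acct.otp_hash = hashlib.sha256(otp.encode()).digest()
    acct.otp_expires = now + OTP_TTL_SECONDS
    return otp

def redeem_otp(acct: Account, presented: str, now: float) -> bool:
    """Single-use and time-limited: a valid OTP unlocks the account for a password set."""
    if acct.state != "locked" or acct.otp_hash is None:
        return False
    if now > acct.otp_expires:
        acct.otp_hash = None           # expired: support must issue a fresh one
        return False
    digest = hashlib.sha256(presented.encode()).digest()
    if not hmac.compare_digest(digest, acct.otp_hash):
        return False                   # wrong value; token stays until expiry
    acct.otp_hash = None               # consumed: the same OTP cannot be replayed
    acct.state = "active"
    return True
```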