Re: [Assurance] Password reset process: Flogging the dead horse


  • From: David Langenberg <>
  • To:
  • Subject: Re: [Assurance] Password reset process: Flogging the dead horse
  • Date: Wed, 7 Aug 2013 17:48:04 -0600

On Wed, Aug 7, 2013 at 5:31 PM, Eric Goodman <> wrote:

> The above process is exactly what UChicago has submitted to our auditors
> for InCommon Silver.  Though we offer delivery of the secret over SMS
> in addition to email.

Thanks, and yes for purposes of this question, I’d think email, SMS and snail mail are roughly equivalent.


We also discussed whether calling a pre-registered phone number directly and talking to the individual would count, and similarly if the incoming caller ID number matching a pre-registered number would suffice (i.e., if I call from my registered number and say “give me a temporary password”, could the help desk just do so based on having validated your registered phone number?)


Calling a pre-registered number & having an automated robot give the secret IMO would be ok.  Having the individual call from a pre-registered number, that'd only work IMO if they're calling an automated system.  Calling the help-desk to get the secret is not, in my opinion, ok.  Doing so invalidates the secret, as once the help-desk person can see the secret it's no longer secret.  Allowing such a practice would effectively give each help-desk person the ability to take over any Silver'd individual's account just by initiating a password reset + leveraging the admin account management screens.

In our system, if IT Security locks a silver user for compromised credentials, the individual does have to call the help-desk to get the appropriate re-training (don't give password to phishers); however, all the helpdesk can do at that point is push a button which will transmit the secret to the pre-registered addresses of record.

Dave

--
David Langenberg
Identity & Access Management
The University of Chicago
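As an added illustration (not code from the thread, from InCommon, or from any UChicago system), the following Python model shows the control the message describes: a help-desk operator can only trigger delivery of a one-time secret to the user's pre-registered addresses of record, the cleartext secret is never returned to the operator, the server keeps only a hash of it, and the secret is single-use and time-limited. The class and function names, the 15-minute validity window, the injected delivery callback and the sample addresses are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption for the example: a reset secret is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    """Server-side state for one pending reset: only a hash of the secret is kept."""
    token_hash: str
    expires_at: float
    used: bool = False


class ResetService:
    """Hypothetical reset service modelling the 'push a button' control.

    addresses_of_record: {username: [address, ...]} registered before any incident.
    deliver(address, secret): the out-of-band channel (email/SMS); injected so the
    flow can be exercised offline.  now(): clock, injected so expiry is testable.
    """

    def __init__(self, addresses_of_record, deliver, now=time.time):
        self._addresses = addresses_of_record
        self._deliver = deliver
        self._now = now
        self._pending = {}      # username -> ResetRecord
        self.audit_log = []     # who triggered what, and how many deliveries went out

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def helpdesk_trigger_reset(self, operator, username):
        """Operator action.  Generates the secret and sends it to addresses of record.

        Returns only the number of deliveries made; the secret never leaves this
        method, so the operator cannot learn it from the result or from storage.
        """
        addresses = self._addresses.get(username)
        if not addresses:
            # No pre-registered channel: nothing to deliver to, so refuse rather
            # than hand the operator a secret to relay by voice.
            raise ValueError("no address of record for %s" % username)
        secret = secrets.token_urlsafe(32)
        self._pending[username] = ResetRecord(
            token_hash=self._hash(secret),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        for address in addresses:
            self._deliver(address, secret)
        self.audit_log.append({
            "event": "reset_triggered",
            "operator": operator,
            "user": username,
            "deliveries": len(addresses),
        })
        return len(addresses)

    def redeem(self, username, presented):
        """User action.  True if the presented secret authorises a credential change.

        Rejects unknown users, already-used secrets, expired secrets and mismatches;
        the comparison is constant-time.  Updating the credential itself is left to
        the caller once this returns True.
        """
        record = self._pending.get(username)
        if record is None or record.used or self._now() > record.expires_at:
            return False
        if not hmac.compare_digest(record.token_hash, self._hash(presented)):
            return False
        record.used = True
        return True


if __name__ == "__main__":
    # Constructed sample: one user with an email and an SMS number on record.
    outbox = []
    svc = ResetService(
        {"alice": ["alice@example.edu", "+1-555-555-0100"]},
        deliver=lambda address, secret: outbox.append((address, secret)),
    )
    sent = svc.helpdesk_trigger_reset("helpdesk-op-1", "alice")
    print("deliveries made:", sent)
    print("redeem with delivered secret:", svc.redeem("alice", outbox[0][1]))
    print("redeem again (single use):", svc.redeem("alice", outbox[0][1]))
```

The operator-facing method deliberately returns a count rather than the token, and the audit entry records who pressed the button and how many channels were used, which is what an assessor would look for when checking that help-desk staff cannot take over an account through the reset path.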
