
assurance - Re: [Assurance] Password reset process: Flogging the dead horse

Subject: Assurance

  • From: David Langenberg
  • Subject: Re: [Assurance] Password reset process: Flogging the dead horse
  • Date: Thu, 8 Aug 2013 08:03:19 -0600

You could exclude the use of on-campus phones for this purpose and use the same registration methods you used for SMS. That should narrow down the shared-use phone scenarios to just the home.

Dave

On Thursday, August 8, 2013, Jones, Mark B wrote:

I don’t like the phone options as it is too easy for someone to access your phone. For instance, my supervisor is out of his office more than he is in. There is no password on his phone. Also, he is not the only person that is expected to answer his phone.

> The above process is exactly what UChicago has submitted to our auditors
> for InCommon Silver.  Though we offer delivery of the secret over SMS
> in addition to email.

Thanks, and yes for purposes of this question, I’d think email, SMS and snail mail are roughly equivalent.

We also discussed whether calling a pre-registered phone number directly and talking to the individual would count, and similarly if the incoming caller ID number matching a pre-registered number would suffice (i.e., if I call from my registered number and say “give me a temporary password”, could the help desk just do so based on having validated your registered phone number?)

--- Eric



--
David Langenberg
Identity & Access Management
The University of Chicago



