Assurance

[David Langenberg <>]

 You could exclude the use of on-campus phones for this purpose and use the same registration methods you used for SMS. That should narrow down the shared use phone scenarios to just the home.

Dave

On Thursday, August 8, 2013, Jones, Mark B wrote:

I don’t like the phone options as it is too easy for someone to access your phone.  For instance, my supervisor is out of his office more than he is in.  There is no password on his phone.  Also, he is not the only person that is expected to answer his phone.

 

From: [mailto:] On Behalf Of Eric Goodman
Sent: Wednesday, August 07, 2013 6:31 PM
To:
Subject: RE: [Assurance] Password reset process: Flogging the dead horse

 

 

> The above process is exactly what UChicago has submitted to our auditors

> for InCommon Silver.  Though we offer delivery of the secret over SMS

> in addition to email.

 

Thanks, and yes for purposes of this question, I’d think email, SMS and snail mail are roughly equivalent.

 

We also discussed whether calling a pre-registered phone number directly and talking to the individual would count, and similarly if the incoming caller ID number matching a pre-registered number would suffice (i.e., if I call from my registered number and say “give me a temporary password”, could the help desk just do so based on having validated your registered phone number?)

 

--- Eric

-- 
David Langenberg

Identity & Access Management

The University of Chicago