Identity and Access Management (IAM) update

This is what we decided as the Identity and Access Management group. We were told to present the results to our departments to make sure there were not any glaring problems that need to be addressed.

Resetting password through Challenge/Response online

  •      Users will write 3 questions themselves and supply the answers. The answers need to be a minimum of 9 characters. We will not be able to see these questions or their responses. I didn’t like the 9-character minimum, but only 1 other person shared this concern.
  •      When someone attempts to use the challenge system to reset their password, the user’s official and 3rd-party email addresses will get a notification that there was a successful or unsuccessful attempt.
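As an added example (not code from the IAM group or from Curion), the following Python shows one way to hold challenge answers so that nobody with database access can read them, while enforcing the 9-character minimum and recording the success/failure notification described above. The class and function names, the PBKDF2 parameters and the sample questions are assumptions for illustration.

```python
"""Challenge/response answer store (added example, hypothetical names).

Only a salted slow hash of each normalised answer is kept, so administrators
cannot see the responses; the 9-character minimum is enforced at enrolment
and every verification attempt is logged as a notification event.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

MIN_ANSWER_LEN = 9
PBKDF2_ROUNDS = 200_000  # assumed work factor; answers have far less entropy than passwords


def normalize(answer: str) -> str:
    """Canonicalise case, Unicode form and spacing so trivial differences
    do not lock the user out while the comparison stays exact."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). The cleartext answer is never stored."""
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        raise ValueError(f"answer must be at least {MIN_ANSWER_LEN} characters")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ChallengeStore:
    def __init__(self):
        self.records = {}        # uin -> [(question, salt, digest), ...]
        self.notifications = []  # (uin, outcome) to send to official + 3rd-party mail

    def enroll(self, uin: str, qa_pairs) -> None:
        """Store three user-written questions with hashed answers."""
        if len(qa_pairs) != 3:
            raise ValueError("exactly three questions are required")
        self.records[uin] = [(q, *hash_answer(a)) for q, a in qa_pairs]

    def questions(self, uin: str):
        """Questions are shown to the user; answers never are."""
        return [q for q, _, _ in self.records[uin]]

    def verify(self, uin: str, answers) -> bool:
        """All three answers must match; every attempt produces a notification."""
        stored = self.records.get(uin, [])
        ok = len(answers) == len(stored) == 3
        for (_, salt, digest), given in zip(stored, answers):
            try:
                _, candidate = hash_answer(given, salt)
            except ValueError:       # too short to have ever been enrolled
                ok = False
                continue
            ok &= hmac.compare_digest(digest, candidate)  # constant-time compare
        self.notifications.append((uin, "success" if ok else "failure"))
        return ok
```

Because the answers are normalised before hashing, "Lincoln  Elementary" and "lincoln elementary" are the same answer, which is the main usability cost of hashing them instead of storing cleartext; the helpdesk cannot judge a "close enough" answer, the system must match exactly.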

Resetting password through 3rd party Email

Users would identify themselves with their UIN and 3rd-party email address. The address must have been supplied during profile creation, or this option will not be available. The 3rd-party address receives an email with a link, valid for 4 hours or a single use, that takes them to the password-reset part of the workflow.
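The flow above, as an added example in Python (not the group's or Curion's implementation): a reset link is issued only when the UIN and the 3rd-party address match what was registered at profile creation, it stops working after 4 hours or after its first use, and the server keeps only a hash of the token so a copy of the table cannot be turned into working links. The service name, the URL and the sample profiles are assumptions.

```python
"""Single-use, time-limited reset link for the 3rd-party e-mail flow.

Added example with hypothetical names. The clock is injectable so the
4-hour expiry can be exercised without waiting.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

LINK_LIFETIME_S = 4 * 60 * 60  # "good for 4 hours"


@dataclass
class PendingReset:
    uin: str
    expires_at: float
    used: bool = False


class ResetLinkService:
    def __init__(self, profiles, clock=time.time):
        # profiles: uin -> 3rd-party address supplied at profile creation, or None
        self.profiles = profiles
        self.clock = clock
        self.pending = {}   # sha256(token) -> PendingReset; cleartext token is never stored
        self.outbox = []    # (address, url) constructed mail, never actually sent

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request(self, uin: str, email: str) -> bool:
        """Issue a link only if UIN and address match a registered profile.
        Callers should show the same 'check your mail' message either way."""
        registered = self.profiles.get(uin)
        if registered is None or registered.casefold() != email.strip().casefold():
            return False
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self.pending[self._hash(token)] = PendingReset(uin, self.clock() + LINK_LIFETIME_S)
        self.outbox.append((registered, f"https://reset.example/pw?token={token}"))
        return True

    def redeem(self, token: str):
        """Return the UIN whose password may now be reset, or None.
        A valid token is consumed on first use ("or 1 use")."""
        rec = self.pending.get(self._hash(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        return rec.uin
```

Note that `request` returns False both for an unknown UIN and for a mismatched address; the web page should not distinguish the two, or the form becomes a way to confirm which UINs have a 3rd-party address on file.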

Regarding privileged accounts

Privileged accounts will not be among the accounts that can be reset in Curion (so no adm or service accounts).

Resetting passwords over the phone

This is the area where there is the greatest contention. Originally it was proposed that this service not be provided, but CITES and I both argued for it, and the security team is going to look into this again. If there is a black-and-white guideline for what the helpdesk should say and try, Chicago’s helpdesk would not be opposed to offering this service (UIC currently does not offer phone support for passwords). Apparently there is no good way to harvest data from Enterprise to help confirm the identity of the caller. As such, we are gathering 1 question from the user that is to be used by Helpdesk staff only to assist in password recovery. The security group would like this ability to be limited to a small group of full-time staff only (not students) in each location.

The ideas of proxies, or of a call-back number that could be supplied, were proposed, but the call-back number suffers the same problem as 3rd-party emails (we can’t require them), and time sensitivity may prevent the user from waiting for a proxy to be available (also, students wouldn’t have proxies).

If anyone has any concerns let me know.
Josh

3 thoughts on “Identity and Access Management (IAM) update”

  1. Kara McElwrath

    I also have concerns about the 9 character requirement for answers to the security questions. That seems excessive and an unnecessary barrier for users trying to come up with questions and answers that they can remember.

    And I would like to see us be able to continue offering phone support, particularly for our emeriti faculty.

  2. Bill

    Couldn’t a secure phone number be established in the creation of the profile? The caller could be asked that number as part of the security screening process. The phone number is displayed on incoming calls to the help desk. Couldn’t we use the combination for verification?

    I agree that the emeriti faculty phone support is essential.

  3. Zach Logsdon

    I think the 9 character answers for security questions are pretty stringent. While a character minimum for passwords is a must, most people’s security questions are going to consist of answers that are names, objects, or places that will frequently be less than 9 characters.
