Author Archives: Josh

Identity and Access Management (IAM) update

This is what we decided as the Identity and Access Management group. We were told to present the results to our departments to make sure there were not any glaring problems that need to be addressed.

Resetting password through Challenge/Response online

  • Users will write 3 questions themselves and supply answers. The answers need to be a minimum of 9 characters. We will not be able to see these questions or their responses. I didn’t like the 9 character minimum, but only 1 other person shared this concern.
  • When someone attempts to use the challenge system to reset their password, the user’s official and 3rd party email addresses will get a notification that there was a successful or unsuccessful attempt.

Resetting password through 3rd party Email

Users would identify themselves with their UIN and 3rd party email address. The address would need to have been supplied during profile creation or this option would not be available. The 3rd party email address will get an email with a link that is good for 4 hours or 1 use that will take them to the password reset part of the workflow.

Regarding privileged accounts

Privileged accounts are not going to be a part of the accounts that can be reset in Curion (so no adm or service accounts).

Resetting passwords over the phone

This is the area where there is the greatest contention. Originally it was proposed that this service not be provided, but CITES and I both argued for this service and the security team is going to look back into this. If there is a black and white guideline for what the helpdesk should say/try, Chicago’s helpdesk would not be opposed to offering this service (UIC currently does not offer phone services for passwords). Apparently there is no good way to harvest data from Enterprise to help confirm the identity of the caller. As such, we are gathering 1 question from the user that is to be used by Helpdesk staff only to assist in password recovery. The security group would like this ability to be limited to a small group of full-time staff only (not students) in each location.

The ideas of proxies or having a call back number that could be supplied were proposed, but the call back number suffers the same problem as 3rd party emails (we can’t require them) and time sensitivity may prevent the user from waiting for a proxy to be available (also students wouldn’t have proxies).

If anyone has any concerns let me know.
Josh
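The 3rd party email reset link described above (good for 4 hours or 1 use, only for an address supplied at profile creation) can be sketched as follows. This is an added example, not code from the IAM group or from Curion; the class name, method names, sample UINs, and the rule that a new request cancels an older link are all assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 4 * 60 * 60  # the link is "good for 4 hours"

class ResetLinkStore:
    """Hypothetical in-memory stand-in for the table of outstanding reset links."""

    def __init__(self, profiles):
        # profiles: UIN -> 3rd party email supplied at profile creation (or None)
        self._profiles = profiles
        self._pending = {}  # sha256(token) -> (uin, expires_at)

    def request_link(self, uin, email, now=None):
        """Return a token to e-mail, or None when the option is not available."""
        now = time.time() if now is None else now
        on_file = self._profiles.get(uin)
        # No address on file, or a mismatch: no link is issued. The caller should
        # answer identically in both cases so the form confirms no UIN/email pair.
        if not on_file or not secrets.compare_digest(
            on_file.lower().encode(), email.strip().lower().encode()
        ):
            return None
        # Assumption (not in the post): a new request cancels older links.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != uin}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (uin, now + LINK_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the UIN for a valid token; the token is consumed either way."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # "1 use"
        if entry is None:
            return None
        uin, expires_at = entry
        return uin if now <= expires_at else None

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

if __name__ == "__main__":
    # Constructed sample profile; the UIN and address are made up.
    store = ResetLinkStore({"650000001": "user@example.org"})
    tok = store.request_link("650000001", "user@example.org")
    print(store.redeem(tok), store.redeem(tok))
```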

UIS EM

As many of you may know, I have been working with the other campus on trying out two Endpoint Management systems. The IBM EM (formerly Bigfix) is up and running, and if you would like to be a part of the testing process there is a download on our software share to get the client (\\uisdata1\Stayout$\Bigfix).

Also in that directory is a “big fix – 2012” folder with a text file that contains instructions for both Windows and Mac. If you have any questions about EM let me know.

Josh

AT&T Outage

Users on the AT&T network cannot access UIS resources (www.uis.edu, bb.uis.edu, etc). This outage seems to affect both LAN lines and Mobile networks and is a problem on their end (nothing we can do).