
For those of you who have self service password reset tools, do you maintain a list of users who are excluded from using the tool?  If so, how did you go about establishing your criteria?  

Shawn
-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----

Comments

Message from adamschumacher@creighton.edu

Maybe I am missing something obvious, but why would you want to exclude users from being able to reset their own password? Our self-service requires "multi-factor" authentication (answer security questions & access to external email account or cell phone), and unless the user has not provided the required information (or doesn't remember what it was), she should be able to reset the password. We encourage this as much as possible, as it reduces the load on the HD. Even if the customer calls the help desk and needs some kind of manual intervention (forgot answers, never set it up, etc), they will walk her through setting up and using the self-service tools so that next time maybe she will not need to call.

::Adam

Excellent point Adam.  The particular case we were considering with this question was our high level people (provost, president, etc).  Namely, what would happen if someone were able to answer the challenge questions and take over their account.  How much damage could be caused in such an instance.  Granted, the likelihood of that happening is very low, but still...

I wanted to ask the question to determine if we were being overzealous on this particular point.  Thanks!

Shawn

-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----



Message from adamschumacher@creighton.edu

That is why we went with the two factor approach, to mitigate against a guessing attack. Most everyone has at least either a cell phone or a second email address. Of course, if they've used the same easily guessed questions for their external email password reset....

::Adam

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Shawn Kohrman
> Sent: Thursday, July 05, 2012 17:47
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Self Service Password Reset
>
> Excellent point Adam. The particular case we were considering with this
> question was our high level people (provost, president, etc). Namely, what
> would happen if someone were able to answer the challenge questions and
> take over their account. How much damage could be caused in such an
> instance. Granted, the likelihood of that happening is very low, but still...
>
> I wanted to ask the question to determine if we were being overzealous on
> this particular point. Thanks!
>
> Shawn
>
> -----
> Shawn A. Kohrman, Security Architect
>
> Azusa Pacific University
> Information & Media Technology
> 901 E. Alosta Ave., PO Box 7000
> Azusa, CA 91702-7000
>
> P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
> -----

We use People Password.  Users are basically on or off in the People Password system based on Active Directory OU's.  If other products work in a similar way, I suppose you could just put these particular users in their own OU to exclude them from your password reset system, right?

Best,
Brady Gallese
Susquehanna University


On Jul 5, 2012, at 6:47 PM, Shawn Kohrman wrote:

Excellent point Adam.  The particular case we were considering with this question was our high level people (provost, president, etc).  Namely, what would happen if someone were able to answer the challenge questions and take over their account.  How much damage could be caused in such an instance.  Granted, the likelihood of that happening is very low, but still...

I wanted to ask the question to determine if we were being overzealous on this particular point.  Thanks!

Shawn

-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----



We have certain accounts in which the password can't be reset via SSPR. Most higher level accounts (admin/service accts/etc) are excluded from the password reset utility and must be reset "from the inside." Otherwise, SSPR works well as we have an "opt in" approach and educate users on why they should participate. Our Help Desk assists users as Adam mentions below, but they first confirm identity via impromptu challenge questions from our SIS.

Bob

Shawn,

In our plans for a Fall go-live, the mechanisms people are allowed to use to reset a password are based on the risks associated with their accounts. The current working model is to assign a risk score between 1 and 50 to an account or role. We're actually only using 10,20,...50 but we wanted the extra space to allow for more granularity in the future.

Authentication options for password reset include:
- secret question/answer (KBA)
- third party email OTP
- cellphone OTP

Future options providing more possible choices:
- 2-factor tokens
- Certificates
- some of the fallback methods we're contemplating for the primary KBA/Email/Cell recovery:
  - webcam
  - supervisor vouch

Ways account risk may affect the reset process:
- The type of required authentication may vary with the risk associated with the account.
- The number of required authenticators may vary with the risk associated with the account.
- Required authenticators may vary depending on whether a person is on or off campus.
- Required authenticators may vary depending upon whether the device being used has been used by the person in the past.

Accounts associated with the highest risks, for example IT accounts with high privileges across a range of systems, would not be able to perform a reset from off-campus at all.

Secret questions are poor passwords subject to social engineering attacks as we've all seen in the news. A password protecting personal third party email, which may be tied to youtube, maps, facebook, and who knows what else, used from who knows what type of computing devices and stored/cached on them, isn't particularly trustworthy. Cellphones provide a little more security. But for the handful of people who could compromise an entire IT infrastructure, I believe that the convenience to an individual of password reset is overridden by potential losses to the organization and its constituents should such an account become compromised.

Shawn Kohrman wrote:
> For those of you who have self service password reset tools, do you
> maintain a list of users who are excluded from using the tool? If so, how
> did you go about establishing your criteria?
>
> Shawn
> -----
> Shawn A. Kohrman, Security Architect
>
> Azusa Pacific University
> Information & Media Technology
> 901 E. Alosta Ave., PO Box 7000
> Azusa, CA 91702-7000
>
> P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
> -----

--
Gary Flynn
Security Engineer
James Madison University
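
Added example, not part of the original thread and not any poster's actual system: a sketch of the risk-tiered reset model described in the message above, where an account's risk score (10 to 50) and the request context decide which authenticators count and how many are needed. The tier table, the step-up rule and all names are assumptions made up for illustration; the thread gives only the factors, not the mapping.

```python
"""Risk-tiered self-service password reset policy (illustrative sketch)."""
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    KBA = "secret question/answer"
    EMAIL_OTP = "third party email OTP"
    CELL_OTP = "cellphone OTP"


ALL = frozenset(Method)
OTP_ONLY = frozenset({Method.EMAIL_OTP, Method.CELL_OTP})


@dataclass(frozen=True)
class Tier:
    base_count: int        # authenticators needed on campus, on a known device
    acceptable: frozenset  # authenticator types that count at this tier
    step_up: int           # extra authenticators per adverse context signal
    on_campus_only: bool = False


# ASSUMPTION: tier contents are constructed for this example. Only the score
# scale (10..50) and the "no off-campus reset for the highest risk" rule
# come from the message; the rest is one possible mapping.
POLICY = {
    10: Tier(1, ALL, 0),
    20: Tier(1, OTP_ONLY, 0),
    30: Tier(1, OTP_ONLY, 1),
    40: Tier(2, OTP_ONLY, 1),
    50: Tier(2, OTP_ONLY, 1, on_campus_only=True),
}


@dataclass(frozen=True)
class ResetRequest:
    risk_score: int      # score assigned to the account or role
    on_campus: bool      # request originates from the campus network
    known_device: bool   # device has been used by this person before
    enrolled: frozenset  # Methods the person has registered


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required_count: int
    usable: frozenset    # enrolled methods that are acceptable at this tier
    reason: str


def evaluate(req):
    """Decide whether self-service reset is offered and what it requires."""
    tier = POLICY.get(req.risk_score)
    if tier is None:
        # Fail closed: an unscored account never falls through to a default.
        raise ValueError(f"unknown risk score: {req.risk_score}")
    if tier.on_campus_only and not req.on_campus:
        return Decision(False, 0, frozenset(),
                        "off-campus reset not permitted for this account")
    # Each adverse signal (off campus, unrecognised device) adds step_up.
    adverse = (not req.on_campus) + (not req.known_device)
    required = tier.base_count + tier.step_up * adverse
    usable = tier.acceptable & req.enrolled
    if len(usable) < required:
        return Decision(False, required, usable,
                        "insufficient acceptable authenticators; manual reset required")
    return Decision(True, required, usable, "self-service reset permitted")


def reset_permitted(req, verified):
    """True only if enough acceptable, enrolled methods were actually verified."""
    decision = evaluate(req)
    passed = decision.usable & frozenset(verified)
    return decision.allowed and len(passed) >= decision.required_count
```

Denials carry a reason so the portal can route the person to the help desk or an inside reset instead of silently failing.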

I know the vendor that we use for Password Reset does recommend that you specifically block IT Staff accounts from enrollment via the system (particularly privileged accounts). Depending upon how you are set up, one reason to block some accounts, for example, is if you cannot easily control whether those with Help Desk administrative reset capability, for example, perhaps students, can potentially reset privileged accounts or executive accounts and potentially access data privileged information. Of course, there are ways to properly manage this in some systems, such as Active Directory, but sometimes directory structure is designed for several purposes that don’t always neatly fit into every neat category of business function that applications might need.

D/C

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU]
Sent: Thursday, July 05, 2012 6:38 PM
To: Dexter Caldwell; SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Self Service Password Reset
Importance: Low

 

Maybe I am missing something obvious, but why would you want to exclude users from being able to reset their own password?  Our self-service requires "multi-factor" authentication (answer security questions & access to external email account or cell phone), and unless the user has not provided the required information (or doesn't remember what it was), she should be able to reset the password.  We encourage this as much as possible, as it reduces the load on the HD.  Even if the customer calls the help desk and needs some kind of manual intervention (forgot answers, never set it up, etc), they will walk her through setting up and using the self-service tools so that next time maybe she will not need to call.

 

::Adam

 

As we move further into distance learning and remote locations, how are you handling users who forgot their password?  Do you have software in place that allows users to reset their own passwords?  Was it purchased or written in-house?  If you don’t have any software that does this, is it cost or security concerns that are presenting the biggest roadblocks?

 

 

Jason Rinne

Systems Administrator

500 E. College Street ∙ Marshall, MO 65340

P 660-831-4088 

rinnej@moval.edu



This document may contain confidential information and is intended solely for the use of the addressee. If you received it in error, please contact the sender at once and destroy the document. The document may contain information subject to restrictions of the Family Educational Rights and Privacy and the Gramm-Leach-Bliley Acts. Such information may not be disclosed or used in any fashion outside the scope of the service for which you are receiving the information.

 

Message from aperry@murraystate.edu

Now there's a question that can spider fairly quickly. Let's begin by asking "Which password?" Does your facility have consolidated credentials, such that there is one password for everything? In our case, we have consolidated identity (username), but each password can be (but most often isn't) unique. However, our central ERP system has a consolidated pane (pain?) for resetting each separate password all in one place. Resetting your ERP password requires either answering 2 security questions chosen at random from a larger pool, OR a visit to the help desk. There is the ability for remote users to receive a password reset for the ERP system via official email, but that's assuming you also remember your email password. You see how quickly this can get fairly complicated?

Our long-term goal is a simple backend solution where setting your ERP password resets all of your other passwords to the same at the same time. We already have the hooks in place since ERP resets all others. But there are licensing and political roadblocks keeping that solution from manifesting. User credentialing has long been the bane of Information Security. As Mat Honan wrote in Wired, "passwords are broken." But until alternative identification methods are more ubiquitous, they're what we have.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry@murraystate.edu

***MSU Information Systems staff will never ask for your password or other confidential information via email.***



We have recently implemented the Microsoft Forefront Identity Management (FIM) password portal and it has worked very nicely for us to provide a mechanism for users to reset their own passwords.  Part of our Google Apps for Education migration process required all users to reset their passwords.  We used this time to implement FIM, register reset questions, change passwords, and sync those passwords with Google.  In addition, the portal works well as the location Google sends users to change passwords via the Google change password links.

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara@siena.edu

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you received this e-mail and are not the intended recipient, please inform the sender by e-mail reply and destroy all copies of the original message.


How are you going to handle the news that Microsoft is pulling most of their Forefront product line?  I know they are going to provide support for a couple more years, but - it feels like they are leaving us hanging??
 
M
 
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Santabarbara, Angelo [asantabarbara@SIENA.EDU]
Sent: Monday, January 14, 2013 9:10 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Password Reset

We have recently implemented the Microsoft Forefront Identity Management (FIM) password portal and it has worked very nicely for us to provide a mechanism to for users to reset their own passwords.  Part of our Google Apps for Education migration process required all users to reset their passwords.  We used this time to implement FIM, register reset questions, change passwords, and sync those passwords with Google.  In addition, the portal works well as the location Google sends users to change passwords via the Google change password links.

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara@siena.edu



It is true that Microsoft identified and are ending support for many of the Forefront security solutions on December 31, 2015.  However, Forefront Identity Management is not impacted in any way.

From Microsoft:


It is important to note that there are no significant changes to the Forefront Identity Manager or Forefront Unified Access Gateway roadmaps.  These solutions continue to be actively developed.  Forefront UAG 2010 SP2 was released in August 2012 and Forefront Identity Manager 2010 R2 was released in June 2012.

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara@siena.edu

***Siena ITS staff will NEVER ask for your password or other confidential information via email.***



 

I’ve heard about Forefront before but haven’t seen anything official.  Do you have a link?

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Monday, January 14, 2013 11:39 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Password Reset

 

How are you going to handle the news that Microsoft is pulling most of their Forefront product line?  I know they are going to provide support for a couple more years, but - it feels like they are leaving us hanging??

 

M

 

From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Santabarbara, Angelo [asantabarbara@SIENA.EDU]
Sent: Monday, January 14, 2013 9:10 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Password Reset

We have recently implemented the Microsoft Forefront Identity Management (FIM) password portal and it has worked very nicely for us to provide a mechanism to for users to reset their own passwords.  Part of our Google Apps for Education migration process required all users to reset their passwords.  We used this time to implement FIM, register reset questions, change passwords, and sync those passwords with Google.  In addition, the portal works well as the location Google sends users to change passwords via the Google change password links.

 

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara@siena.edu


 

http://www.microsoft.com/en-us/server-cloud/forefront/identity-manager.aspx

It was included with our Microsoft campus license so cost wise it made sense.

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara@siena.edu



I submitted the question to some Microsoft contacts and was directed to this url:

 

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

 


 

We are currently looking into purchasing a self-service password reset tool for our student population and were looking to see what other colleges and universities were using. One of the problems we hope to address by purchasing a tool will be to stop sending out student account information in the mail; our hope is that we can pre-populate answers to security questions upon admission to the school, then have students go to the portal, answer the questions and receive a “Choose new password” prompt without us needing to create an initial password.

 

Any help is greatly appreciated.

 

Bradford Moore

Network Services Coordinator

Regis College

781-768-7177

 

***Please note that no Regis College IT professional will ever ask for password or personal information via email.  Such requests are fraudulent.***

 

 

We want to do something similar using MS’s Forefront Identity Manager, but we just had a monkey-wrench thrown into the machinery.  Apparently, due to recent changes in FERPA, there are certain personally-identifiable data points (questions) that you can no longer ask students to use for password resets...??  Has anyone else run into this?

 

Thanks,

 

Michael

 

 

If this is the first time you're doing this and you're the kind of place who might be interested in using open source software, take a look at PWM (which I believe currently lives at http://code.google.com/p/pwm/).  We're no longer using it as we are now using a tool that is packaged with our identity management product, but we used it for a while and were happy with its operation.  It's not very pretty out of the box, but a good Web person can give it some love fairly quickly and it works from a mobile.

__
Amy Pearlman
Head of Support Services
Bryn Mawr College Information Services
610-526-7447
__
Bryn Mawr College Information Services will never ask you to give or send us your password, especially via email. Please keep your password private to protect your identity and the security of our network.

Find information and updates at http://is.blogs.brynmawr.edu

From: "Moore Bradford" <bradford.moore@REGISCOLLEGE.EDU>
To: ITSUPPORTSERVICES@LISTSERV.EDUCAUSE.EDU
Sent: Friday, February 28, 2014 12:38:36 PM
Subject: [ITSUPPORTSERVICES] Self Service Password Reset

We are currently looking into purchasing a self-service password reset tool for our student population and were looking to see what other colleges and universities were using. One of the problems we hope to address by purchasing a tool will be to stop sending out student account information in the mail, our hope is that we can pre-populate answers to security questions upon admission to the school, then have students go to the portal, answer the questions and receive a “Choose new password” prompt without us needing to create an initial password.

 

Any help is greatly appreciated.

 

Bradford Moore

Network Services Coordinator

Regis College

781-768-7177

 

***Please note that no Regis College IT professional will ever ask for password or personal information via email.  Such requests are fraudulent.***

 

 


We are looking at something (PortalGuard) that will allow for self-service password resets, but that isn't using security questions, but rather an out-of-band communications channel.

During application we get a cell-phone, or land-line phone number, and we then would authenticate the user using a text/voice message to that number. Effectively a token that has to be entered in to the interface.

We're not quite to the point where we *are* going to be using this system, so any feedback anybody has would be appreciated. 

Thank You


Frank,

 

PortalGuard is high on our list as well for features at a reasonable cost. We considered this with 2 factor authorization. If anyone has something similar to this I’d love to hear about it.

 

Thanks again,

 

 

Bradford Moore

Network Services Coordinator

Regis College

781-768-7177

 

***Please note that no Regis College IT professional will ever ask for password or personal information via email.  Such requests are fraudulent.***

 

 

From: The EDUCAUSE IT Support Services Constituent Group Listserv [mailto:ITSUPPORTSERVICES@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Barton
Sent: Friday, February 28, 2014 1:16 PM
To: ITSUPPORTSERVICES@LISTSERV.EDUCAUSE.EDU
Subject: Re: [ITSUPPORTSERVICES] Self Service Password Reset

 

We are looking at something (PortalGuard) that will allow for self-service password resets, but that isn't using security questions, but rather an out-of-band communications channel.

 

During application we get a cell-phone, or land-line phone number, and we then would authenticate the user using a text/voice message to that number. Effectively a token that has to be entered in to the interface.

 

We're not quite to the point where we *are* going to be using this system, so any feedback anybody has would be appreciated. 

 

Thank You

 

We built our own.  I hadn't heard about this FERPA change -- do you have a link to where that is documented?

-- Scott


I’m interested in knowing what these FERPA changes are as well, please share.

 

Thanks!

 

 

Kent Corser | Director, IT Technical and Client Operations

Main 800.755.5200   |  Fax 785.242.0182
Direct 785.248.2494  |  OU Help 855.268.4357


www.ottawa.edu | kent.corser@ottawa.edu

 

From: The EDUCAUSE IT Support Services Constituent Group Listserv [mailto:ITSUPPORTSERVICES@LISTSERV.EDUCAUSE.EDU] On Behalf Of Krajewski, Scott
Sent: Tuesday, March 04, 2014 11:22 AM
To: ITSUPPORTSERVICES@LISTSERV.EDUCAUSE.EDU
Subject: Re: [ITSUPPORTSERVICES] Self Service Password Reset

 

We built our own.  I hadn't heard about this FERPA change -- do you have a link to where that is documented?

 

-- Scott

 
