
It's been a few years since this has come up on the list, so here goes.

For various administrative reasons having nothing to do with security we need to make some big changes to our self-service password reset approach, and I'm trying to capitalize on the opportunity to improve its security at the same time. At the moment, we do what (we think) many other schools do -- provide student id number, netid (username), and date of birth, and you can reset your password. The problem with this is, of course, it was never that hard to come up with that information in the first place, and the combination of students doing more and more stuff online and the growing use of social media makes it just that much easier.

So... what other approaches are you taking?

There is of course the "pick a few security questions" approach. But it's hard to come up with a set of questions whose answers aren't trivial to guess (either because they have little if any entropy or because the answer is on Facebook). And if you do manage to come up with a set of hard questions, people can't remember what their answers were. Do you use this approach? If so, how have you addressed these problems?

We've been tossing around the idea of using something similar to the "email confirmation" links you see many forum-type websites use. In this approach, we would ask the user for some identifying information (netid, student id number, etc.) and then look up the email addresses we have on file. The user could choose any non-university email address in the list, and we would send a randomly-generated URL to that account, which the user could then click on to reset his/her password. Users for whom we have no alternative email on file (or for whom all the ones we have on file are "no good") would have to call the help desk. Does anybody use an approach like this? How well is it working (or not working)?

Any other "interesting" approaches out there?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu
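For the "email confirmation link" approach sketched in the post above, here is what the server side of the link can look like. This is an added example, not code from the original message or from The New School: the in-memory dict stands in for a database table, and the university domain list, the 15-minute lifetime and the names ResetLinkStore, choose_addresses, issue and redeem are all assumptions.

```python
"""Single-use, expiring password-reset links for the email-confirmation approach.
Added example; the store, domain list and lifetime are assumptions."""
import hashlib
import secrets
import time
from typing import Optional

UNIVERSITY_DOMAINS = {"newschool.edu"}   # assumption: never mail a link to the mailbox the reset would unlock
TOKEN_TTL_SECONDS = 15 * 60               # assumption: a link is good for 15 minutes


def _digest(raw: str) -> str:
    # Only the hash is stored: a leaked table yields nothing an attacker can paste into a URL.
    return hashlib.sha256(raw.encode()).hexdigest()


class ResetLinkStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> {"netid", "email", "expires"}

    def choose_addresses(self, addresses_on_file):
        """Addresses the user may pick from: everything on file except university ones."""
        return [a for a in addresses_on_file
                if a.rsplit("@", 1)[-1].lower() not in UNIVERSITY_DOMAINS]

    def issue(self, netid: str, email: str) -> str:
        """Return the raw token to embed in the URL the caller mails to `email`."""
        if not self.choose_addresses([email]):
            raise ValueError("reset links must go to a non-university address")
        # Issuing a new link invalidates any earlier unredeemed link for the same account.
        for key, rec in list(self._pending.items()):
            if rec["netid"] == netid:
                del self._pending[key]
        raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable or enumerable
        self._pending[_digest(raw)] = {
            "netid": netid,
            "email": email,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
        }
        return raw

    def redeem(self, raw: str) -> Optional[str]:
        """Consume a token. Returns the netid it was issued for, or None for an
        unknown, already-used or expired token."""
        rec = self._pending.pop(_digest(raw), None)   # pop: a link works exactly once
        if rec is None or self._clock() > rec["expires"]:
            return None
        return rec["netid"]
```

The reset page should accept the token only from the link (never from a form the user can retype), set the new password in the same request that redeems the token, and mail a "your password was reset" notice to every address on file, not just the one the link went to.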


Comments

Message from ryan@ryanhiebert.com

We are considering implementing something like that as well.

The two parts we are considering are account creation, and password reset.

For account creation, the new user will need to identify themselves by some meaningful combination of name, id number, social security number, and birthday. It is true that this could be done by someone other than the individual themselves, but we expect that issues that will arise from it will be able to be handled manually. Once identity is confirmed in this manner, we require them to give us a valid external email address, to which we will send a password reset link, which will activate their account.

The password reset will reuse the email functionality from the account creation process, except that the user will not be allowed to specify an email address, since one should already be on file for the user.

Users without external email addresses on file would have to call the help desk.

We haven't implemented it yet, so I can't give any feedback on how well it works.

Ryan

We use two parts similar to what Ryan described. There is account claiming and password resets. In claiming, the individual's account exists but they don't know the password. They vet themselves based on information they gave the institution in the admissions process that is now part of their student record. Currently this is used for password resets as well, but we are shifting to allowing users to set 3 security questions after the vetting process.

For resets they would now need their username and a piece of personal information, such as a birth date, and after verifying that information they see 2 of the 3 questions they chose and provided answers for. If they get them right they can reset their password. If they fail they get one more opportunity, this time with the previously unused question as one of the 2 presented. This is the last try. Success and failure messages are sent to all email addresses on record for the individual. If the individual does not have 3 security questions set they are forced back to the vetting process used for account claiming.

If an individual has elected to place a FERPA directory hold on their student record for privacy reasons, the account does not exist, or they fail to vet, the self-service interface prints a generic helpdesk contact information page that is the same for all those scenarios.

One condition with regard to the challenge/response questions is the response can not be in the challenge. So "What color is your blue car?" with the answer "blue" is not allowed for list selected questions or user provided questions. 

The helpdesks have no ability to set passwords for accounts. They can administratively set challenge/responses for an account but the user must use them to gain access to the self-service reset tool then select new challenge/responses and reset their password. 

Because the password they are trying to reset gets them access to their institutional email account, and because we distrust any email addresses they give us from other providers, sending an email with a URL or code to reset the password was not a viable option for us.

Nathan
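The two-of-three flow Nathan describes (two questions shown, one retry that must include the question not yet shown, then back to vetting) and the rule that a response may not appear in its own challenge, worked through in code. This is an added example and not the institution's system; the PBKDF2 parameters, the minimum answer length, the notice strings and the names ChallengeSet, challenge, verify and validate_pair are assumptions.

```python
"""Two-of-three challenge/response reset with one retry and a challenge-content check.
Added example; hashing parameters and names are assumptions."""
import hashlib
import hmac
import os
import random

PBKDF2_ROUNDS = 50_000   # assumption; answers are low-entropy, so a slow hash matters
MAX_ATTEMPTS = 2         # the first try, then one more that includes the unused question


def normalize(text):
    """Case- and whitespace-insensitive so 'Fido' and ' fido ' compare equal."""
    return " ".join(text.lower().split())


def validate_pair(question, answer):
    """'What color is your blue car?' / 'blue' is rejected: the response is in the challenge."""
    a = normalize(answer)
    return len(a) >= 2 and a not in normalize(question)


def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class ChallengeSet:
    def __init__(self, pairs, rng=None):
        if len(pairs) != 3:
            raise ValueError("exactly three challenge/response pairs must be enrolled")
        self._rng = rng or random.SystemRandom()
        self._entries = []   # (question, salt, hash); plaintext answers are never kept
        for question, answer in pairs:
            if not validate_pair(question, answer):
                raise ValueError(f"response may not appear in the challenge: {question!r}")
            salt = os.urandom(16)
            self._entries.append((question, salt, hash_answer(answer, salt)))
        self.failures = 0
        self.locked = False
        self._shown = None   # indices presented in the attempt in progress

    def challenge(self):
        """Return [(index, question), (index, question)] for the current attempt."""
        if self.locked:
            raise PermissionError("no attempts left; fall back to the account-claiming vetting")
        if self._shown is None:
            shown = self._rng.sample(range(3), 2)
        else:
            unused = ({0, 1, 2} - set(self._shown)).pop()
            shown = [unused, self._rng.choice(self._shown)]   # retry must include the unused one
        self._shown = shown
        return [(i, self._entries[i][0]) for i in shown]

    def verify(self, answers):
        """`answers` maps index -> text for the two questions just shown.
        Returns (success, notices); notices go to every address on record either way."""
        if self.locked:
            return False, ["self-service reset refused: locked"]
        if self._shown is None or set(answers) != set(self._shown):
            raise ValueError("answer exactly the questions that were presented")
        # Evaluate both answers (no short-circuit) with constant-time comparisons.
        results = [hmac.compare_digest(hash_answer(answers[i], self._entries[i][1]),
                                       self._entries[i][2]) for i in self._shown]
        if all(results):
            self.failures, self._shown = 0, None
            return True, ["password reset succeeded"]
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            return False, ["password reset failed",
                           "self-service reset locked; use account-claiming vetting"]
        return False, ["password reset failed"]
```

Two details worth keeping even if the rest changes: normalize answers before hashing, or users who typed "Fido" at enrollment and "fido" at reset will fail and generate help-desk calls, and keep the failure notice text identical whether one or both answers were wrong, so the page does not leak which answer an attacker got right.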

Dave,

It’s good to see others considering the progressive approach that other industries have already adopted. Security questions are fraught with problems and put the users’ accounts with other organizations at risk.

We’ve been designing and developing a system to move from password resets via answering security questions to resets via unique code sent to an alternate email address or mobile phone number via SMS. It’s entirely optional, but since we’ll be phasing out (and deleting) the security questions and answers, the next available disclosed alternative will be a physical visit to an authorized office who will require ID to be displayed. We’re bundling the new process with a change from a typical password complexity/composition policy to a 15+ character passphrase. We’re doing usability testing with a range of users right now and our pilot starts in March.

--

Steve Werby

Information Security Officer

Office of Information Security (OIS)

The University of Texas at San Antonio

We are looking at these processes, too.  I am surprised to read Steve's response about phasing out security questions and answers.  We just implemented this in 2011 and it has been very helpful.  With multiple campuses and online learning, we can't expect our constituents to visit campus.  We accept a faxed photo identity, along with other security information, and will call back with IDs and a pin reset that is forced on first login.

Account claiming - specifically providing the student ID number - is our biggest challenge.  How are you folks handling that?  We used to have a discovery web site, but we were told it wasn't FERPA compliant to display student ID like that.  Then we switched the site to email the ID, but that didn't work because the individual didn't have access to email if they hadn't set it up, and they needed the ID to set it up (catch-22).

Appreciate the discussion -
Theresa

Message from r-safian@northwestern.edu

In my mind, there’s no doubt that security Q & A’s are considered effective by both the users and the help desk team.  OTOH, from the security point of view they are a huge risk.  Especially in education.  Our constituents are too young for many questions to be effective, so things like “what street did you grow up on?” or “What was your first car?” may in fact be the street they live on, or the car they drive, now.  In addition, people choose poor questions if they can make their own.  “What color is an orange?”  The number of compromises of celebrity accounts shows just how risky these questions are.  Personally I’d love to ditch them, but, I would need something more effective, and some way to pay for it.  I’d like to see something tied to their phone.  Maybe they register their cell, and we sms them a temp password.  Not ideal, as people can be overseas, but I think it would be safer.

 


We've recently looked at a product that does use the phone to send a separate code:  Telesign (telesign.com).  Any comments from a current user out there?

Theresa

We're not using Telesign, but it reminds me of a system we use here for authentication during telephone calls.  When someone calls us and we need proof that the person is who he says he is (like wants to talk about confidential matters), we ask him to go to a certain Web page, login there, then read the one-time-use generated token.  The telephone operator then enters this on a different Web page, and it indicates which netID generated that token.  It's much more secure than asking a bunch of questions, and hoping that only the correct person can answer those questions correctly.

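The caller-verification step Kevin describes (caller logs in, reads out a generated code; the operator enters it on a second page and learns which netID generated it) has one property a practitioner should notice: a code short enough to be read over the phone is short enough to be guessed, so the operator side needs an attempt limit and concurrent codes must not collide. The following is an added example, not the university's system; code length, lifetime, the operator failure limit and the names CallerVerification, issue and lookup are assumptions.

```python
"""Spoken one-time code for authenticating a caller to an operator.
Added example; code length, lifetime and attempt limit are assumptions."""
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 120              # seconds; a spoken code should live only as long as the call step needs
OPERATOR_MAX_FAILURES = 5   # 10**6 possible codes, so wrong entries per operator must be capped


class CallerVerification:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}       # code -> (netid, expires_at)
        self._failures = {}   # operator id -> consecutive wrong entries

    def issue(self, netid):
        """Called from the caller's authenticated web session. Returns the code to read out."""
        now = self._clock()
        self._purge(now)
        # A code held by another logged-in user must not be reissued, or lookups become ambiguous.
        while True:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in self._live:
                break
        self._live[code] = (netid, now + CODE_TTL)
        return code

    def lookup(self, operator, code):
        """Called from the operator's page. Returns the netid the code belongs to, or None.
        A matching code is consumed; a wrong entry counts against the operator."""
        now = self._clock()
        self._purge(now)
        if self._failures.get(operator, 0) >= OPERATOR_MAX_FAILURES:
            return None   # operator throttled; assumption: a supervisor clears this
        entry = self._live.pop(code.strip(), None)
        if entry is None:
            self._failures[operator] = self._failures.get(operator, 0) + 1
            return None
        self._failures[operator] = 0
        return entry[0]

    def _purge(self, now):
        for code, (_, expires_at) in list(self._live.items()):
            if expires_at <= now:
                del self._live[code]
```

Because the code is generated inside an already-authenticated session, it proves "whoever is on the phone controls that login", which is exactly what the operator wants to know; it does not, by itself, help the password-reset case, where the caller by definition cannot log in.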

Message from r-safian@northwestern.edu

What happens when an account is compromised?

 


We're currently using question/answer pairs but we're implementing a new system that can support out of band email and cellphone confirmation if we choose to enable it. Lots of policy and procedure discussions remain though. We've also been talking about various fall-back scenarios when questions, cellphones, tokens, and other self-service means fail.

In the non-cyber world, we identify people by looking at their faces and identity cards. In the age of the internet and widespread webcams on almost every device, why not have a person wanting to prove their identity call the helpdesk while in front of a web cam. The helpdesk would have access to a database of peoples' pictures. The helpdesk would ask the individual to hold up their ID in front of the camera. A 'wiggle two fingers' or similar request could confirm a live image. The ID couldn't be verified as closely for tampering but I'd think the process would still be more accurate than question/answer pairs. It puts some responsibility on the helpdesk staff but they'd be doing more or less the same thing if the person was at the desk in person.

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University
Message from r-safian@northwestern.edu

> In the age of the internet and widespread webcams on almost every
> device, why not have a person wanting to prove their identity call the
> helpdesk while in front of a web cam. The helpdesk would have
> access to a database of peoples' pictures. The helpdesk would ask the
> individual to hold up their ID in front of the camera. A 'wiggle two
> fingers' or similar request could confirm a live image.

I'm not sure we're there yet. Especially if the person is not local. Imagine trying to do this at a hotel kiosk machine, where you are trying to check your email. OTOH, having it as an option seems like a reasonable idea.
We've moved away from secret questions. Google "secret question entropy" to get an idea why secret questions are falling out of favor. Our remote password recovery options are:

1. Never - the user can opt to not use remote password recovery. Yes, this means they have to show up in person. Some people like that.
2. SMS text - one time code sent to a pre-registered cell phone.
3. Voice - one time code sent to pre-registered phone.
4. Gmail - reset your password by logging into your Gmail account.
5. Yahoo - reset your password by logging into your Yahoo account.

The user can opt to get an email sent to an (separate) email address when their password is reset.

-Randy Marchany
VA Tech IT Security Office & Lab

Are you using a specific product or suite to do this? Or is this all homegrown? Have you put your whole process down on paper yet?.....(something we're struggling with - and anxious to see what others have done....and documented....) Thanks, Michael
We have a home grown system we were going to rewrite and then found that Oracle's OAAM product had a lot of the features we specified in the new design proposal, in addition to giving us a way to deploy wide-spread enhanced authentication and risk based access control options, so we're using that. We're early in the requirements validation and design phase so I don't have any documents for you.

You can see the original design proposal we were using when contemplating a rewrite of the current system at: www.jmu.edu/computing/security/info/accountmgmt.ppt
I'm not sure what the real question is here.  If the account is compromised and the villain changed the password so the account owner cannot log in, then we may lock the account if we think it's really been compromised, but require the owner to come in to get a new password (or if the owner had already set up a backup e-mail, then the person can reset the password by using a link sent to that backup e-mail account).


Message from r-safian@northwestern.edu

I was trying to figure out what happens when an account is compromised and the villain has NOT changed the password (phishing). How do you know who the account owner is if more than one person knows the password? It sounds like the answer is you make them come in.

 


If the villain has not changed the password, then how do we know the account has been compromised?  If the account owner thinks the account has been compromised, but the old password still works, then we suggest that he change the password (with the usual change password facility), and then we try to figure out who the villain is and what he did.


Phishing has tell-tale signs. Massive amounts of outbound emails from the compromised email address. Sent folder has hundreds of sent emails not generated by the actual user. User will receive NDR spam and that is enough of an annoyance to let the user know something is wrong. I am not sure what you may have within your institution to possibly alert questionable events but we do receive reports.

Holding a user accountable for responding to a Phishing site is another matter…

Thanks!

abby

 


Which Oracle OAAM product I wonder? We are currently attempting to implement Oracle's latest (sorry I don't have the version number) self service offering, the Oracle Identity Manager. It does not even come close to achieving what Oracle claims. The configuration options are very limited and the interface is poorly written. Things like questions and answers do not even line up on screen. For instance we configured the product to get users to answer 6 questions with the idea that they would be offered 3 during a reset. Earlier versions did this but the current version offers all 6 to users. We have been constantly finding major bugs in the product.

We had to compromise on so many of our password management requirements that when we finally got to test the final offering, our office recommended that we did not proceed with the rollout of the self service component. I understand that the deployment team is reasonably happy with the back end components.

My current thoughts are to implement another password reset product and tie that into Oracle's OIM. Has anyone done this or have any recommendation for self service products?

As far as questions go we utilised a student intern to come up with a set of questions that would be relevant to younger people. As part of that we test drove them to see if users could remember the answers by getting them to re-answer the questions a couple of months later. This resulted in some questions getting rewritten or dropped.

Mark
Message from chris@eng.gla.ac.uk

On Tue, 14 Feb 2012, Kevin Shalla wrote:

| If the account is compromised and the villain changed the password so
| the account owner cannot log in, then we may lock the account if we
| think it's really been compromised, but require the owner to come in to
| get a new password

Right.

| (or if the owner had already set up a backup e-mail, then the person can
| reset the password by using a link sent to that backup e-mail account).

How do you know the hacker hasn't changed the backup email address to one they control??

It seems to me the "password reset link sent to backup email" plan is fine if the user forgets their password, but perhaps should not be allowed if the account is locked due to being compromised. Here, the user needs to come in, or at least, re-authenticate themselves in some way the hacker cannot tamper with.

Chris

--
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
Message from chris@eng.gla.ac.uk

On Tue, 14 Feb 2012, randy marchany wrote:

| 1. Never - the user can opt to not use remote password recovery. Yes,
| this means they have to show up in person. Some people like that.
| 2. SMS text - one time code sent to a pre-registered cell phone.
| 3. Voice - one time code sent to pre-registered phone.
| 4. Gmail - reset your password by logging into your Gmail account.
| 5. Yahoo - reset your password by logging into your Yahoo account.

So what if the user's personal Gmail account has been compromised? (it's a personal account, so reasonable to assume it might be less well protected than the Uni email - e.g. log into personal email from insecure locations)

A hacker who knows the Gmail password can easily get straight into the Uni account, via the password reset system.

| The user can opt to get an email sent to an (separate) email address when
| their password is reset.

I guess this helps, to some degree. Or if sufficiently paranoid, they choose option (1) password recovery disabled.

--
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
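Chris's two objections above (the backup address may have been changed by whoever held the password, and a personal mailbox may itself be compromised) and Randy's opt-out and separate-notification options are all policy decisions that can be made in one place before any code is sent. The following is an added example, not any institution's code: the account record, its field names, the 7-day cooling-off period, the reason strings and the names usable_channels and reset_notices are assumptions.

```python
"""Decide which self-service recovery channels an account may use right now.
Added example; record layout, cooling-off period and reason strings are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(days=7)   # assumption: a newly registered channel is not yet trusted for recovery


@dataclass
class Channel:
    kind: str            # "email", "sms" or "voice"
    address: str
    registered_at: datetime
    verified: bool = True


@dataclass
class Account:
    netid: str
    channels: List[Channel]
    notify_addresses: List[str] = field(default_factory=list)   # separate addresses told about every reset
    self_service_enabled: bool = True                            # option 1 above: the user may opt out
    locked: bool = False                                         # set when a takeover is confirmed
    suspected_compromise_since: Optional[datetime] = None        # start of the window an attacker may have held the password


def usable_channels(acct: Account, now: datetime) -> Tuple[List[Channel], str]:
    """Channels a reset code may be sent to, plus a reason when there are none.
    An empty list means the user must re-prove identity some way an attacker cannot tamper with."""
    if not acct.self_service_enabled:
        return [], "user opted out of remote recovery"
    if acct.locked:
        return [], "account locked for compromise; in-person or help-desk vetting required"
    usable = []
    for ch in acct.channels:
        if not ch.verified:
            continue
        if now - ch.registered_at < COOLING_OFF:
            continue   # too new to trust
        if acct.suspected_compromise_since and ch.registered_at >= acct.suspected_compromise_since:
            continue   # registered while the password may have been in the wrong hands
        usable.append(ch)
    return usable, ("ok" if usable else "no recovery channel old enough to trust")


def reset_notices(acct: Account, used: Channel) -> List[str]:
    """Everyone on record except the channel just used hears about the reset, so a
    compromised personal mailbox cannot silently absorb both the link and the warning."""
    return [a for a in acct.notify_addresses if a != used.address]
```

The cooling-off check is the cheap part of Chris's point; the other half is that adding or changing a recovery channel should itself trigger a notice to the old channels, so the owner learns about a swap before it is used against them.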

Others in the thread have shared most of the issues with security questions so I won’t rehash what they’ve written. For those who are unable to come to one of our campuses, we have contingency options, but we’ve decide not to advertise those. One is for someone in the user’s chain of command (or an appropriate administrator for a student) to verify the user’s identity via the phone and provide that person a code which they’ll give to the user to reset their password. Identity verification via webcam is something we’ve discussed and will likely explore further down the road.

 

--

Steve Werby

Information Security Officer

Office of Information Security (OIS)

The University of Texas at San Antonio

 


Is anyone using Acxiom (or a similar service) to perform identity verification and authentication?  This could probably be used for self-service password reset as well.  I.e. send a one-time link to a person via email and then they have to answer 4 out of 5 questions correct in order to verify who they are to change their password.

http://www.acxiom.com/Identity-Solutions/Verification-and-Authentication/

If so, I’d be interested in hearing how it works for you.

Thanks.

Jason Youngquist, CISSP

Information Technology Security Engineer

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO  65216

(573) 875-7334

jryoungquist@ccis.edu

http://www.ccis.edu

 

Mark Borrie wrote:
> Which Oracle OAAM product I wonder? We are currently attempting to
> implement Oracle's latest (sorry I don't have the version number) self
> service offering the Oracle Identity Manager. It does not even come
> close to achieving what Oracle claims.

OIM is their provisioning product. OIM has been used in our provisioning process for a number of years. We chose not to use its self-service functionality and depend upon a custom portal for that.

OAM is their access control product, mostly for web applications. Agents on protected web resources redirect requests to the OAM server where the identity and requested URL and other parameters (e.g. IP address) are compared to policy and access granted accordingly; perhaps requiring things like 2-factor or certificate based authentication. This offers a central place for integrating such things. We will be implementing that along with OAAM.

OAAM is their "adaptive security" and risk product. Using it, a login or self-service portal can make calls to check for and initiate required authentication types based on configured policy (e.g. person X logging in from location Y on device Z attempting to perform transaction A needs OOB cellphone OTP and visual keyboard for password entry). OAAM was purchased as it provides functionality we didn't want to write in our accounts portal replacement project and adds the potential for offering enhanced authentication options to a wide audience and advanced risk based authorization decisions.

The product set that makes up their identity management related options are quite confusing. Oracle purchased all the products from different companies and they have some functionality overlap. For example, all three have some form of provisioning or enrollment capabilities. All three have some form of self-service capabilities though none met our desires out of the box. Ergo, we're developing custom login and self-service portals as the front end to OAM/OAAM/OIM.

In addition to OIM, OAM, and OAAM, the identity management set of products also includes OID, OVD, OUD, OIF, and OESSO. OMG :)

> The configuration options are very limited and the interface is poorly
> written. Things like questions and answers do not even line up on
> screen. For instance we configured the product to get users to answer
> 6 questions with the idea that they would be offered 3 during a reset.
> Earlier versions did this but the current version offers all 6 to
> users. We have been constantly finding major bugs in the product.
>
> We had to compromise on so many of our password management
> requirements that when we finally got to test the final offering, our
> office recommended that we did not proceed with the roll out of the
> self service component. I understand that the deployment team is
> reasonably happy with the back end components.
>
> My current thoughts are to implement another password reset product
> and tie that into Oracle's OIM. Has anyone done this or have any
> recommendation for self service products?
>
> As far as questions go we utilised a student intern to come up with a
> set of questions that would be relevant to younger people. As part of
> that we test drove them to see if users could remember the answers by
> getting them to re-answer the questions a couple of months later. This
> resulted in some questions getting rewritten or dropped.
>
> Mark
>
> On 15/02/2012 5:29 a.m., Gary Flynn wrote:
>> We have a home grown system we were going to rewrite and then
>> found that Oracle's OAAM product had a lot of the features
>> we specified in the new design proposal in addition to giving
>> us a way to deploy wide-spread enhanced authentication and
>> risk based access control options so we're using that. We're early
>> in the requirements validation and design phase so I don't have
>> any documents for you.
>>
>> You can see the original design proposal we were using when
>> contemplating a rewrite of the current system at:
>>
>> www.jmu.edu/computing/security/info/accountmgmt.ppt
>>
>> SCHALIP, MICHAEL wrote:
>>> Are you using a specific product or suite to do this? Or is this
>>> all homegrown? Have you put your whole process down on paper
>>> yet?.....(something we're struggling with - and anxious to see what
>>> others have done....and documented....)
>>>
>>> Thanks,
>>>
>>> Michael
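The split of duties described in the reply above (a web agent hands identity, requested URL, client IP and device to a central policy point, which either grants access, denies it, or asks the portal to initiate a stronger authentication type) can be sketched as a small policy decision engine. The code below is an added illustration for readers of this thread, not Oracle's code, not the OAM/OAAM policy model, and not anything from the posters; the rule format, factor names ("password", "oob_otp", "certificate"), group names and the campus network ranges are all constructed assumptions.

```python
"""Toy central policy decision point in the style of the agent/server split
described in the thread. Resource rules decide whether a URL may be reached
at all (default deny); risk rules add authentication factors on top, so the
caller learns which factors are still missing rather than a bare yes/no.
Rule format, factor names and networks are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed sample "on-campus" ranges; a real deployment would load these
# from configuration (192.0.2.0/24 is a documentation-only prefix).
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


@dataclass(frozen=True)
class AccessRequest:
    """What the agent forwards to the decision point for one request."""
    user: str
    groups: frozenset           # group memberships resolved from the directory
    url: str                    # requested path on the protected resource
    client_ip: str
    device_known: bool          # device fingerprint seen before for this user
    transaction: str            # e.g. "view", "password_reset"
    factors_done: frozenset     # factors already satisfied in this session


@dataclass(frozen=True)
class Rule:
    name: str
    factors: frozenset                      # factors demanded when the rule matches
    url_prefix: str = "/"
    transactions: frozenset = frozenset()   # empty means any transaction
    group: str = ""                         # empty means any user
    off_campus_only: bool = False           # match only from outside CAMPUS_NETS
    unknown_device_only: bool = False       # match only on an unseen device


def on_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def matches(rule: Rule, req: AccessRequest) -> bool:
    """Every condition set on the rule must hold for the request."""
    if not req.url.startswith(rule.url_prefix):
        return False
    if rule.transactions and req.transaction not in rule.transactions:
        return False
    if rule.group and rule.group not in req.groups:
        return False
    if rule.off_campus_only and on_campus(req.client_ip):
        return False
    if rule.unknown_device_only and req.device_known:
        return False
    return True


# Constructed sample policy. Resource rules: who may reach which URL.
RESOURCE_RULES = [
    Rule("student-portal", frozenset({"password"}), url_prefix="/portal/"),
    Rule("reset-needs-otp", frozenset({"password", "oob_otp"}),
         url_prefix="/portal/", transactions=frozenset({"password_reset"})),
    Rule("admin-console", frozenset({"password"}), url_prefix="/admin/",
         group="it-staff"),
]
# Risk rules: extra factors driven by location or device, never a grant by themselves.
RISK_RULES = [
    Rule("admin-off-campus-cert", frozenset({"certificate"}),
         url_prefix="/admin/", off_campus_only=True),
    Rule("unknown-device-otp", frozenset({"oob_otp"}), unknown_device_only=True),
]


def decide(req: AccessRequest, resource_rules=RESOURCE_RULES, risk_rules=RISK_RULES):
    """Return (verdict, missing_factors, rule_names).

    verdict is "deny" when no resource rule covers the request, "step_up" when
    some required factor has not been satisfied yet, otherwise "allow". The
    rule names are returned so the decision can be logged and audited."""
    granted = [r for r in resource_rules if matches(r, req)]
    if not granted:
        return "deny", frozenset(), ()
    fired = [r for r in risk_rules if matches(r, req)]
    required = frozenset().union(*(r.factors for r in granted + fired))
    missing = required - req.factors_done
    verdict = "step_up" if missing else "allow"
    return verdict, missing, tuple(r.name for r in granted + fired)


if __name__ == "__main__":
    student = frozenset({"students"})
    req = AccessRequest("alice", student, "/portal/reset", "10.1.2.3", True,
                        "password_reset", frozenset({"password"}))
    print(decide(req))  # step_up, missing oob_otp, rules student-portal + reset-needs-otp
```

The point of returning the missing factors rather than a bare allow/deny is that the login or self-service portal can then initiate exactly the additional authentication the policy demands, which is the call pattern the reply describes; the returned rule names give the audit trail for why a step-up was required.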