
Software Availability

The password reset application described below will be moved to production the week of November 19, 2012.

Password Reset for Site Administrators


InCommon Operations supports automated two-factor password reset for site administrators. The first factor involves an email account (“something you know”) while the second factor involves a phone (“something you have”). Watch a video demo of two-factor password reset in action.

In the future, InCommon will also require two-factor authentication on your login account itself. Together, two-factor authentication and two-factor password reset make it very difficult for a bad guy to gain control of your login credentials.

Two-factor password reset and two-factor authentication are being deployed in phases. Two-factor password reset is available now. Two-factor authentication will be available early in 2013.

When you initially registered as a site administrator, InCommon Operations verified your email address and your phone number, both of which were obtained from your Executive when your organization joined InCommon. This information is used for the purposes of two-factor password reset. It is all you need to reset your password.

If your verified email address or verified phone number changes, talk to your Executive. Only your InCommon Executive may change your contact information.

To reset your login password, sit at your verified phone location and follow these steps:

  1. To begin the password reset process, click this link: https://service1.internet2.edu/siteadmin/password_reset
  2. Enter your verified email address at the prompt.
  3. The system sends a custom link via an email message to your verified email address.
  4. Click the link in the email message to launch a secure landing page in a browser window.
  5. The system sends a five-digit PIN via an automated phone call to your verified phone number.
  6. Enter the PIN on the web page to authorize a password reset.
  7. If the password reset attempt is successful, you will receive an email notification.

Please report any problems or make suggestions for improvement by contacting admin at incommon dot org.

How It Works

The process of clicking a link in an email message is actually a type of federated login. Specifically, we implement a protocol called Simple Authentication for the Web (SAW) [1]. You have probably used a form of SAW to reset a password at one time or another; it is the most common method of password reset in existence today. By itself, however, SAW is only as strong as the email account it depends on.

The Duo Verify API is used to generate the one-time password (OTP) sent to your phone. The system sends an OTP in a recorded voice message. (Duo Verify also has the ability to send an OTP via SMS to a mobile phone but the password reset app doesn't support that yet.)

Used together, SAW and Duo Verify provide strong password reset capabilities.
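The following Python sketch is an added illustration of the reset flow described above (steps 1 through 7 and the SAW-plus-phone-PIN design in How It Works); it is not code from the InCommon password reset application or from Duo. Every name in it (ResetService, deliver_email, deliver_phone_call, the lifetimes and attempt limit) is hypothetical, and the Duo Verify voice call is replaced by a callback that records the PIN it would have spoken. It shows the controls that make the emailed link and the five-digit PIN safe to rely on: an unguessable single-use link stored only as a hash, a short lifetime on both factors, a constant-time PIN comparison, and an attempt limit.

```python
"""Two-step password reset: SAW-style emailed link, then a phone PIN.

Added illustration; not the InCommon application. All names, lifetimes and
limits are hypothetical. The real system places the call through the Duo
Verify API; here the call is a callback that records the PIN it would speak.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL = 15 * 60    # emailed link valid for 15 minutes (assumed value)
PIN_TTL = 5 * 60       # spoken PIN valid for 5 minutes (assumed value)
MAX_PIN_ATTEMPTS = 3   # wrong PINs tolerated before the request is discarded


@dataclass
class ResetRequest:
    email: str
    created: float
    link_used: bool = False
    pin: Optional[str] = None      # set only once the link has been clicked
    pin_issued: float = 0.0
    pin_attempts: int = 0


class ResetService:
    def __init__(self, directory: Dict[str, str],
                 deliver_email: Callable[[str, str], None],
                 deliver_phone_call: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.directory = directory          # verified email -> verified phone
        self.deliver_email = deliver_email
        self.deliver_phone_call = deliver_phone_call
        self.clock = clock
        self.requests: Dict[str, ResetRequest] = {}  # keyed by token digest

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the link token is stored, so a copy of this table
        # cannot be replayed as a set of valid reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def begin(self, email: str) -> None:
        """Steps 2-3: mail a single-use, unguessable link to a verified address.
        Unknown addresses are ignored silently, so the form does not reveal
        which addresses belong to site administrators."""
        if email not in self.directory:
            return
        token = secrets.token_urlsafe(32)
        self.requests[self._digest(token)] = ResetRequest(email, self.clock())
        self.deliver_email(email, "https://reset.example/landing?token=" + token)

    def land(self, token: str) -> bool:
        """Steps 4-5: the click proves control of the mailbox (the SAW factor).
        Alone that is only as strong as the email account, so it triggers the
        second factor: a five-digit PIN spoken to the verified phone."""
        req = self.requests.get(self._digest(token))
        if req is None or req.link_used or self.clock() - req.created > TOKEN_TTL:
            return False
        req.link_used = True
        req.pin = f"{secrets.randbelow(100_000):05d}"
        req.pin_issued = self.clock()
        self.deliver_phone_call(self.directory[req.email], req.pin)
        return True

    def verify_pin(self, token: str, entered: str) -> bool:
        """Steps 6-7: compare the PIN in constant time, with a lifetime and an
        attempt limit so a five-digit code cannot simply be guessed."""
        digest = self._digest(token)
        req = self.requests.get(digest)
        if req is None or req.pin is None:
            return False
        if self.clock() - req.pin_issued > PIN_TTL:
            del self.requests[digest]
            return False
        req.pin_attempts += 1
        if not hmac.compare_digest(req.pin, entered):
            if req.pin_attempts >= MAX_PIN_ATTEMPTS:
                del self.requests[digest]   # start over: new link, new PIN
            return False
        del self.requests[digest]           # success: the request is spent
        return True


if __name__ == "__main__":
    # Constructed walkthrough with in-memory "mail" and "phone" channels.
    outbox, calls = [], []
    svc = ResetService({"siteadmin@example.edu": "+1-555-0100"},
                       lambda to, link: outbox.append(link),
                       lambda number, pin: calls.append(pin))
    svc.begin("siteadmin@example.edu")
    tok = outbox[0].split("token=")[1]
    print("link accepted:", svc.land(tok))
    print("PIN accepted:", svc.verify_pin(tok, calls[0]))
```

The order of the two factors matters: the PIN is not dialled until the emailed link has been clicked, so a caller who only knows an administrator's email address cannot trigger phone calls to the verified number, and a stolen PIN is useless without the matching single-use link.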

Password Policy

Currently, every site administrator is issued a strong password for authentication purposes. If you forget or lose your login password, you can reset it yourself using the above automated process. If you are unable to reset your password for any reason, please contact us at admin at incommon dot org.

The level of assurance associated with your email password is unknown, so we have the following policy regarding your login password:

InCommon Operations Password Policy

  • Your login password SHOULD be different than your email password.

Phone Policy

Your verified phone number should not correspond to a mobile phone since mobile phones can be lost or stolen. In particular, if your verified phone number corresponds to a smartphone with email capability, and that phone is lost or stolen, a bad guy potentially has everything s/he needs to reset your login password. For this reason, we have the following policy:

InCommon Operations Phone Policy

  • It is strongly RECOMMENDED that your verified phone number correspond to an office phone with limited physical access and with no email capabilities.
  • Your verified phone number SHOULD NOT be associated with a mobile device, especially one with email capabilities.
  • If your verified phone is associated with a mobile device with email capability (which is NOT RECOMMENDED), access to the mobile device MUST be locked with a passcode.

Once we roll out two-factor authentication on your login account itself, you will be asked to provide a separate phone number for authentication purposes, preferably a smartphone number. In any case, for security purposes, the phone number used for two-factor authentication on your login account should not be the same as your verified phone number. This is yet another reason why your verified phone number should not correspond to a mobile phone.

To change your verified phone number, talk to your Executive. Only your InCommon Executive may change your contact information.

References

[1] T. W. van der Horst and K. E. Seamons, “Simple Authentication for the Web,” in Intl. Conf. on Security and Privacy in Communications Networks, 2007, pp. 473–482. http://www.ucrec.org/pubs/upload/836_van%20der%20Horst2008.pdf
