Jim Beard, University of Oregon

Lightning Talk on Password Reset

at Access Management CAMP in Philadelphia June 15, 2009

University of Oregon deployed Sun IdM in 2007.
It has 45,000 active accounts. IdM information is stored in LDAP.

Account password resets became more challenging after the implementation of Sun IdM.

People were able to get away with things before.

Previously, there was a central account clerk in charge of password resets.

Users who had lost their password, and could not retrieve or reset it through automatic methods, used to call the account clerk, and she could take care of things over the phone.
But with the new IdM system, policies were put in place, and users could no longer just get their password reset over the phone.

There was a new requirement to walk into the accounts clerk office to get a password reset.

There were complaints from folks located on the other side of campus from the account clerk. They don't want to come in.

And the university opened up a new location 40+ miles away. It has always had researchers abroad, and there is also registration in Hawaii.
In the past these were handled by fax or phone call, using credentialing agents on campus.

Very decentralized. Trying to improve.

Bring in IT professionals from around campus who are not part of central ID, and let them reset passwords.

Worked with someone at the new Portland campus.

The system is auditable: we know who is doing the resets and can track them down.

Had to think about the level of trust.

Flat permission structure: if you can change one person's password, you can change everyone's password.

Couldn't give someone access to just one department.
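The flat-structure problem above is the classic least-privilege gap in delegated password reset: the talk's IdM could only grant all-or-nothing reset rights, and the only control was the audit trail. As an added illustration that is not part of the talk and not Sun IdM's own model, the following sketch shows what a scoped delegation check looks like: each credentialing agent carries a set of departments it may reset, the target user's department is looked up (a stand-in for an LDAP attribute), and every attempt, allowed or denied, is written to an audit log so resets can be traced back to the agent. The user directory, agent names and department names are constructed.

```python
"""Added example: scoped delegation of password resets with an audit trail.
Not code from the talk or from any IdM product; all names and data are
constructed to illustrate the point."""

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed directory: user -> department (stand-in for an LDAP attribute)
USERS = {
    "astudent": "chemistry",
    "bresearcher": "physics",
    "cstaff": "portland",
}


@dataclass(frozen=True)
class Agent:
    name: str
    # Departments this agent may reset. "*" reproduces the flat model the
    # talk describes: one scope that covers every account.
    scopes: frozenset


@dataclass
class AuditEntry:
    when: str
    agent: str
    target: str
    allowed: bool
    reason: str


class ResetAuthorizer:
    """Decides whether an agent may reset a user's password and records
    every decision, so 'who did this reset' is always answerable."""

    def __init__(self, directory):
        self.directory = directory
        self.audit_log = []  # list of AuditEntry, append-only

    def authorize(self, agent: Agent, target: str) -> bool:
        dept = self.directory.get(target)
        if dept is None:
            allowed, reason = False, "unknown user"
        elif "*" in agent.scopes:
            allowed, reason = True, "campus-wide scope"
        elif dept in agent.scopes:
            allowed, reason = True, f"in-scope department {dept}"
        else:
            allowed, reason = False, f"out-of-scope department {dept}"
        # Log denials too: a burst of out-of-scope attempts is itself a signal.
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            agent=agent.name, target=target, allowed=allowed, reason=reason))
        return allowed

    def resets_by(self, agent_name: str):
        """Return the successful resets performed by one agent."""
        return [e for e in self.audit_log if e.agent == agent_name and e.allowed]


def demo():
    """Scoped Portland IT agent versus a campus-wide central clerk."""
    auth = ResetAuthorizer(USERS)
    portland_it = Agent("portland_it", frozenset({"portland"}))
    central_clerk = Agent("central_clerk", frozenset({"*"}))
    results = {
        "portland_it->cstaff": auth.authorize(portland_it, "cstaff"),
        "portland_it->astudent": auth.authorize(portland_it, "astudent"),
        "central_clerk->astudent": auth.authorize(central_clerk, "astudent"),
        "portland_it->nobody": auth.authorize(portland_it, "nobody"),
    }
    return auth, results


if __name__ == "__main__":
    auth, results = demo()
    for k, v in results.items():
        print(k, "allowed" if v else "denied")
    for e in auth.audit_log:
        print(e.when, e.agent, e.target, e.allowed, e.reason)
```

The scope check is deliberately tiny; the point is that the authorization decision and the audit record are produced in the same place, so delegating to a departmental agent narrows what they can touch without weakening the ability to trace every reset.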

Some of the challenges (rolled out 4 months ago): the on-campus credentialing agent is the dean of ? for a different school.

That person is busy helping students and is not always there for this purpose.

The Portland branch person is an IT person who is set to be there.

Q: We have a similar situation.

People are not showing up in person. A workaround we have is that users call in and share their ID number on the back of their card. That is good enough for a password reset.

A: Our account clerk can access confidential info. But students lose cards a lot. Might pick up someone else's card.
Bringing in more services, so password
Long name:

They still go in and do the new password.

A: People needing resets don't know the answers to the security questions.

Carmody: emerging InCommon bronze and silver frameworks are quite relevant.

If you have researchers who will access NSF or NIH sites, you will need to assert that their credentials are at bronze or silver level.

Any student filling out that form is going to have to be at silver. You aren't going to want to tag in LDAP that this one gets financial aid and that one doesn't.

Easy to get to silver level when it's a password issue.

But password reset is the thorny issue.

Does silver allow for anything other than in person vetting on a reset?

Yes.

Must have photo ID.

And also must have one or two bank account numbers that can be proven.
Used to have wonderful stations where you can sign in.

So we are extending beyond that.
Looking at 4 or 5 levels of assurance.