unisog


Re: [unisog] Password Reset Procedures - How do you do it? Adam Schumacher Mon Jun 08 21:00:23 2009

We have developed an in-house system that requires a person to answer
pre-defined security questions, and have access to a secondary email account
or a mobile phone capable of receiving SMS.  This provides two-factor
authentication before a user is allowed to reset their password.  This
process replaces an old one involving needing an ID card and the password
being set with last 4 of SSN.

What we are working on now is changing the processes so that accounts are
created with a random password and set to disabled until the user logs on
with a one-time password (that is given in person, or sent via USPS) and
configures his/her security questions and alternate contact info.


On 6/5/09 1:34 PM, "randy marchany" <[EMAIL PROTECTED]> wrote:

> Sorry to bother everyone as I know you have busy schedules.  I'm
> trying to do some checking on password resets.  Specifically, if a
> user forgets their password, do you allow them to answer secret
> questions and set a new password online?  Do you have specific
> procedures, policy, etc. on what occurs if a user (faculty, staff,
> student) forgets their password? If so, where can we find them online?
> Thanks.
> 
> Randy Marchany
> [EMAIL PROTECTED]
> 
> _______________________________________________
> unisog mailing list
> [EMAIL PROTECTED]
> https://lists.sans.org/mailman/listinfo/unisog

sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0

