Solution A
Assumptions
This solution assumes that we can easily gain access to IFAS data for authentication of identifiers.
Steps
- User selects the "I forgot my password" link on the udeupa login page.
- User is prompted for UID (Username), ApuIdNumber, and last four digits of social security number.
- Verify submitted data against LDAP and IFAS.
- If verification passes, the user may reset the password in accordance with the password strength policy.
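The verification step above, written out as an added example (not part of the original proposal). LDAP and IFAS are replaced by constructed in-memory dictionaries, and the function names, record layout and attempt limit are assumptions made for illustration.

```python
import hmac

# Constructed stand-ins for the two back ends; a real deployment would query
# LDAP and IFAS instead. All records and values here are made up.
LDAP = {"jdoe": {"apuIdNumber": "0012345"}}
IFAS = {"0012345": {"ssn_last4": "6789"}}

MAX_ATTEMPTS = 5   # assumed limit; the proposal does not specify one
failures = {}      # uid -> count of consecutive failed verifications


def const_eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify_reset_request(uid, apu_id, ssn_last4):
    """Return True only if all three identifiers agree across LDAP and IFAS.

    The caller gets a single boolean, so the response never reveals which
    identifier was wrong or whether the UID exists.
    """
    if failures.get(uid, 0) >= MAX_ATTEMPTS:
        return False  # locked: last-four SSN has only 10,000 possible values

    ldap_entry = LDAP.get(uid)
    # Fall back to dummy values so unknown users take the same code path.
    ldap_id = ldap_entry["apuIdNumber"] if ldap_entry else "\0"
    ifas_entry = IFAS.get(ldap_id)
    ifas_ssn = ifas_entry["ssn_last4"] if ifas_entry else "\0"

    # Evaluate every check before combining; no early exit on first mismatch.
    checks = [
        ldap_entry is not None,
        ifas_entry is not None,
        const_eq(apu_id, ldap_id),
        const_eq(ssn_last4, ifas_ssn),
    ]
    ok = all(checks)

    if ok:
        failures.pop(uid, None)
    else:
        failures[uid] = failures.get(uid, 0) + 1
    return ok
```

Only a `True` result should lead to the password reset step; every other outcome should show the user the same generic failure message.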
Questions
- Should the password be reset to a random string, or should the user be able to reset it to a new password of their choosing?
- Does asking for Social Security Number violate FERPA? (skohrman is looking into this.)