Password Reset Recommendation
Overview
In order to provide self-service, and to reduce the volume of support calls to reset forgotten passwords, the Architecture Working Group recommends the following new Password Reset Policy.
Password Reset Steps
- User selects "I forgot my password" link on udeupa login page.
- User is prompted for:
  - UID (Username)
  - APU ID Number
  - Last 4 Digits of SSN
  - Correct answers to 2 Challenge Questions*
- Submitted data is verified against LDAP and the IFAS Database.
- If verification succeeds, user may reset password in accordance with the password strength policy.
- If verification fails, the user is told "one or more of your responses were incorrect, please try again". The same message is returned regardless of which response was wrong.
- After X failed attempts, the password reset mechanism is disabled for that account and the event is logged.
Challenge Question Initiation
This process change assumes that we re-engineer the challenge question mechanism. The current free-form nature of the challenge question and answer limits automation. Instead, the user would need to establish answers to a set of fixed challenge questions. This would need to be added to the registration process. Already registered users will need to be force-prompted, one time upon entrance to udeupa, to establish answers to the questions. When prompted for a challenge question response, the user will be presented with their pre-established questions.
* The user will be able to choose a minimum of two challenge questions, but can optionally choose additional questions for greater security. All questions chosen will be presented to the user when resetting the password, along with Username, APU ID Number, and last 4 digits of SSN.
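The reset steps above and the challenge question enrollment they depend on, as an added illustration (not part of this policy document): the LDAP/IFAS lookups are replaced by a constructed in-memory record, the lockout threshold "X" is an assumed value of 3, and the function names are hypothetical. It shows the points a reviewer of this policy would want enforced: answers stored salted and hashed, all fields checked before a uniform failure message is returned, and the failure counter disabling the mechanism and logging it.

```python
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass

log = logging.getLogger("password_reset")
MAX_FAILED_ATTEMPTS = 3  # assumed value; the policy leaves "X" to be decided
# One generic message so a failure never reveals which field was wrong.
GENERIC_FAILURE = "one or more of your responses were incorrect, please try again"

def normalize(answer: str) -> str:
    return " ".join(answer.split()).casefold()  # case/whitespace-insensitive answers

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored salted and hashed (PBKDF2), never in clear text.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

@dataclass
class ResetRecord:  # constructed stand-in for the LDAP/IFAS data verified against
    apu_id: str
    ssn_last4: str
    salt: bytes
    answers: dict          # question -> hashed answer, at least two questions
    failed_attempts: int = 0
    reset_enabled: bool = True

def enroll(apu_id: str, ssn_last4: str, qa: dict) -> ResetRecord:
    """Registration step: establish answers to the user's chosen fixed questions."""
    salt = secrets.token_bytes(16)
    return ResetRecord(apu_id, ssn_last4, salt, {q: hash_answer(a, salt) for q, a in qa.items()})

def verify_reset(uid: str, rec: ResetRecord, apu_id: str, ssn_last4: str, answers: dict):
    """Returns (ok, message). Every field is checked before deciding, failures are
    counted, and after MAX_FAILED_ATTEMPTS the mechanism is disabled and logged."""
    if not rec.reset_enabled:
        return False, GENERIC_FAILURE
    ok = hmac.compare_digest(rec.apu_id.encode(), apu_id.encode())
    ok &= hmac.compare_digest(rec.ssn_last4.encode(), ssn_last4.encode())
    for q, h in rec.answers.items():  # all enrolled questions must be answered correctly
        ok &= hmac.compare_digest(h, hash_answer(answers.get(q, ""), rec.salt))
    if ok:
        rec.failed_attempts = 0
        return True, "verified; set a new password per the password strength policy"
    rec.failed_attempts += 1
    log.warning("reset verification failed for uid=%s (attempt %d)", uid, rec.failed_attempts)
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.reset_enabled = False
        log.error("password reset disabled for uid=%s after %d failures", uid, rec.failed_attempts)
    return False, GENERIC_FAILURE
```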
Sample Challenge Questions
- What city was I born in?
- What is my mother's maiden name?
- What was my favorite stuffed animal's name?
- What was my favorite elementary school teacher's last name?
- What was my first pet's name?
For further considerations, best practices, and details to be implemented with this new policy, see Security Concepts and the Appendix.