
Password Reset

Redhat Directory Server - Return from LDAP History

Directories | IdM | Password Reset

When APU was preparing to deploy our first LDAP directory service, we were looking at running both OpenLDAP and Netscape/iPlanet Directory Server. The sole reason we were going to purchase the iPlanet directory server was that it had a password synchronization mechanism with NT 4. It was a major goal to have a single username and password for all major services running on Windows and Unix. However, when implementation time came around, we had moved to Windows 2000, with which the iPlanet directory did not yet support synchronization.

Much time has passed...

Password Reset Recommendation Submitted

Password Reset

The Architecture Working Group has arrived at a Password Reset Recommendation.

The [Password Reset Project] will now go back to the Project Management Office, where an implementation team will be established, upon approval from the IMT Cabinet.

There should be enough information to carry out the project in a short timeframe. Some details will be refined during implementation, including an expanded list of security challenge questions to present to the user. Thanks to all AWG members who contributed their time and clear thinking toward this Self-Service goal. I am sure your feedback will be appreciated as the project moves forward.

Password Reset Recommendation

Password Reset

Overview

In order to provide self-service, and to reduce the volume of support calls to reset forgotten passwords, the Architecture Working Group recommends the following new Password Reset Policy.

Password Reset Steps

  1. User selects "I forgot my password" link on udeupa login page.
  2. User is prompted for:
    • UID (Username)
    • APU ID Number
    • Last 4 Digits of SSN
    • Correct answer to 2 Challenge Questions*
  3. Submitted data is verified against LDAP and IFAS Database
  4. If verification succeeds, user may reset password in accordance with the password strength policy.
  5. If verification fails, the user is told "one or more of your responses were incorrect, please try again."
  6. After X failed attempts the password reset mechanism is disabled for that account, and the failure is logged.

Challenge Question Initiation

This process change assumes that we re-engineer the challenge question mechanism. The current free-form nature of the challenge question and answer limits automation. Instead, the user would need to re-establish answers to a set of fixed challenge questions. This would need to be added to the registration process. Already registered users will need to be force-prompted to establish answers to the questions one time upon entrance to udeupa. When prompted for a challenge question response, the user will be presented with their pre-established questions.

* The user will be able to choose a minimum of two challenge questions, but can optionally choose more for greater security. All questions chosen will be presented to the user when resetting the password, along with Username, APU ID Number, and last 4 digits of SSN.
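The reset steps and the challenge-question enrollment above, as an added Python example that is not part of the recommendation or of any APU system. It assumes a directory entry and an IFAS record kept in plain dictionaries (constructed stand-ins for LDAP and the IFAS database), stores only salted hashes of the answers, normalizes answers so that capitalization, accents and stray spaces do not fail a legitimate user, returns the same generic message whichever field was wrong, and disables the mechanism after `MAX_FAILED_ATTEMPTS` failures (the "X" of step 6, an assumed value):

```python
import hashlib
import hmac
import logging
import secrets
import unicodedata
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3   # the "X" of step 6; assumed value
MIN_QUESTIONS = 2         # minimum questions a user must enroll (see footnote)
GENERIC_FAILURE = "one or more of your responses were incorrect, please try again"

log = logging.getLogger("password_reset")


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so case, accents and stray whitespace do not
    cause a legitimate user to fail ("Los Angeles " matches "los angeles")."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash: a copy of the directory must not reveal the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class DirectoryEntry:
    """Constructed stand-in for the user's LDAP entry."""
    uid: str
    challenge: dict = field(default_factory=dict)   # question -> (salt, hash)
    failed_resets: int = 0
    reset_disabled: bool = False


@dataclass
class StudentRecord:
    """Constructed stand-in for the IFAS row holding the identity data."""
    apu_id: str
    ssn_last4: str


def enroll_challenge_answers(entry: DirectoryEntry, qa_pairs: dict) -> None:
    """Challenge Question Initiation: the user picks at least MIN_QUESTIONS
    fixed questions; only salted hashes of the answers are stored."""
    if len(qa_pairs) < MIN_QUESTIONS:
        raise ValueError(f"choose at least {MIN_QUESTIONS} challenge questions")
    for question, answer in qa_pairs.items():
        if not normalize_answer(answer):
            raise ValueError(f"empty answer for {question!r}")
        salt = secrets.token_bytes(16)
        entry.challenge[question] = (salt, hash_answer(answer, salt))


def verify_reset_request(directory: dict, ifas: dict, uid: str, apu_id: str,
                         ssn_last4: str, answers: dict) -> tuple:
    """Steps 3 to 6. Returns (allowed, message). Every field is checked before
    a decision is made, and the same message is returned whichever was wrong,
    so the response does not reveal which item the requester got right."""
    entry = directory.get(uid)
    record = ifas.get(uid)
    if entry is None or record is None or entry.reset_disabled:
        return False, GENERIC_FAILURE
    ok = _same(apu_id, record.apu_id)
    ok &= _same(ssn_last4, record.ssn_last4)
    for question, (salt, expected) in entry.challenge.items():
        given = answers.get(question, "")
        ok &= hmac.compare_digest(hash_answer(given, salt), expected)
    if ok:
        entry.failed_resets = 0
        return True, "verified; you may now choose a new password"
    entry.failed_resets += 1
    log.warning("reset verification failed uid=%s attempt=%d", uid, entry.failed_resets)
    if entry.failed_resets >= MAX_FAILED_ATTEMPTS:
        entry.reset_disabled = True           # step 6: lock the mechanism and log it
        log.warning("self-service reset disabled uid=%s", uid)
    return False, GENERIC_FAILURE
```

An unknown username gets the same generic message as a wrong answer, so the form cannot be used to confirm which accounts exist; re-enabling a locked account is left to the support desk, which is the fallback the policy already assumes.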

Sample Challenge Questions

  • What city was I born in?
  • What is my mother's maiden name?
  • What was my favorite stuffed animal's name?
  • What was my favorite elementary school teacher's last name?
  • What was my first pet's name?

For further considerations, best practices, and details to be implemented with this new policy, see Security Concepts and the Appendix.

Which Password Reset Solution Should we Recommend?

Password Reset
[Solution A]
0% (0 votes)
[Solution B]
0% (0 votes)
[Solution C] (A + B)
100% (8 votes)
Total votes: 8

Suggested Challenge Questions

Password Reset

Background

Everyone seems to agree that challenge questions provide a small increase in security over simply asking for known identity information as in [Solution A]. They provide a bit of randomness that would otherwise be missing if we only asked for udeupa username, ApuIdNumber, and partial social security number. The only problem is that questions which promote more random answers will be more difficult to verify, and will be harder for users to remember. In other words, we don't want to ask really simple questions, but we also don't want to ask a question that can be answered in a thousand different ways.

If the goal is to reduce the overhead and inconvenience of password resets through the support desk, by providing an easy-to-use self-service tool, then challenge questions could present some problems. The key will be to decide which questions to ask, and the method of verification. It may also become burdensome to ask too many questions. Remember, if the user doesn't remember any of their answers they will be calling the support desk.

With these considerations in mind, it can be understood why questions such as "mother's maiden name" are so widely used. It's something you won't forget. It's something that is a single word and spelled the same way every time. These things help verification. This is not a promotion of this question, but rather an example of the attributes that probably make it a good challenge question, if viewing it from more than just a security perspective.

Remember, we aren't shooting for the ultimate solution; if we were, we wouldn't be using passwords at all.

Logic Related Questions

  1. How many challenge questions should be presented to the user for answer creation?
  2. Can the user select which questions to answer? (See [Password Reset Best Practices])
  3. How many questions are presented to the user for verification?
  4. If not all questions are presented, is the subset random?
  5. What percentage of questions does the user have to get correct?

Please attempt to answer these questions, and provide suggested (even if duplicated) Challenge Questions below.

Email Based Resets

Password Reset

One of the things that came up in our discussion was whether or not email based resets are appropriate in our environment. Many sites will generate a temporary hash with a short expire, sometimes after passing a security check (challenge question, etc.), and email that to an address already on file. Arguably, this is an added level of security because the attacker would have also had to compromise the email account as well.

However, our environment is a bit more complex.

  • As we provide email to our users, the password reset email wouldn't do them any good on that account since it uses the same password.
  • If the person forwards to an external site, it could perhaps still work. But would it cause security concerns for us to send to an untrusted 3rd party email system? Is the short expire on the hash good enough here?
  • In theory, we could check to see if they had a forward, before giving them an option to send an email to reset.
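To make the mechanism described above concrete, here is an added Python sketch of an email-based reset; it is not from this page or from any product the page mentions. It issues a random token with a short expiry, stores only a hash of it, accepts it exactly once, and, following the first and third bullets, only issues it when the address on file is a forward outside our own mail domain. The TTL, the local mail domain and the forwarding table are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60        # the "short expire"; assumed value
LOCAL_MAIL_DOMAIN = "example.edu"  # constructed stand-in for our own mail domain


@dataclass
class PendingReset:
    uid: str
    token_hash: bytes   # only the hash is stored; the token itself goes in the mail
    expires_at: float
    used: bool = False


class EmailResetService:
    def __init__(self, forwards: dict, clock=time.time):
        # forwards: uid -> forwarding address on file, or None (constructed data)
        self.forwards = forwards
        self.clock = clock
        self.pending = {}

    def reset_destination(self, uid: str):
        """Our own mailbox needs the very password being reset, so a link is
        only deliverable when the user forwards to an address outside our domain."""
        addr = self.forwards.get(uid)
        if not addr or addr.lower().endswith("@" + LOCAL_MAIL_DOMAIN):
            return None
        return addr

    def issue(self, uid: str):
        """Create a single-use, time-limited token after the caller has already
        passed whatever security check precedes it. Returns (address, token)
        to hand to the mailer, or None if email reset is not applicable."""
        addr = self.reset_destination(uid)
        if addr is None:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[uid] = PendingReset(
            uid=uid,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        return addr, token

    def redeem(self, uid: str, token: str) -> bool:
        """Accept the link exactly once and only before it expires."""
        pending = self.pending.get(uid)
        if pending is None or pending.used or self.clock() > pending.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending.token_hash):
            return False
        pending.used = True
        return True
```

Storing only the hash means a leaked copy of the pending table cannot be turned into working links, and the injectable clock makes the expiry behaviour testable without waiting fifteen minutes.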

Unless the following statements are true, the email password reset would serve no purpose:

  1. Email Password Reset is sufficient security on its own, and no additional authentication (identifiers or shared secrets) is required.
  2. Proposed [Simple Solution A] or [Simple Solution B] are not sufficient to allow an immediate reset.

I would argue that both of the above statements are false.

Statement #1

A reset password hash with a short expire is sufficient and convenient for most simple web sites, but 3rd party email accounts should not be trusted for this security context.

Statement #2

Since proposed Solutions A and B, which prompt for secrets that are within our control, are stronger than the untrusted authentication mechanisms of remote email systems, there is no reason to send the users through an additional hoop. It is more convenient for our users to allow them to immediately reset their password after passing our authentication prompts. There is no reason to send them to an email system, where they receive an HTTP link that is only going to send them right back to our site.

Summary

Finally, implementing a solution that will not work for all users (not all users forward email) is an unnecessary complication in our quest to produce a simple solution, and in the end would probably confuse users without providing increased security. Even if you believed that the email hash would increase security, since you would have to allow for non-email password resets, you have just allowed a weaker form and negated the benefits of the "stronger" form.

Password Reset Archived Work

Password Reset

Historical Discussion of Possible Password Reset Solutions.

Solution C

Password Reset
Option C is Option A & B Combined.

I have a few general comments regarding both solutions. I like that Solution A is pulling data from both IFAS and OpenLDAP. Unfortunately, if you found a person's ID card and went online and paid $20 for their SSN, or just pulled it from IFAS, you could reset their password. I like that Solution B includes a re-engineered challenge question because this would be the toughest of all of the data to gather on the person, if the challenge questions are strong enough. I don't like that all of the data can be pulled from one system. My recommendation is a combination of the two solutions. I think we should add last four of SSN to Solution A.

Also, I think we need to add some protection against script attacks. Possibly the random JPEG word entry that ticketmaster.com uses?

-- Darren Flynt

Password Reset Best Practices

Password Reset

Higher Education

Internet2

Internet2 Middleware Initiative's MACE Directory Working Group produced Identifiers, Authentication, and Directories: Best Practices for Higher Education.

Some Highlights from the Authentication section

Use shared secrets or a positive photo ID to reset forgotten passwords.

Shared secrets are pieces of information that users provide when getting their initial passwords. The traditional shared secret is the user's mother's maiden name. Another approach is to have the user provide several pieces of information when first given a password, and then to require the user to provide some subset of this information (say, two items out of five) in order to change the password. Question-and-answer pairs also make good shared secrets.

Non CCCU Universities

Self Service Reset
  • Saginaw Valley State University - Successful usage of this screen requires the student to know their Login ID, the last four digits of their Social Security Number, the last seven digits of their Student ID (identified on "TheCard" as id #), and their date of birth.
  • The University of North Carolina at Greensboro offers a Self Service Password Reset, only asking for University ID, username, first, last, and birthdate.
  • The University of Tennessee has an interesting default password standard which includes some private info. If a password is forgotten it can be reset in some cases back to the default, or web forms are available which ask for University ID and a University PIN. Note, the password reset page is not SSL-enabled.
  • University of Denver offers a Security Question for password resets.
Assisted Reset
  • Georgetown has a nice print and fax form as the only method for reset.
  • University of Tulsa requires physical presence with id.
  • University of Pittsburgh requires physical presence with id (http://technology.pitt.edu/accounts/).

Industry

Information Security Mag

An article Password Pain Relief in Information Security Mag, though a bit dated, discusses how several commercial Identity Management products help to establish self-service password resets.

Password-related help desk calls may cost as much as $30 a call, according to a Meta Group study.

PasswordCourier is typical of self-service reset products in enforcing an organization's strong password requirements while obligating the user to authenticate by answering customized challenge questions.

Password reset software generally lets users reset and change passwords from a browser, Windows client or telephone.

In addition to supporting authentication tools such as tokens and biometrics (either out of the box or through an SDK), self-service reset solutions typically authenticate users through a series of challenge-response questions. These should be questions only the user is likely to answer correctly, such as the name of a childhood pet.

To ensure that challenge questions provide strong user authentication (especially if the questions are the only authentication to the reset tool), reset solutions typically allow admins to define the number and type of questions that must be answered.

Sun One Identity Management

The Sun One Identity Management Administrator Guide explains the Password Reset Service. The service uses challenge questions to authenticate users who have forgotten their password. The only interesting implementation detail was that the user can select which of the challenge questions to answer when setting them up the first time. This is perhaps an effective way of preventing bad answers, such as "I don't know". Also, there is a feature that can be enabled to allow writing the question as well as the answer. Lastly, they implement good security measures such as lockout.

Sample Questions listed are:

  • What is your pet’s name?
  • What is your favorite TV show?
  • What is your mother’s maiden name?
  • What is your favorite restaurant?

Appendix

Password Reset

Previous Policies and Other Background information.
