Change

advertisement
Draft – 10/28/2008 14:00PM
Problem Summary
 SSN must be removed as a basis for identity verification for:
 Account Activation
 Password Change
 Password Recovery
 SSN is currently the only near universal shared secret that
can be used for identity verification.
Challenges
 Remote identity verification by shared secret requires:
 Secret that is accessible and usable by both individual and us
 Secret that is known only to the individual and us
 Private communications channel to share the secret
 Most alternatives to SSN currently fail one or both of the
first two requirements.
 SSN almost always provides a reliable fallback of last resort.
 Alternative solutions require a compromise between
positive identification and convenience.
Proposed Solution Summary
 Primary Verification
 Secret Question/Answer ( SQA ) generates temporary password sent
through private communications channel ( PCC ) consisting of external email, cellmail, and/or cell SMS communications.
 Secondary or Fallback Verification
 PCC or SQA only








Helpdesk physical visit
Supervisor voice verification
Role based business/academic questions
Webcam visual identification (raise two fingers)
Voiceprint
Fax picture identity card
Postal mail
Non-positive identification
Secret Question/Answer ( SQA )
 The answers effectively form a password.
 A password that violates most best practices for
passwords:
 Dictionary presence
 Public, personal, or guessable information
 Complexity rules
 Password change and history rules
 Answers may not be any more memorable than a
password
Private Communications Channel
(PCC)
 To add assurance to the poor SQA password, additional
identity verification is carried out using a private
communication channel.
 The PCC requires an additional, university independent
user password and/or physical possession of an object.
 The “Private” in PCC is relative.
Private Communications Channel
(PCC)
 External E-mail ( e.g. gmail, live )
 Cellmail
 E-mail to cell#@network.org
 Requires collection and storage of network information. Recently stopped.
 Not sure if all networks provide this service but most do.
 SMS
 Blackboard Connect?
 Campus SMS Gateway?
 Outsourced SMS Gateway?
 Voice?

Blackboard Connect?
 Any cell option is well worth pursuing for benefits down the road in “twofactor” authentication and other uses. Inclusion in the solution at its outset is
strongly recommended.
Operational Overview
Accounts.university.edu Home
Page
 Activate account for new users
 Change password for existing users
 Recover from forgotten password
Use Case – Activate Account –
Primary Method
 Student or employee receives email or postal mail upon acceptance




with account name and URL: Accounts.university.edu/activate-step-1.
Person visits accounts.university.edu/activate-step-1 with browser.
Answers SQA ( filled in previously from student application or as yet
unknown new employee/affiliate process )
Temporary password sent via PCC on record from student application
or as yet unknown new employee/affiliate process. Contains URL
accounts.university.edu/activate-step-2
Accounts.university.edu/activate-step-2





Enters ID and temporary password
Chance to change SQA
Security Awareness
Change password
PCC information verification ( correction leads to SA or HR self service
pages )
Use Case –Change Password –
Primary Method
 Accounts.university.edu/change
 Login
 Chance to review SQA questions and change
 Security Awareness
 Change password
 PCC information verification ( correction leads to SA
or HR self service pages )
Use Case –Recover Password –
Primary Method




Accounts.university.edu/recover
Enter ID
SQA
Temporary password sent via PCC on record from student
application or as yet unknown new employee/affiliate process.
Contains URL accounts.university.edu/recover-step-2
 Accounts.university.edu/recover-step-2





Enters ID and temporary password
Chance to change SQA
Security Awareness
Change password
PCC information verification ( correction leads to SA or HR self
service )
Basic Tradeoffs – Primary
Methods
 More convenience
 Require only one of SQA or PCC
 Allow e-mail PCC
 More positive identification and security
 Require both SQA and PCC
 Require cell PCC
Tradeoffs – Recommendations
for Primary Methods
 At roll-out:
 On-campus request
 Allow recovery with either SQA or PCC ( e-mail or cell ) individually for all
parties
 Off-campus request:
 Allow recovery with e-mail or cell PCC by itself if student.
 Allow recovery with cell PCC by itself if employee.
 After stable:
 On-campus request
 Allow recovery with either SQA or PCC ( e-mail 0r cell ) individually if
requested on-campus by all parties.
 Off-campus request
 Require both SQA and PCC. Cell PCC for employees. Cell or email PCC for
students.
Operational Overview –
Fallback Verification
 Assumption: SQA and PCC unsuccessful/unavailable









PCC or SQA only
Helpdesk physical visit
Supervisor voice verification
Role based business/academic questions
Webcam visual identification (hold up two fingers)
Voiceprint
Fax picture identity card
Postal mail
Non-positive identification
Use Case – Activate Account –
Fallback Methods
 Postal mail to address of record with temporary
password
 Physical helpdesk visit for employees
 Emergency vouch for identity and unregistered PCC on
case by case basis
 Physical visit or academic questions for students
 Enrolled classes
 Grades
 Application information
Use Case – Recover Password –
Fallback Methods
 Physical helpdesk visit
 Supervisor voice verification
 Helpdesk call
 Supervisor physical helpdesk visit
 Role based business/academic questions
 Helpdesk call
 Forwarded to student/employee/affiliate business analyst
 Classes, grades, HR info, ???
 Postal Mail to Address on record
Basic Tradeoffs – Fallback
Methods
 More convenience
 Allow third party vouch
 More security
 Require positive identification by physical visit
Tradeoffs – Recommendations
for Fallback Methods
 Physical visit or supervisor vouch for employees or affiliates
 Physical visit or academic questions for students
 Enrolled classes
 Grades
 Residence hall
 Last resort (No physical access to university. No university vouch unavailable).
Consideration must be given to sensitivity of account.
 Postal mail to address on record.
 Trust in third party vouch ( e.g. distance learning physical ID check,
validated remote higher ed personnel physical ID check )
 Webcam visual identification (raise two fingers)
 Fax picture identity card
Physical Helpdesk Visit
 Dedicated, locked down machine(s)
 Helpdesk checks ID
 Helpdesk logs into computer and enters user’s ID
 User goes through standard account activation
process:
 SQA set
 Security Awareness
 Change password
 Verify PCC information ( change leads to SA or HR self
service pages )
Helpdesk Computers
 Computer Security Controls
 Screensaver timeout
 Session timeout
 Kiosk style configuration lockdown
 No ability to backtrack through screens
Supervisor Vouch
 Helpdesk receives call, claimed identity, supervisor name,
unregistered PCC.
 Helpdesk verifies supervisor and contact information.
Confirms with supervisor over phone by helpdesk initiated
call.
 Helpdesk logs in and initiates password recovery for claimed
identity and unregistered PCC or
 Supervisor must physically visit helpdesk and do same
 Portal sends temporary password through unregistered
PCC.
Architecture and
Implementation
 New functions
 New data
 Policy vs programming
 Futures
 Migration
 Costs
New Portal Functions
 Ask/Verify/Set SQA
 Verify email, cell phone, cell network. Redirect to SA or HR
self service pages for change.
 Generate temporary password
 Generate email/cellmail/SMS according to user preference
and policy
 Receive temp password
 SQA set
 Security Awareness
 Change password
 Verify email/SMS. Redirect to SA or HR self service pages for
change.
New LDAP Data
 Cell number ( from peoplesoft )
 Cell network ( from peoplesoft )
 External e-mail address ( from peoplesoft )
 PCC User Preference ( email/cellmail/SMS )
 SQA ( from collegenet/portal activation )
 Temporary password and expiration date ( generated by
portal )
 Random salt for default password ( generated by managedaccounts )
 Default Password - REDACTED ( generated by managedaccounts )
New Managed Accounts
Functions
 CollegeNet -> JCC ( SQA, email, cell, cell network )
 Random default password salt -> LDAP for new
accounts
 Default password -> LDAP for new accounts
 SQA, email, cell -> LDAP for new accounts
Data Storage and Flow - SQA
 User selects questions and provides answers
 Collegenet application ( new students )
 Hire process ( new employees )
 Affiliate process ( new affiliates )
 Portal ( existing population )
 SQA for new students, employees, and affiliates loaded
into LDAP
 LDAP becomes SOA
 All changes & administration done in portal
Data Storage and Flow - PCC
 User provides e-mail, cell#, cell network
 Collegenet application ( new students )
 Hire process ( new employees )
 Affiliate process ( new affiliates )
 Portal ( existing population )
 PCC data for new students, employees, and affiliates
loaded into LDAP
 Peoplesoft remains SOA
 Portal uses LDAP for look-ups
 Portal directs user to SA or HR self service pages for
changes
Data Storage and Flow –
Default PW
 Managed accounts generates random salt for new
accounts and stores in LDAP
 Managed accounts generates default password unique
to individual using reproducible algorithm making use
of random salt. Sets as password for new accounts.
 Accounts portal administrative console changes
password of “disabled” accounts to default password.
Data Storage and Flow – Temp
PW – PCC delivery
 Generated by portal on the fly
 Account activation
 User Password recovery
 Administrative recovery ( helpdesk, vouch, etc. )
 Random, fourteen character string made up of easily read characters (




e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s )
Good for twenty-four hours
Hashed, then stored in LDAP along with expiration date/time
Sent via PCC
Password accepted by portal in recovery/activation process part 2
 Hashed and compared to LDAP value
 Check expiration date
Data Storage and Flow – Temp
PW – Postal Delivery
 Generated by portal administrative interface
 Random, fourteen character string made up of easily read characters (






e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s )
Good for 10 days
Hashed, then stored in LDAP along with expiration date/time
Portal generates letter. Puts in queue.
Daily process prints generated letters. Need envelope stuffing and
mailing process.
Send via Postal Mail
Password accepted by portal in recovery/activation process part 2
 Hashed and compared to LDAP value
 Check expiration date
SQA Recommendations
 Provide user with list of eight questions from which they




must choose three to answer.
Opinion rather than truth questions to deter public
information attacks and avoid storing personal
information.
Remove case and white space from answers to ease
repeatability and parsing.
Require a minimum length (3?) answer for each question
Add additional identity verification using the PCC for
activation/recovery requests originating off-campus.
PCC Recommendations
 In some situations, the private communication
channel can be used as a fallback mechanism by
itself if SQA answers are forgotten or not available.
 LDAP stores PCC user preference but portal can
limit user choice and choose method of
transmission on the fly according to policy.
Policy Design
 It is strongly recommended that the following policies be
configurable, rather than hard coded, so they can be
changed to meet changing environmental and business
needs.
 Enable/Require SQA, PCC, or both for what population.
 Enable/Require email, cellmail, and/or SMS PCC for what
population
 Temporary password characteristics – length, expiration time
 Number of secret questions required
 Consideration should be given to storing configuration data in a
directory, not in the application.
Miscellaneous Design Issues
 Use of generic classes to allow for future expansion. For
example:
 ID-Verification (e.g. SQA, PKI-Certificate, RemotePictureID,
OpenID, RemoteShibboleth, SecureID, LaptopFingerprint, VoiceID)
 PCC (e.g. email, cellmail, SMS, WiFi, IM)
 LDAP Directory (e.g. eDirectory, OID, ActiveDirectory, OVD)
 Administrative functions should be moved off the home
page to decrease clutter and end user confusion. ( e.g.
accounts.university.edu/admin )
Administrative Functions
 Helpdesk ‘user present’ password recovery.
 Helpdesk ‘user not present’ password recovery (
sends temporary password to provided unregistered
PCC ).
 Helpdesk ‘disable account’ ( sets account password to
default and disables LDAP account )
Administrative Functions
 Account status query:
 Active
 Disabled
 Waiting for activation phase 1
 Waiting for activation phase 2 ( SQA answered, temp password send to PCC
( list )
 Awaiting recovery phase 2. ( SQA answered, temp password sent to PCC (
list )
 Logging
 SQA failed/answered from IP address
 Phase 2 activation/recovery failed/succeeded from IP address
 Change password failed/succeeded from IP address
 PCC send failed
Migration
 Current students, faculty, staff, affiliates, and graduates
 Collect SQA and PCC information during normal password change cycle
explaining the change online as well as through out of channel
communications.
 New Students
 Implement CollegeNet application process already discussed.
 New Employees
 Need to come up with point in business process where identity can be
verified and SQA/PCC information collected. ( I9 form fill out time?)
 New Affiliates
 Need to come up with point in business process where identity can
be verified and SQA/PCC information collected. Vendor vouch?
Cost Summary
 Extensive changes to accounts portal
 Business process re-engineering for account activation prerequisites in student
acceptance and employee hiring.
 Convenience and complexity impact on end user
 Increased frequency of fallback scenarios.
 Increased support complexity and sensitive user interaction required in
fallback scenarios.
 Increased outright failures of identity verification process in certain remote
situations requiring acceptance of risk associated with poor verification or
significant end user impact on accessibility.
 New LDAP attributes
 Changes to ID generation script
 Requires registration of external email and/or cell phone information for off-
campus account activation and password recovery
 Requires SMS gateway if that option chosen over or in addition to
cell@network email.
Download