Upload
keaton-powers
View
30
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Proposal for SSN Removal from Account Activation/Password Renewal Process. Draft – 10/28/2008 14:00PM. Problem Summary. SSN must be removed as a basis for identity verification for: Account Activation Password Change Password Recovery - PowerPoint PPT Presentation
Citation preview
Draft – 10/28/2008 14:00PM
Problem SummarySSN must be removed as a basis for identity
verification for:Account ActivationPassword ChangePassword Recovery
SSN is currently the only near universal shared secret that can be used for identity verification.
ChallengesRemote identity verification by shared secret
requires:Secret that is accessible and usable by both individual and usSecret that is known only to the individual and usPrivate communications channel to share the secret
Most alternatives to SSN currently fail one or both of the first two requirements.
SSN almost always provides a reliable fallback of last resort.
Alternative solutions require a compromise between positive identification and convenience.
Proposed Solution SummaryPrimary Verification
Secret Question/Answer ( SQA ) generates temporary password sent through private communications channel ( PCC ) consisting of external e-mail, cellmail, and/or cell SMS communications.
Secondary or Fallback Verification PCC or SQA only Helpdesk physical visit Supervisor voice verification Role based business/academic questions Webcam visual identification (raise two fingers) Voiceprint Fax picture identity card Postal mail Non-positive identification
Secret Question/Answer ( SQA )The answers effectively form a password.A password that violates most best practices
for passwords:Dictionary presencePublic, personal, or guessable informationComplexity rulesPassword change and history rules
Answers may not be any more memorable than a password
Private Communications Channel (PCC)
To add assurance to the poor SQA password, additional identity verification is carried out using a private communication channel.
The PCC requires an additional, university independent user password and/or physical possession of an object.
The “Private” in PCC is relative.
Private Communications Channel (PCC) External E-mail ( e.g. gmail, live ) Cellmail
E-mail to cell#@network.org Requires collection and storage of network information. Recently
stopped. Not sure if all networks provide this service but most do.
SMS Blackboard Connect? Campus SMS Gateway? Outsourced SMS Gateway?
Voice? Blackboard Connect?
Any cell option is well worth pursuing for benefits down the road in “two-factor” authentication and other uses. Inclusion in the solution at its outset is strongly recommended.
Operational Overview
Accounts.university.edu Home Page
Activate account for new usersChange password for existing usersRecover from forgotten password
Use Case – Activate Account – Primary MethodStudent or employee receives email or postal mail upon
acceptance with account name and URL: Accounts.university.edu/activate-step-1.
Person visits accounts.university.edu/activate-step-1 with browser.
Answers SQA ( filled in previously from student application or as yet unknown new employee/affiliate process )
Temporary password sent via PCC on record from student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/activate-step-2
Accounts.university.edu/activate-step-2 Enters ID and temporary password Chance to change SQA Security Awareness Change password PCC information verification ( correction leads to SA or HR self
service pages )
Use Case –Change Password – Primary MethodAccounts.university.edu/changeLoginChance to review SQA questions and changeSecurity AwarenessChange passwordPCC information verification ( correction
leads to SA or HR self service pages )
Use Case –Recover Password – Primary MethodAccounts.university.edu/recoverEnter IDSQATemporary password sent via PCC on record from
student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/recover-step-2
Accounts.university.edu/recover-step-2Enters ID and temporary passwordChance to change SQASecurity AwarenessChange passwordPCC information verification ( correction leads to SA or
HR self service )
Basic Tradeoffs – Primary MethodsMore convenience
Require only one of SQA or PCCAllow e-mail PCC
More positive identification and securityRequire both SQA and PCCRequire cell PCC
Tradeoffs – Recommendations for Primary MethodsAt roll-out:
On-campus request Allow recovery with either SQA or PCC ( e-mail or cell )
individually for all partiesOff-campus request:
Allow recovery with e-mail or cell PCC by itself if student. Allow recovery with cell PCC by itself if employee.
After stable:On-campus request
Allow recovery with either SQA or PCC ( e-mail 0r cell ) individually if requested on-campus by all parties.
Off-campus request Require both SQA and PCC. Cell PCC for employees. Cell or email
PCC for students.
Operational Overview – Fallback VerificationAssumption: SQA and PCC
unsuccessful/unavailable PCC or SQA only Helpdesk physical visit Supervisor voice verification Role based business/academic questions Webcam visual identification (hold up two fingers) Voiceprint Fax picture identity card Postal mail Non-positive identification
Use Case – Activate Account – Fallback MethodsPostal mail to address of record with
temporary password
Physical helpdesk visit for employeesEmergency vouch for identity and unregistered
PCC on case by case basis
Physical visit or academic questions for studentsEnrolled classesGradesApplication information
Use Case – Recover Password – Fallback MethodsPhysical helpdesk visit
Supervisor voice verificationHelpdesk callSupervisor physical helpdesk visit
Role based business/academic questionsHelpdesk callForwarded to student/employee/affiliate business analystClasses, grades, HR info, ???
Postal Mail to Address on record
Basic Tradeoffs – Fallback MethodsMore convenience
Allow third party vouch
More securityRequire positive identification by physical visit
Tradeoffs – Recommendations for Fallback MethodsPhysical visit or supervisor vouch for employees or affiliatesPhysical visit or academic questions for students
Enrolled classesGradesResidence hallLast resort (No physical access to university. No university vouch
unavailable). Consideration must be given to sensitivity of account. Postal mail to address on record. Trust in third party vouch ( e.g. distance learning physical ID
check, validated remote higher ed personnel physical ID check ) Webcam visual identification (raise two fingers) Fax picture identity card
Physical Helpdesk VisitDedicated, locked down machine(s)Helpdesk checks IDHelpdesk logs into computer and enters user’s IDUser goes through standard account activation
process:SQA setSecurity AwarenessChange passwordVerify PCC information ( change leads to SA or HR
self service pages )
Helpdesk ComputersComputer Security Controls
Screensaver timeoutSession timeoutKiosk style configuration lockdownNo ability to backtrack through screens
Supervisor VouchHelpdesk receives call, claimed identity,
supervisor name, unregistered PCC.Helpdesk verifies supervisor and contact
information. Confirms with supervisor over phone by helpdesk initiated call.Helpdesk logs in and initiates password recovery for
claimed identity and unregistered PCC orSupervisor must physically visit helpdesk and do same
Portal sends temporary password through unregistered PCC.
Architecture and ImplementationNew functionsNew dataPolicy vs programmingFuturesMigrationCosts
New Portal FunctionsAsk/Verify/Set SQAVerify email, cell phone, cell network. Redirect to
SA or HR self service pages for change.Generate temporary passwordGenerate email/cellmail/SMS according to user
preference and policyReceive temp password
SQA setSecurity AwarenessChange passwordVerify email/SMS. Redirect to SA or HR self service pages
for change.
New LDAP DataCell number ( from peoplesoft )Cell network ( from peoplesoft )External e-mail address ( from peoplesoft )PCC User Preference ( email/cellmail/SMS )SQA ( from collegenet/portal activation )Temporary password and expiration date
( generated by portal )Random salt for default password ( generated by
managed-accounts )Default Password - REDACTED ( generated by
managed-accounts )
New Managed Accounts FunctionsCollegeNet -> JCC ( SQA, email, cell, cell
network )Random default password salt -> LDAP for
new accountsDefault password -> LDAP for new accountsSQA, email, cell -> LDAP for new accounts
Data Storage and Flow - SQAUser selects questions and provides answers
Collegenet application ( new students )Hire process ( new employees )Affiliate process ( new affiliates )Portal ( existing population )
SQA for new students, employees, and affiliates loaded into LDAPLDAP becomes SOAAll changes & administration done in portal
Data Storage and Flow - PCCUser provides e-mail, cell#, cell network
Collegenet application ( new students )Hire process ( new employees )Affiliate process ( new affiliates )Portal ( existing population )
PCC data for new students, employees, and affiliates loaded into LDAPPeoplesoft remains SOAPortal uses LDAP for look-upsPortal directs user to SA or HR self service pages
for changes
Data Storage and Flow – Default PWManaged accounts generates random salt for
new accounts and stores in LDAPManaged accounts generates default
password unique to individual using reproducible algorithm making use of random salt. Sets as password for new accounts.
Accounts portal administrative console changes password of “disabled” accounts to default password.
Data Storage and Flow – Temp PW – PCC deliveryGenerated by portal on the fly
Account activation User Password recovery Administrative recovery ( helpdesk, vouch, etc. )
Random, fourteen character string made up of easily read characters ( e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s )
Good for twenty-four hoursHashed, then stored in LDAP along with expiration date/timeSent via PCCPassword accepted by portal in recovery/activation process
part 2Hashed and compared to LDAP valueCheck expiration date
Data Storage and Flow – Temp PW – Postal DeliveryGenerated by portal administrative interfaceRandom, fourteen character string made up of easily read
characters ( e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s )Good for 10 daysHashed, then stored in LDAP along with expiration date/timePortal generates letter. Puts in queue.Daily process prints generated letters. Need envelope stuffing
and mailing process.Send via Postal MailPassword accepted by portal in recovery/activation process
part 2Hashed and compared to LDAP valueCheck expiration date
SQA RecommendationsProvide user with list of eight questions from which
they must choose three to answer.Opinion rather than truth questions to deter public
information attacks and avoid storing personal information.
Remove case and white space from answers to ease repeatability and parsing.
Require a minimum length (3?) answer for each question
Add additional identity verification using the PCC for activation/recovery requests originating off-campus.
PCC Recommendations
In some situations, the private communication channel can be used as a fallback mechanism by itself if SQA answers are forgotten or not available.
LDAP stores PCC user preference but portal can limit user choice and choose method of transmission on the fly according to policy.
Policy DesignIt is strongly recommended that the following
policies be configurable, rather than hard coded, so they can be changed to meet changing environmental and business needs.Enable/Require SQA, PCC, or both for what population.Enable/Require email, cellmail, and/or SMS PCC for
what populationTemporary password characteristics – length, expiration
timeNumber of secret questions required
Consideration should be given to storing configuration data in a directory, not in the application.
Miscellaneous Design IssuesUse of generic classes to allow for future
expansion. For example:ID-Verification (e.g. SQA, PKI-Certificate,
RemotePictureID, OpenID, RemoteShibboleth, SecureID, LaptopFingerprint, VoiceID)
PCC (e.g. email, cellmail, SMS, WiFi, IM)LDAP Directory (e.g. eDirectory, OID, ActiveDirectory,
OVD)
Administrative functions should be moved off the home page to decrease clutter and end user confusion. ( e.g. accounts.university.edu/admin )
Administrative FunctionsHelpdesk ‘user present’ password recovery.
Helpdesk ‘user not present’ password recovery ( sends temporary password to provided unregistered PCC ).
Helpdesk ‘disable account’ ( sets account password to default and disables LDAP account )
Administrative FunctionsAccount status query:
Active Disabled Waiting for activation phase 1 Waiting for activation phase 2 ( SQA answered, temp password
send to PCC ( list ) Awaiting recovery phase 2. ( SQA answered, temp password
sent to PCC ( list )Logging
SQA failed/answered from IP address Phase 2 activation/recovery failed/succeeded from IP address Change password failed/succeeded from IP address PCC send failed
MigrationCurrent students, faculty, staff, affiliates, and graduates
Collect SQA and PCC information during normal password change cycle explaining the change online as well as through out of channel communications.
New Students Implement CollegeNet application process already discussed.
New Employees Need to come up with point in business process where identity
can be verified and SQA/PCC information collected. ( I9 form fill out time?)
New AffiliatesNeed to come up with point in business process where
identity can be verified and SQA/PCC information collected. Vendor vouch?
Cost Summary Extensive changes to accounts portal Business process re-engineering for account activation
prerequisites in student acceptance and employee hiring. Convenience and complexity impact on end user Increased frequency of fallback scenarios. Increased support complexity and sensitive user interaction
required in fallback scenarios. Increased outright failures of identity verification process in
certain remote situations requiring acceptance of risk associated with poor verification or significant end user impact on accessibility.
New LDAP attributes Changes to ID generation script Requires registration of external email and/or cell phone
information for off-campus account activation and password recovery
Requires SMS gateway if that option chosen over or in addition to cell@network email.