Proposal for SSN Removal from Account Activation/Password Renewal Process

Draft – 10/28/2008 14:00PM

Upload: keaton-powers

Post on 30-Dec-2015


Page 1: Proposal for SSN Removal from Account Activation/Password Renewal Process

Draft – 10/28/2008 14:00PM

Page 2: Problem Summary

SSN must be removed as a basis for identity verification for:
- Account Activation
- Password Change
- Password Recovery

SSN is currently the only near universal shared secret that can be used for identity verification.

Page 3: Challenges

Remote identity verification by shared secret requires:
- A secret that is accessible and usable by both the individual and us
- A secret that is known only to the individual and us
- A private communications channel to share the secret

Most alternatives to SSN currently fail one or both of the first two requirements.

SSN almost always provides a reliable fallback of last resort.

Alternative solutions require a compromise between positive identification and convenience.

Page 4: Proposed Solution Summary

Primary Verification
- Secret Question/Answer (SQA) generates a temporary password sent through a private communications channel (PCC) consisting of external e-mail, cellmail, and/or cell SMS communications.

Secondary or Fallback Verification
- PCC or SQA only
- Helpdesk physical visit
- Supervisor voice verification
- Role based business/academic questions
- Webcam visual identification (raise two fingers)
- Voiceprint
- Fax picture identity card
- Postal mail
- Non-positive identification

Page 5: Secret Question/Answer (SQA)

The answers effectively form a password, one that violates most best practices for passwords:
- Dictionary presence
- Public, personal, or guessable information
- Complexity rules
- Password change and history rules

Answers may not be any more memorable than a password.

Page 6: Private Communications Channel (PCC)

To add assurance to the poor SQA password, additional identity verification is carried out using a private communication channel.

The PCC requires an additional, university-independent user password and/or physical possession of an object.

The “Private” in PCC is relative.

Page 7: Private Communications Channel (PCC)

- External E-mail (e.g. gmail, live)
- Cellmail: E-mail to cell#@network.org. Requires collection and storage of network information. Recently stopped. Not sure if all networks provide this service but most do.
- SMS: Blackboard Connect? Campus SMS Gateway? Outsourced SMS Gateway?
- Voice? Blackboard Connect?

Any cell option is well worth pursuing for benefits down the road in “two-factor” authentication and other uses. Inclusion in the solution at its outset is strongly recommended.

Page 8: Operational Overview

Page 9: Accounts.university.edu Home Page

- Activate account for new users
- Change password for existing users
- Recover from forgotten password

Page 10: Use Case – Activate Account – Primary Method

- Student or employee receives email or postal mail upon acceptance with account name and URL: Accounts.university.edu/activate-step-1.
- Person visits accounts.university.edu/activate-step-1 with a browser.
- Answers SQA (filled in previously from student application or as yet unknown new employee/affiliate process).
- Temporary password sent via PCC on record from student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/activate-step-2.
- Accounts.university.edu/activate-step-2:
  - Enters ID and temporary password
  - Chance to change SQA
  - Security Awareness
  - Change password
  - PCC information verification (correction leads to SA or HR self service pages)

Page 11: Use Case – Change Password – Primary Method

- Accounts.university.edu/change
- Login
- Chance to review SQA questions and change
- Security Awareness
- Change password
- PCC information verification (correction leads to SA or HR self service pages)

Page 12: Use Case – Recover Password – Primary Method

- Accounts.university.edu/recover
- Enter ID
- SQA
- Temporary password sent via PCC on record from student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/recover-step-2.
- Accounts.university.edu/recover-step-2:
  - Enters ID and temporary password
  - Chance to change SQA
  - Security Awareness
  - Change password
  - PCC information verification (correction leads to SA or HR self service)

Page 13: Basic Tradeoffs – Primary Methods

More convenience
- Require only one of SQA or PCC
- Allow e-mail PCC

More positive identification and security
- Require both SQA and PCC
- Require cell PCC

Page 14: Tradeoffs – Recommendations for Primary Methods

At roll-out:
- On-campus request: Allow recovery with either SQA or PCC (e-mail or cell) individually for all parties.
- Off-campus request: Allow recovery with e-mail or cell PCC by itself if student. Allow recovery with cell PCC by itself if employee.

After stable:
- On-campus request: Allow recovery with either SQA or PCC (e-mail or cell) individually if requested on-campus by all parties.
- Off-campus request: Require both SQA and PCC. Cell PCC for employees. Cell or email PCC for students.

Page 15: Operational Overview – Fallback Verification

Assumption: SQA and PCC unsuccessful/unavailable.
- PCC or SQA only
- Helpdesk physical visit
- Supervisor voice verification
- Role based business/academic questions
- Webcam visual identification (hold up two fingers)
- Voiceprint
- Fax picture identity card
- Postal mail
- Non-positive identification

Page 16: Use Case – Activate Account – Fallback Methods

- Postal mail to address of record with temporary password
- Physical helpdesk visit for employees
  - Emergency vouch for identity and unregistered PCC on a case by case basis
- Physical visit or academic questions for students
  - Enrolled classes
  - Grades
  - Application information

Page 17: Use Case – Recover Password – Fallback Methods

- Physical helpdesk visit
- Supervisor voice verification
  - Helpdesk call
  - Supervisor physical helpdesk visit
- Role based business/academic questions
  - Helpdesk call
  - Forwarded to student/employee/affiliate business analyst
  - Classes, grades, HR info, ???
- Postal mail to address on record

Page 18: Basic Tradeoffs – Fallback Methods

More convenience
- Allow third party vouch

More security
- Require positive identification by physical visit

Page 19: Tradeoffs – Recommendations for Fallback Methods

- Physical visit or supervisor vouch for employees or affiliates
- Physical visit or academic questions for students
  - Enrolled classes
  - Grades
  - Residence hall
- Last resort (no physical access to university; no university vouch available). Consideration must be given to sensitivity of account.
  - Postal mail to address on record
  - Trust in third party vouch (e.g. distance learning physical ID check, validated remote higher ed personnel physical ID check)
  - Webcam visual identification (raise two fingers)
  - Fax picture identity card

Page 20: Physical Helpdesk Visit

- Dedicated, locked down machine(s)
- Helpdesk checks ID
- Helpdesk logs into computer and enters user’s ID
- User goes through standard account activation process:
  - SQA set
  - Security Awareness
  - Change password
  - Verify PCC information (change leads to SA or HR self service pages)

Page 21: Helpdesk Computers

Computer Security Controls
- Screensaver timeout
- Session timeout
- Kiosk style configuration lockdown
- No ability to backtrack through screens

Page 22: Supervisor Vouch

- Helpdesk receives call, claimed identity, supervisor name, unregistered PCC.
- Helpdesk verifies supervisor and contact information. Confirms with supervisor over phone by helpdesk initiated call.
- Helpdesk logs in and initiates password recovery for claimed identity and unregistered PCC, or supervisor must physically visit helpdesk and do the same.
- Portal sends temporary password through unregistered PCC.

Page 23: Architecture and Implementation

- New functions
- New data
- Policy vs programming
- Futures
- Migration
- Costs

Page 24: New Portal Functions

- Ask/Verify/Set SQA
- Verify email, cell phone, cell network. Redirect to SA or HR self service pages for change.
- Generate temporary password
- Generate email/cellmail/SMS according to user preference and policy
- Receive temp password
- SQA set
- Security Awareness
- Change password
- Verify email/SMS. Redirect to SA or HR self service pages for change.

Page 25: New LDAP Data

- Cell number (from PeopleSoft)
- Cell network (from PeopleSoft)
- External e-mail address (from PeopleSoft)
- PCC user preference (email/cellmail/SMS)
- SQA (from CollegeNet/portal activation)
- Temporary password and expiration date (generated by portal)
- Random salt for default password (generated by managed-accounts)
- Default password - REDACTED (generated by managed-accounts)

Page 26: New Managed Accounts Functions

- CollegeNet -> JCC (SQA, email, cell, cell network)
- Random default password salt -> LDAP for new accounts
- Default password -> LDAP for new accounts
- SQA, email, cell -> LDAP for new accounts

Page 27: Data Storage and Flow - SQA

User selects questions and provides answers in:
- CollegeNet application (new students)
- Hire process (new employees)
- Affiliate process (new affiliates)
- Portal (existing population)

Storage:
- SQA for new students, employees, and affiliates loaded into LDAP
- LDAP becomes SOA
- All changes & administration done in portal

Page 28: Data Storage and Flow - PCC

User provides e-mail, cell#, cell network in:
- CollegeNet application (new students)
- Hire process (new employees)
- Affiliate process (new affiliates)
- Portal (existing population)

Storage:
- PCC data for new students, employees, and affiliates loaded into LDAP
- PeopleSoft remains SOA
- Portal uses LDAP for look-ups
- Portal directs user to SA or HR self service pages for changes

Page 29: Data Storage and Flow – Default PW

- Managed accounts generates random salt for new accounts and stores it in LDAP.
- Managed accounts generates a default password unique to the individual using a reproducible algorithm making use of the random salt. Sets it as the password for new accounts.
- Accounts portal administrative console changes password of “disabled” accounts to the default password.

Page 30: Data Storage and Flow – Temp PW – PCC Delivery

Generated by portal on the fly for:
- Account activation
- User password recovery
- Administrative recovery (helpdesk, vouch, etc.)

Characteristics and flow:
- Random, fourteen character string made up of easily read characters (e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s)
- Good for twenty-four hours
- Hashed, then stored in LDAP along with expiration date/time
- Sent via PCC
- Password accepted by portal in recovery/activation process part 2
  - Hashed and compared to LDAP value
  - Check expiration date

Page 31: Data Storage and Flow – Temp PW – Postal Delivery

- Generated by portal administrative interface
- Random, fourteen character string made up of easily read characters (e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s)
- Good for 10 days
- Hashed, then stored in LDAP along with expiration date/time
- Portal generates letter. Puts it in queue.
- Daily process prints generated letters. Need envelope stuffing and mailing process.
- Sent via postal mail
- Password accepted by portal in recovery/activation process part 2
  - Hashed and compared to LDAP value
  - Check expiration date
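The temporary-password lifecycle described on pages 30 and 31 (fourteen easily read characters, only a hash stored next to an expiry, hashed comparison and expiry check in part 2), as an added example that is not part of the proposal or its portal code. The in-memory dictionary stands in for the LDAP attributes, the 24-hour and 10-day lifetimes are the ones stated above, and dropping 'O' and 'I' alongside the slides' 'o', '0', '1' and 'l' is an assumption.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Easily read characters: the proposal excludes 'o', '0', '1' and 'l';
# 'O' and 'I' are dropped here as well (assumption, same rationale).
READABLE_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TEMP_PW_LENGTH = 14
LIFETIME = {"pcc": timedelta(hours=24), "postal": timedelta(days=10)}


def generate_temp_password(length=TEMP_PW_LENGTH):
    """Random string from the readable alphabet (about 81 bits at 14 chars)."""
    return "".join(secrets.choice(READABLE_ALPHABET) for _ in range(length))


def hash_temp_password(user_id, password):
    """Per-user salted hash. The token is high-entropy and random, so a
    salted SHA-256 is adequate here; a slow KDF is not needed for it."""
    return hashlib.sha256(f"{user_id}\0{password}".encode()).hexdigest()


def issue_temp_password(store, user_id, delivery, now):
    """Create the temp password, store only its hash and expiry (stand-in
    for the LDAP attributes) and return the cleartext for PCC or letter
    delivery. delivery is 'pcc' (24 hours) or 'postal' (10 days)."""
    password = generate_temp_password()
    store[user_id] = {
        "tempPwHash": hash_temp_password(user_id, password),
        "tempPwExpires": now + LIFETIME[delivery],
    }
    return password


def redeem_temp_password(store, user_id, candidate, now):
    """Part 2 of activation/recovery: hash the submitted value, compare it
    to the stored hash in constant time, then check the expiry. A
    successful redemption clears the record so the password is single use."""
    record = store.get(user_id)
    if record is None:
        return False
    matches = hmac.compare_digest(
        record["tempPwHash"], hash_temp_password(user_id, candidate)
    )
    if not matches or now > record["tempPwExpires"]:
        return False
    del store[user_id]
    return True
```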

Page 32: SQA Recommendations

- Provide user with a list of eight questions from which they must choose three to answer.
- Opinion rather than truth questions to deter public information attacks and avoid storing personal information.
- Remove case and white space from answers to ease repeatability and parsing.
- Require a minimum length (3?) answer for each question.
- Add additional identity verification using the PCC for activation/recovery requests originating off-campus.
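The SQA answer handling recommended above (three of eight questions, case and white space removed before use, a minimum answer length of 3), as an added example that is not part of the proposal or its portal code. Storing each normalized answer as a salted PBKDF2 hash rather than in clear is an assumption made here because the slides note that the answers effectively form a password; the dictionary of records stands in for the LDAP SQA attribute.

```python
import hashlib
import hmac
import re
import secrets

MIN_ANSWER_LENGTH = 3   # the proposal suggests 3 as a minimum
REQUIRED_ANSWERS = 3    # user answers three of the eight offered questions
PBKDF2_ROUNDS = 50_000  # assumption; the slides do not specify a hash


def normalize_answer(answer):
    """Drop case and all white space so 'New York' and 'new york' repeat."""
    return re.sub(r"\s+", "", answer).lower()


def answer_is_acceptable(answer):
    """Minimum length is measured after normalization, so padding an answer
    with spaces cannot satisfy it."""
    return len(normalize_answer(answer)) >= MIN_ANSWER_LENGTH


def hash_answer(normalized, salt):
    """Salted, slow hash of one normalized answer (answers are low entropy)."""
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS).hex()


def enroll_sqa(choices):
    """choices maps question id -> answer. Returns the records to store
    (stand-in for LDAP): per question a fresh random salt and answer hash."""
    if len(choices) != REQUIRED_ANSWERS:
        raise ValueError(f"exactly {REQUIRED_ANSWERS} questions must be answered")
    records = {}
    for question, answer in choices.items():
        if not answer_is_acceptable(answer):
            raise ValueError(f"answer to {question} shorter than {MIN_ANSWER_LENGTH}")
        salt = secrets.token_bytes(16)
        records[question] = (salt, hash_answer(normalize_answer(answer), salt))
    return records


def verify_sqa(records, answers):
    """Every enrolled question must be answered correctly. All answers are
    checked before returning so timing does not reveal which one failed."""
    all_ok = True
    for question, (salt, expected) in records.items():
        candidate = hash_answer(normalize_answer(answers.get(question, "")), salt)
        all_ok = hmac.compare_digest(expected, candidate) and all_ok
    return all_ok
```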

Page 33: PCC Recommendations

In some situations, the private communication channel can be used as a fallback mechanism by itself if SQA answers are forgotten or not available.

LDAP stores PCC user preference but portal can limit user choice and choose method of transmission on the fly according to policy.

Page 34: Policy Design

It is strongly recommended that the following policies be configurable, rather than hard coded, so they can be changed to meet changing environmental and business needs:
- Enable/Require SQA, PCC, or both for what population
- Enable/Require email, cellmail, and/or SMS PCC for what population
- Temporary password characteristics – length, expiration time
- Number of secret questions required

Consideration should be given to storing configuration data in a directory, not in the application.

Page 35: Miscellaneous Design Issues

Use of generic classes to allow for future expansion. For example:
- ID-Verification (e.g. SQA, PKI-Certificate, RemotePictureID, OpenID, RemoteShibboleth, SecureID, LaptopFingerprint, VoiceID)
- PCC (e.g. email, cellmail, SMS, WiFi, IM)
- LDAP Directory (e.g. eDirectory, OID, ActiveDirectory, OVD)

Administrative functions should be moved off the home page to decrease clutter and end user confusion (e.g. accounts.university.edu/admin).

Page 36: Administrative Functions

- Helpdesk ‘user present’ password recovery.
- Helpdesk ‘user not present’ password recovery (sends temporary password to provided unregistered PCC).
- Helpdesk ‘disable account’ (sets account password to default and disables LDAP account).

Page 37: Administrative Functions

Account status query:
- Active
- Disabled
- Waiting for activation phase 1
- Waiting for activation phase 2 (SQA answered, temp password sent to PCC (list))
- Awaiting recovery phase 2 (SQA answered, temp password sent to PCC (list))

Logging:
- SQA failed/answered from IP address
- Phase 2 activation/recovery failed/succeeded from IP address
- Change password failed/succeeded from IP address
- PCC send failed

Page 38: Migration

- Current students, faculty, staff, affiliates, and graduates: Collect SQA and PCC information during the normal password change cycle, explaining the change online as well as through out-of-channel communications.
- New students: Implement CollegeNet application process already discussed.
- New employees: Need to come up with a point in the business process where identity can be verified and SQA/PCC information collected. (I9 form fill out time?)
- New affiliates: Need to come up with a point in the business process where identity can be verified and SQA/PCC information collected. Vendor vouch?

Page 39: Cost Summary

- Extensive changes to accounts portal
- Business process re-engineering for account activation prerequisites in student acceptance and employee hiring
- Convenience and complexity impact on end user
  - Increased frequency of fallback scenarios
  - Increased support complexity and sensitive user interaction required in fallback scenarios
  - Increased outright failures of the identity verification process in certain remote situations, requiring acceptance of the risk associated with poor verification or significant end user impact on accessibility
- New LDAP attributes
- Changes to ID generation script
- Requires registration of external email and/or cell phone information for off-campus account activation and password recovery
- Requires SMS gateway if that option is chosen over or in addition to cell@network email