Transcript Change
Draft – 10/28/2008 14:00PM Problem Summary SSN must be removed as a basis for identity verification for: Account Activation Password Change Password Recovery SSN is currently the only near universal shared secret that can be used for identity verification. Challenges Remote identity verification by shared secret requires: Secret that is accessible and usable by both individual and us Secret that is known only to the individual and us Private communications channel to share the secret Most alternatives to SSN currently fail one or both of the first two requirements. SSN almost always provides a reliable fallback of last resort. Alternative solutions require a compromise between positive identification and convenience. Proposed Solution Summary Primary Verification Secret Question/Answer ( SQA ) generates temporary password sent through private communications channel ( PCC ) consisting of external email, cellmail, and/or cell SMS communications. Secondary or Fallback Verification PCC or SQA only Helpdesk physical visit Supervisor voice verification Role based business/academic questions Webcam visual identification (raise two fingers) Voiceprint Fax picture identity card Postal mail Non-positive identification Secret Question/Answer ( SQA ) The answers effectively form a password. A password that violates most best practices for passwords: Dictionary presence Public, personal, or guessable information Complexity rules Password change and history rules Answers may not be any more memorable than a password Private Communications Channel (PCC) To add assurance to the poor SQA password, additional identity verification is carried out using a private communication channel. The PCC requires an additional, university independent user password and/or physical possession of an object. The “Private” in PCC is relative. Private Communications Channel (PCC) External E-mail ( e.g. gmail, live ) Cellmail E-mail to cell#@network.org Requires collection and storage of network information. Recently stopped. Not sure if all networks provide this service but most do. SMS Blackboard Connect? Campus SMS Gateway? Outsourced SMS Gateway? Voice? Blackboard Connect? Any cell option is well worth pursuing for benefits down the road in “twofactor” authentication and other uses. Inclusion in the solution at its outset is strongly recommended. Operational Overview Accounts.university.edu Home Page Activate account for new users Change password for existing users Recover from forgotten password Use Case – Activate Account – Primary Method Student or employee receives email or postal mail upon acceptance with account name and URL: Accounts.university.edu/activate-step-1. Person visits accounts.university.edu/activate-step-1 with browser. Answers SQA ( filled in previously from student application or as yet unknown new employee/affiliate process ) Temporary password sent via PCC on record from student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/activate-step-2 Accounts.university.edu/activate-step-2 Enters ID and temporary password Chance to change SQA Security Awareness Change password PCC information verification ( correction leads to SA or HR self service pages ) Use Case –Change Password – Primary Method Accounts.university.edu/change Login Chance to review SQA questions and change Security Awareness Change password PCC information verification ( correction leads to SA or HR self service pages ) Use Case –Recover Password – Primary Method Accounts.university.edu/recover Enter ID SQA Temporary password sent via PCC on record from student application or as yet unknown new employee/affiliate process. Contains URL accounts.university.edu/recover-step-2 Accounts.university.edu/recover-step-2 Enters ID and temporary password Chance to change SQA Security Awareness Change password PCC information verification ( correction leads to SA or HR self service ) Basic Tradeoffs – Primary Methods More convenience Require only one of SQA or PCC Allow e-mail PCC More positive identification and security Require both SQA and PCC Require cell PCC Tradeoffs – Recommendations for Primary Methods At roll-out: On-campus request Allow recovery with either SQA or PCC ( e-mail or cell ) individually for all parties Off-campus request: Allow recovery with e-mail or cell PCC by itself if student. Allow recovery with cell PCC by itself if employee. After stable: On-campus request Allow recovery with either SQA or PCC ( e-mail 0r cell ) individually if requested on-campus by all parties. Off-campus request Require both SQA and PCC. Cell PCC for employees. Cell or email PCC for students. Operational Overview – Fallback Verification Assumption: SQA and PCC unsuccessful/unavailable PCC or SQA only Helpdesk physical visit Supervisor voice verification Role based business/academic questions Webcam visual identification (hold up two fingers) Voiceprint Fax picture identity card Postal mail Non-positive identification Use Case – Activate Account – Fallback Methods Postal mail to address of record with temporary password Physical helpdesk visit for employees Emergency vouch for identity and unregistered PCC on case by case basis Physical visit or academic questions for students Enrolled classes Grades Application information Use Case – Recover Password – Fallback Methods Physical helpdesk visit Supervisor voice verification Helpdesk call Supervisor physical helpdesk visit Role based business/academic questions Helpdesk call Forwarded to student/employee/affiliate business analyst Classes, grades, HR info, ??? Postal Mail to Address on record Basic Tradeoffs – Fallback Methods More convenience Allow third party vouch More security Require positive identification by physical visit Tradeoffs – Recommendations for Fallback Methods Physical visit or supervisor vouch for employees or affiliates Physical visit or academic questions for students Enrolled classes Grades Residence hall Last resort (No physical access to university. No university vouch unavailable). Consideration must be given to sensitivity of account. Postal mail to address on record. Trust in third party vouch ( e.g. distance learning physical ID check, validated remote higher ed personnel physical ID check ) Webcam visual identification (raise two fingers) Fax picture identity card Physical Helpdesk Visit Dedicated, locked down machine(s) Helpdesk checks ID Helpdesk logs into computer and enters user’s ID User goes through standard account activation process: SQA set Security Awareness Change password Verify PCC information ( change leads to SA or HR self service pages ) Helpdesk Computers Computer Security Controls Screensaver timeout Session timeout Kiosk style configuration lockdown No ability to backtrack through screens Supervisor Vouch Helpdesk receives call, claimed identity, supervisor name, unregistered PCC. Helpdesk verifies supervisor and contact information. Confirms with supervisor over phone by helpdesk initiated call. Helpdesk logs in and initiates password recovery for claimed identity and unregistered PCC or Supervisor must physically visit helpdesk and do same Portal sends temporary password through unregistered PCC. Architecture and Implementation New functions New data Policy vs programming Futures Migration Costs New Portal Functions Ask/Verify/Set SQA Verify email, cell phone, cell network. Redirect to SA or HR self service pages for change. Generate temporary password Generate email/cellmail/SMS according to user preference and policy Receive temp password SQA set Security Awareness Change password Verify email/SMS. Redirect to SA or HR self service pages for change. New LDAP Data Cell number ( from peoplesoft ) Cell network ( from peoplesoft ) External e-mail address ( from peoplesoft ) PCC User Preference ( email/cellmail/SMS ) SQA ( from collegenet/portal activation ) Temporary password and expiration date ( generated by portal ) Random salt for default password ( generated by managedaccounts ) Default Password - REDACTED ( generated by managedaccounts ) New Managed Accounts Functions CollegeNet -> JCC ( SQA, email, cell, cell network ) Random default password salt -> LDAP for new accounts Default password -> LDAP for new accounts SQA, email, cell -> LDAP for new accounts Data Storage and Flow - SQA User selects questions and provides answers Collegenet application ( new students ) Hire process ( new employees ) Affiliate process ( new affiliates ) Portal ( existing population ) SQA for new students, employees, and affiliates loaded into LDAP LDAP becomes SOA All changes & administration done in portal Data Storage and Flow - PCC User provides e-mail, cell#, cell network Collegenet application ( new students ) Hire process ( new employees ) Affiliate process ( new affiliates ) Portal ( existing population ) PCC data for new students, employees, and affiliates loaded into LDAP Peoplesoft remains SOA Portal uses LDAP for look-ups Portal directs user to SA or HR self service pages for changes Data Storage and Flow – Default PW Managed accounts generates random salt for new accounts and stores in LDAP Managed accounts generates default password unique to individual using reproducible algorithm making use of random salt. Sets as password for new accounts. Accounts portal administrative console changes password of “disabled” accounts to default password. Data Storage and Flow – Temp PW – PCC delivery Generated by portal on the fly Account activation User Password recovery Administrative recovery ( helpdesk, vouch, etc. ) Random, fourteen character string made up of easily read characters ( e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s ) Good for twenty-four hours Hashed, then stored in LDAP along with expiration date/time Sent via PCC Password accepted by portal in recovery/activation process part 2 Hashed and compared to LDAP value Check expiration date Data Storage and Flow – Temp PW – Postal Delivery Generated by portal administrative interface Random, fourteen character string made up of easily read characters ( e.g. no ‘o’s, ‘0’s, ‘1’s, or ‘l’s ) Good for 10 days Hashed, then stored in LDAP along with expiration date/time Portal generates letter. Puts in queue. Daily process prints generated letters. Need envelope stuffing and mailing process. Send via Postal Mail Password accepted by portal in recovery/activation process part 2 Hashed and compared to LDAP value Check expiration date SQA Recommendations Provide user with list of eight questions from which they must choose three to answer. Opinion rather than truth questions to deter public information attacks and avoid storing personal information. Remove case and white space from answers to ease repeatability and parsing. Require a minimum length (3?) answer for each question Add additional identity verification using the PCC for activation/recovery requests originating off-campus. PCC Recommendations In some situations, the private communication channel can be used as a fallback mechanism by itself if SQA answers are forgotten or not available. LDAP stores PCC user preference but portal can limit user choice and choose method of transmission on the fly according to policy. Policy Design It is strongly recommended that the following policies be configurable, rather than hard coded, so they can be changed to meet changing environmental and business needs. Enable/Require SQA, PCC, or both for what population. Enable/Require email, cellmail, and/or SMS PCC for what population Temporary password characteristics – length, expiration time Number of secret questions required Consideration should be given to storing configuration data in a directory, not in the application. Miscellaneous Design Issues Use of generic classes to allow for future expansion. For example: ID-Verification (e.g. SQA, PKI-Certificate, RemotePictureID, OpenID, RemoteShibboleth, SecureID, LaptopFingerprint, VoiceID) PCC (e.g. email, cellmail, SMS, WiFi, IM) LDAP Directory (e.g. eDirectory, OID, ActiveDirectory, OVD) Administrative functions should be moved off the home page to decrease clutter and end user confusion. ( e.g. accounts.university.edu/admin ) Administrative Functions Helpdesk ‘user present’ password recovery. Helpdesk ‘user not present’ password recovery ( sends temporary password to provided unregistered PCC ). Helpdesk ‘disable account’ ( sets account password to default and disables LDAP account ) Administrative Functions Account status query: Active Disabled Waiting for activation phase 1 Waiting for activation phase 2 ( SQA answered, temp password send to PCC ( list ) Awaiting recovery phase 2. ( SQA answered, temp password sent to PCC ( list ) Logging SQA failed/answered from IP address Phase 2 activation/recovery failed/succeeded from IP address Change password failed/succeeded from IP address PCC send failed Migration Current students, faculty, staff, affiliates, and graduates Collect SQA and PCC information during normal password change cycle explaining the change online as well as through out of channel communications. New Students Implement CollegeNet application process already discussed. New Employees Need to come up with point in business process where identity can be verified and SQA/PCC information collected. ( I9 form fill out time?) New Affiliates Need to come up with point in business process where identity can be verified and SQA/PCC information collected. Vendor vouch? Cost Summary Extensive changes to accounts portal Business process re-engineering for account activation prerequisites in student acceptance and employee hiring. Convenience and complexity impact on end user Increased frequency of fallback scenarios. Increased support complexity and sensitive user interaction required in fallback scenarios. Increased outright failures of identity verification process in certain remote situations requiring acceptance of risk associated with poor verification or significant end user impact on accessibility. New LDAP attributes Changes to ID generation script Requires registration of external email and/or cell phone information for off- campus account activation and password recovery Requires SMS gateway if that option chosen over or in addition to cell@network email.