
21 Jul. 2022

Community

Up for Discussion: Remote ID Verification for Password Recovery


Edited by Apryl Motley, CAE - InCommon Communications Lead

Editor’s Note: Collaboration among IAM professionals through the InCommon community is proof positive that many heads are often better than one. Exchanges between peers via InCommon’s discussion list in particular illustrate community members’ willingness to work together to explore issues and problems of common interest. 

Beginning this month, we plan to highlight some of these exchanges as a resource for members of our community who have similar questions, but with so much up for discussion, may have missed the responses. Check out this slightly edited version of a discussion from June 29, 2022, on different ways campuses are accomplishing remote ID verification. 

Got Questions? Your peers have answers.
If you’re already an active participant on our discussion list, thank you! To join our list, email sympa@incommon.org with the subject: subscribe InCommon Participants.


Question: What process does your team use for remotely assisting employees and students who have forgotten their passwords and cannot use a self-service tool? For those of you who require MFA, what do you do when users cannot log in to their accounts due to losing their phones, etc.? How do you verify ID remotely to add another device?

—Summer Scanlan, business systems analyst, University of California Berkeley, Information Security Office

Response 1: We require MFA (2FA) for all of our populations via our institutional SSO, and we have two self-service portals for reset purposes:

  • If they forget their password, we use their 2FA + personal email address* on file to identity proof and allow a password reset. 
  • If they need to regain access to MFA (locked out, add a new device, etc.), we use their password + personal email address on file OR their password + mobile number on file.

*Personal email address on file as registered through our ERP systems during affiliate onboarding [typically]; a one-time-use, time-bound OTP is sent to that email address.

Outside of self-service, we ID proof via Zoom across a dataset of shared secret information and government-issued IDs. Self-service is encouraged where possible.

—Garrett King, director, Identity & Access Management Services, Computing Services Division, Carnegie Mellon University
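The two self-service paths in Response 1 (password reset requires the existing second factor plus an OTP to the personal email on file; MFA recovery requires the password plus an OTP to either the email or the mobile number on file) can be modelled as a small policy table plus a time-bound, single-use OTP. The following is an added illustration, not code from the discussion or from Carnegie Mellon's portals; the ten-minute lifetime, eight-digit codes, attempt limit, in-memory store and the `outbox` stand-in for email/SMS delivery are all assumptions.

```python
"""Added example (not from the discussion): a model of the two self-service
recovery paths in Response 1, with a time-bound, single-use OTP sent to the
contact address on file. Durations, code length and the in-memory store are
assumptions for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 600   # assumed: an OTP is valid for ten minutes
OTP_LENGTH = 8          # assumed code length

# Recovery goal -> acceptable factor combinations. Each tuple is one
# sufficient set of evidence; the user must present everything in it.
POLICY = {
    "password_reset": [("mfa", "email_otp")],
    "mfa_recovery":   [("password", "email_otp"), ("password", "sms_otp")],
}


@dataclass
class OtpRecord:
    digest: str        # hash of the code; the plaintext code is never stored
    channel: str       # "email" or "sms"
    expires_at: float
    used: bool = False
    attempts: int = 0


class RecoveryService:
    MAX_ATTEMPTS = 5   # assumed guess limit per issued code

    def __init__(self, directory, clock=time.time):
        # directory: user -> {"email": ..., "mobile": ...}, i.e. the contact
        # data registered through the ERP at onboarding (constructed here).
        self.directory = directory
        self.clock = clock
        self._otps = {}    # (user, channel) -> OtpRecord
        self.outbox = []   # (contact, code) pairs the real system would send

    def issue_otp(self, user, channel):
        field = "email" if channel == "email" else "mobile"
        contact = self.directory[user].get(field)
        if not contact:
            raise LookupError(f"no {channel} contact on file for {user}")
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        self._otps[(user, channel)] = OtpRecord(
            digest=hashlib.sha256(code.encode()).hexdigest(),
            channel=channel,
            expires_at=self.clock() + OTP_TTL_SECONDS,
        )
        self.outbox.append((contact, code))
        return code   # returned only so the example can demonstrate verification

    def verify_otp(self, user, channel, code):
        rec = self._otps.get((user, channel))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False              # unknown, already used, or expired
        rec.attempts += 1
        if rec.attempts > self.MAX_ATTEMPTS:
            return False              # too many guesses against this code
        ok = hmac.compare_digest(rec.digest, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            rec.used = True           # single use: a replayed code is rejected
        return ok

    def may_recover(self, goal, presented):
        """presented: set of factor names the user has actually demonstrated."""
        return any(set(combo) <= presented for combo in POLICY[goal])


if __name__ == "__main__":
    svc = RecoveryService({"alice": {"email": "alice@example.edu", "mobile": "+15550100"}})
    code = svc.issue_otp("alice", "email")
    print("first use:", svc.verify_otp("alice", "email", code))    # True
    print("replay:", svc.verify_otp("alice", "email", code))       # False
    print("reset ok:", svc.may_recover("password_reset", {"mfa", "email_otp"}))
```

The `POLICY` table is the security-relevant part: a password alone never unlocks a password reset, and an OTP alone never unlocks MFA recovery, so a single compromised channel (a phished password or a hijacked mailbox) is not enough to take over the account through the recovery path.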


Response 2: Texas A&M is exploring automated solutions in this space such as Incode to help us verify identity documents for account recovery purposes. We have tested a few vendors and have some key findings; our current challenges relate to regulatory requirements for cloud hosted solutions (getting vendors to participate in TX-RAMP, for example). If anyone is interested in exploring this as an InCommon working group (perhaps recommending a set of vendors, development of a standard, or even securing discounted rates as part of the NET+ program), I would be very interested in helping to lead an effort like that. 

—Garrett Yamada, identity & access management engineer, Texas A&M University


Response 3: Our support desk will have the individual get on a Zoom and present government ID. We then compare the details of the ID with what we have on file as well as compare the government ID photo with the human and cross-check it with our own ID photo. If everything matches, the person is assisted in recovery.

—David Langenberg, assistant director, Identity & Access Management; The University of Chicago

Response 4: We typically have our first-tier employees connect with the user via Teams or Zoom and also confirm identity from an internal account management portal that pulls information from our SIS/ERP Ellucian Banner.


For password resets, once their identity is reviewed, we implement a 24-hour “bypass” of phone, email, and security questions by reverting to any phone number or email address we have registered in Banner. For example, if users don’t have access to their primary phone or remember their security questions, the “bypass” allows them to connect using any phone number or email address that is active in Banner without security questions. This is all supported by an internally developed app.

For MFA, we primarily use Duo, and after reviewing the identity, we will assist in managing phones as needed. We do have email alerts to our security office for any of these device changes. We have also been moving a number of users to Microsoft’s Self-Service Password Reset and Azure MFA. For those users, the identity vetting is the same, but we use the Microsoft “Temporary Access Pass” (TAP) as a one-time code to bypass the MFA requirements, or we select “require re-enrollment.”

—Don Miller, system integration analyst, University of Idaho
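Response 4 describes two controls worth modelling together: a 24-hour "bypass" granted only after an agent has vetted identity, during which any phone number or email address active in the system of record may be used and security questions are waived, and an alert to the security office on every MFA device change. The block below is an added illustration, not the University of Idaho's internal app; the `Contact` records standing in for Banner data, the `alerts` list standing in for email alerts, and the injectable clock are assumptions.

```python
"""Added example (not from the discussion): a model of the 24-hour recovery
bypass and MFA device-change alerting described in Response 4. Contact
records, the alert sink and the clock are constructed assumptions."""
import time
from dataclasses import dataclass

BYPASS_SECONDS = 24 * 60 * 60   # the 24-hour window from the post


@dataclass
class Contact:
    kind: str       # "phone" or "email"
    value: str
    active: bool    # only contacts flagged active in the system of record count
    primary: bool   # the contact normally used for recovery codes


class BypassManager:
    def __init__(self, contacts_of_record, clock=time.time):
        # contacts_of_record: user -> list[Contact]; constructed stand-in for SIS/ERP data
        self.contacts = contacts_of_record
        self.clock = clock
        self._bypass = {}   # user -> (granted_at, expires_at, vetted_by)
        self.alerts = []    # events that would be mailed to the security office

    def grant_bypass(self, user, vetted_by):
        """Call only after a first-tier agent has vetted identity (video call plus
        the account-management portal). Granting is itself an auditable event."""
        now = self.clock()
        self._bypass[user] = (now, now + BYPASS_SECONDS, vetted_by)
        self.alerts.append({"event": "bypass_granted", "user": user,
                            "by": vetted_by, "at": now})

    def bypass_active(self, user):
        rec = self._bypass.get(user)
        return rec is not None and self.clock() < rec[1]

    def usable_contacts(self, user):
        """Contacts that may receive a recovery code right now.
        During the bypass: every active phone/email of record.
        Otherwise (assumed normal rule): only the active primary contact."""
        active = [c for c in self.contacts.get(user, []) if c.active]
        if self.bypass_active(user):
            return active
        return [c for c in active if c.primary]

    def security_questions_required(self, user):
        """Security questions are waived only while the bypass is active."""
        return not self.bypass_active(user)

    def record_device_change(self, user, action, device, agent):
        """Every MFA device change, assisted or self-service, raises an alert."""
        self.alerts.append({"event": "mfa_device_change", "user": user,
                            "action": action, "device": device,
                            "agent": agent, "at": self.clock()})

    def alerts_for(self, event):
        return [a for a in self.alerts if a["event"] == event]


if __name__ == "__main__":
    mgr = BypassManager({"carol": [
        Contact("phone", "+15550100", active=True, primary=True),
        Contact("email", "carol@example.edu", active=True, primary=False),
        Contact("phone", "+15550199", active=False, primary=False),
    ]})
    print([c.value for c in mgr.usable_contacts("carol")])   # primary only
    mgr.grant_bypass("carol", vetted_by="helpdesk-agent-1")
    print([c.value for c in mgr.usable_contacts("carol")])   # all active contacts
    print(mgr.security_questions_required("carol"))          # False during bypass
```

Two design points follow directly from the post: the widened set of contacts is bounded by what is already active in the system of record, so the bypass never lets an agent type in a new, unvetted address; and the window closes on its own, so a grant that is never used does not linger as a standing weakness.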