Self service password reset options
Hi, I don't use FIM, but I'm looking into its functionality. I have a relatively simple question that I can't find the answer for. In all I've read on password resets, the challenge system uses pre-entered questions and answers. Is it possible to use other challenge systems? For example, is it possible for a user to request a password reset and have half the password sent to the user's supervisor, and the other half sent to another nominated person? Thanks.
October 7th, 2010 7:33am

>>Is it possible to use other challenge systems?

So that's not really challenging the user then. The trick here is to somehow authenticate the user without his pwd. If you just send half of the pwd to two different persons, notice the user's password has already been reset to something new, yet you never confirm the user's identity. What you describe is a pwd distribution mechanism: e.g. send to manager, or user provides.
October 7th, 2010 7:45am

>>Is it possible to use other challenge systems? So that's not really challenging the user then.

Yep, good point. I probably didn't use the correct terminology. Anyway, can FIM do this? At my organisation, a password distribution mechanism is considered more secure than a Q&A challenge system. It depends on your point of view, I guess. With a Q&A system, you need one malicious person (who may or may not already have accounts) to gather some basic information on a target user to break in. By sending half of the password to two different people, you need two malicious users (with existing accounts) to break in, but they don't need to know anything about the target.
October 7th, 2010 8:52am

To answer your question about "can FIM do this", I would need to understand your scenario better:

1. User forgets his pwd and is now at his logon screen.
2. He clicks on the reset pwd link to initiate a pwd reset.
3. Immediately, his pwd is randomly reset to a new one.
4. The pwd is split up and sent to two persons.
5. The user needs to go ask those two persons for his new pwd.
6. He finally logs in with his new pwd.

Is this the scenario? If yes, I can pretend I am Freddofrog123 and reset your pwd?
October 7th, 2010 9:23am

That's almost the scenario. The person instigating the password reset would need to already be authenticated. So it would be something like this: User A forgets his pwd. He visits a colleague B who is logged in. B requests a password reset for user A and nominates a 3rd person, user C. Half of the password is presented to B immediately. The other half is emailed to user C. User A collects both halves from B and C. A malicious user could reset someone else's password to be a nuisance, but because they would need to authenticate to request the password reset, an admin could see who has done it by inspecting audit logs. Or actually, when the request is made, an email could be sent to A informing them that their password was reset by B (with help from C). So in this case, it's likely the malicious user would be caught. If a malicious user wanted to be more than a nuisance, and actually use A's account, they would need to collude with another user. And again, you would have audit logs naming the two malicious users when it became apparent that a password was compromised.
October 7th, 2010 12:01pm

I assume colleague B must be of some relation with A? Like direct manager? In short, this scenario can be done with a little bit of customization, namely:

1. Update User A's schema and add a field called NewPassword.
2. Write a custom activity which generates a random pwd, and then sends mail to the two users.
3. Reset the user pwd using the SetPassword API through WMI.

You need to write a little code but it's definitely doable. Some of us here have written tons of custom activities and can provide more info on the work required. (It would be unfair to say it's easy because I work on the product every day.)
October 7th, 2010 9:16pm
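The scenario worked out in the two posts above (an authenticated requester B, a nominated third person C, a randomly generated password split in two, and an audit trail naming both) can be sketched as a custom activity. The code below is an added illustration, not code from FIM or from anyone in this thread. It assumes two injected callables, `set_password` and `notify`, as stand-ins for the real SetPassword-over-WMI call and the mail/SMS delivery, so it runs offline against an in-memory directory; the entropy helper shows what a single colluder holding one half actually learns.

```python
import math
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length: int = 16) -> str:
    """Draw the new password from a CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_password(password: str) -> Tuple[str, str]:
    """Split into two halves; each holder receives only its own half."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def bits_of_entropy(chars: int) -> float:
    """Entropy of `chars` characters drawn uniformly from ALPHABET."""
    return chars * math.log2(len(ALPHABET))


@dataclass
class AuditEvent:
    target: str
    requester: str
    nominee: str
    action: str


@dataclass
class SplitResetActivity:
    # Hypothetical hooks: in FIM these would be the WMI SetPassword API
    # and the mail/SMS sending step of the custom activity.
    set_password: Callable[[str, str], None]
    notify: Callable[[str, str], None]
    audit: List[AuditEvent] = field(default_factory=list)

    def reset(self, target: str, requester: str, nominee: str, length: int = 16) -> Tuple[str, str]:
        # Three distinct accounts, otherwise one person could hold both halves.
        if len({target, requester, nominee}) != 3:
            raise ValueError("target, requester and nominee must be three distinct accounts")
        password = generate_password(length)
        first, second = split_password(password)
        self.set_password(target, password)
        self.notify(requester, f"Half 1 of the new password for {target}: {first}")
        self.notify(nominee, f"Half 2 of the new password for {target}: {second}")
        # Tell the target who acted, as the thread suggests, so a nuisance reset is noticed.
        self.notify(target, f"Your password was reset by {requester} with help from {nominee}")
        self.audit.append(AuditEvent(target, requester, nominee, "split-password-reset"))
        return first, second


def demo() -> dict:
    """Run one reset against a constructed in-memory directory and outbox."""
    directory = {"alice": "old-secret"}  # constructed sample data
    outbox: List[Tuple[str, str]] = []
    activity = SplitResetActivity(
        set_password=lambda user, pwd: directory.__setitem__(user, pwd),
        notify=lambda user, msg: outbox.append((user, msg)),
    )
    first, second = activity.reset(target="alice", requester="bob", nominee="carol")
    return {
        "directory": directory,
        "outbox": outbox,
        "audit": activity.audit,
        "halves": (first, second),
    }


if __name__ == "__main__":
    result = demo()
    print("audit:", result["audit"])
    print("entropy per half: %.1f bits, full password: %.1f bits"
          % (bits_of_entropy(8), bits_of_entropy(16)))
```

The distinctness check is the one the thread's collusion argument relies on: if the requester could nominate himself, the split would protect nothing. The entropy figures make the trade-off concrete: a colluder holding one half of a 16-character password still faces the other half, while the audit event names both parties for the admin.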

Jeremy Palenchar just presented something similar at TEC Europe. He has a boolean value on an administrative tab called reset password. An MPR fires when this is set to true that generates a random password; fires the reset operation via MIIS WMI interface (the correct and supported way); and sends a text (SMS) message to the target user's mobile/cell phone with the already expired password, i.e. you will be prompted to change at 1st logon. Here's his web site. Looks like he's made the code public already. http://identitynotes.palenchar.net/
October 7th, 2010 10:05pm

Thanks for the responses! In case anyone is interested, I've actually done a bit of searching, and Microsoft research has actually said that the secret Q&A mechanism is not a secure authenticator: http://research.microsoft.com/pubs/79594/oakland09.pdf and social-authentication (as they have named it) is promising, but not without its own problems: http://research.microsoft.com/pubs/79349/paper1459-schechter.pdf
October 8th, 2010 1:38am

Irrespective of what is or isn't said in that published paper (I haven't read it), it should be noted that the Q&A mechanism is, like it or not, a well-defined and viable way of authenticating an anonymous identity. Furthermore, any potential misgivings or concerns can be further reduced by making the number of questions and answers higher, more complex, etc. I say this because, for example, government and defence organisations utilise this mechanism and have had such deployments (whether we're talking about FIM, Quest, or anything else) approved for use by various accreditors (dependent on organisation, department, country, etc.). Ultimately, security is about risk. And if a Q&A approach is done properly, then the risk can be minimised sufficiently such that organisations can implement.
October 8th, 2010 10:05am
