Spent some time over lunch talking to DNS. We discussed Self-Service Password Reset (SSPR). They indicated the following:
- If you get password convergence, the use of SSPR reduces, as people have only one password to remember
- People feel a stronger ownership of their password when they have only one (it is their password, not the Windows password or the e-mail password or VLE password). That stronger ownership leads to them keeping their password more secure.
- When there is password convergence, people are less likely to share their password, as that password gives access to their e-mail.
- They have implemented SSPR but use up to twelve questions to identify someone, and let the end-user determine the questions that they would be asked. They do not recommend we try that in the university, as end-users would probably go with "Q1", "Q2" for the questions and "yes" for all the answers.
2 comments:
Hi. A Lancaster student has a single username/password combination for their access to Windows, email and VLE. The big area they miss out on is the Library and e-resources, where a different combination operates.
Their current username/password combination *is* value loaded. I can't say how much LUSI information (about themselves) they can see. This value still doesn't avert the need for password resetting, especially with the way the academic year is blocked. (That is, there are periods of comparative inactivity.)
I'd like a formal risk analysis on SSPR @ Lancaster for students, before we discard the idea. It's a deliverable from UIMS and gives us a 24 by 7 service.
Dave
To my mind the hole in our provision is the fractured approach of the systems we have for authentication. From my perspective they seem loosely coupled and disjointed. We need to look at our service delivery.
Dave