Up for Discussion: Remote ID Verification for Password Recovery
Edited by Apryl Motley, CAE - InCommon Communications Lead
Estimated reading time: 5 minutes
Editor’s Note: Collaboration among IAM professionals through the InCommon community is proof positive that many heads are often better than one. Exchanges between peers via InCommon’s discussion list in particular illustrate community members’ willingness to work together to explore issues and problems of common interest.
Beginning this month, we plan to highlight some of these exchanges as a resource for members of our community who have similar questions, but with so much up for discussion, may have missed the responses. Check out this slightly edited version of a discussion from June 29, 2022, on different ways campuses are accomplishing remote ID verification.
Got Questions? Your peers have answers.
If you’re already an active participant on our discussion list, thank you! To join our list, email email@example.com with the subject: subscribe InCommon Participants.
Question: What process does your team use for remotely assisting employees and students who have forgotten their passwords and cannot use a self-service tool? For those of you who require MFA, what do you do when users cannot log in to their accounts due to losing their phones, etc.? How do you verify ID remotely to add another device?
—Summer Scanlan, business systems analyst, University of California Berkeley, Information Security Office
Response 1: We require MFA (2FA) for all of our populations via our institutional SSO, and we have two self-service portals for reset purposes:
- If they forget their password, we use their 2FA + personal email address* on file to identity proof and allow a password reset.
- If they need to regain access to MFA (locked out, add a new device, etc.), we use their password + personal email address on file OR their password + mobile number on file.
*Personal email address on file as registered through our ERP systems during affiliate onboarding [typically], to which a one-time-use, time-bound OTP is sent.
Outside of self-service, we ID proof via Zoom across a dataset of shared secret information and government-issued IDs. Self-service is encouraged where possible.
—Garrett King, director, Identity & Access Management Services, Computing Services Division, Carnegie Mellon University
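The self-service flow in Response 1 combines an existing factor with a one-time code delivered to an address on file, and the factor being recovered is never one of the proofs used to recover it. The sketch below models that policy and the OTP handling it depends on (salted hash at rest, expiry, single use, attempt limit, constant-time compare). It is an added example written for this page, not code from the discussion or from Carnegie Mellon; the 10-minute lifetime, 8-digit code, 5-attempt limit, user id and addresses are assumptions, and the delivery step is an injected callable so the flow runs offline.

```python
"""Self-service account recovery modelled on Response 1: a password reset
requires 2FA plus a single-use, time-bound OTP sent to the personal email on
file; MFA re-enrolment requires the password plus an emailed or SMS OTP.

Added example, not code from the discussion or from any institution quoted.
Assumptions: an in-memory dict stands in for the identity store, and the
email/SMS sender is an injected callable so everything runs offline.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60   # assumption: codes live 10 minutes
OTP_DIGITS = 8              # assumption
MAX_ATTEMPTS = 5            # assumption: more than five wrong guesses burns the code

# Which verified proofs unlock which recovery action. The factor being
# recovered never appears in its own recovery set (2FA cannot recover 2FA).
RECOVERY_POLICY = {
    "password_reset": [{"mfa", "email_otp"}],
    "mfa_reenroll": [{"password", "email_otp"}, {"password", "sms_otp"}],
}


def recovery_allowed(action, proofs):
    """True if the set of verified proofs satisfies one allowed combination."""
    return any(required <= set(proofs) for required in RECOVERY_POLICY[action])


class RecoveryOTPStore:
    """Issues and verifies one-time recovery codes keyed by user id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> salt, digest, expires, attempts, channel

    def issue(self, user_id, channel, address, send):
        """Generate a code, keep only its salted hash, and hand the plaintext
        to the delivery callable (email or SMS). The code is never returned,
        so the calling web handler cannot leak it to the requester."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
            "channel": channel,
        }
        send(address, f"Your account-recovery code is {code}. "
                      f"It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, user_id, submitted):
        """Return the proof name ("email_otp" or "sms_otp") on success, else None.
        The entry is dropped on success (single use), on expiry, and once the
        attempt limit is exceeded, so a code cannot be replayed or brute-forced."""
        entry = self._pending.get(user_id)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]
            return None
        candidate = hashlib.sha256(entry["salt"] + submitted.encode()).digest()
        if not hmac.compare_digest(candidate, entry["digest"]):
            return None
        del self._pending[user_id]
        return entry["channel"] + "_otp"


def demo():
    """Walk one password reset end to end with a constructed user whose
    personal email was registered at onboarding. Returns True if allowed."""
    outbox = []                       # stands in for the mail relay
    store = RecoveryOTPStore()
    store.issue("u123", "email", "alice@example.org",
                lambda addr, body: outbox.append((addr, body)))
    # The user reads the code from the email and types it back in.
    code = outbox[-1][1].split("code is ")[1][:OTP_DIGITS]
    proofs = {"mfa"}                  # 2FA already passed at the portal
    proof = store.verify("u123", code)
    if proof:
        proofs.add(proof)
    return recovery_allowed("password_reset", proofs)


if __name__ == "__main__":
    print("password reset allowed:", demo())
```

Two design points worth carrying into a real portal: the store never hands the plaintext code back to the caller, and `verify` deletes the entry on every terminal outcome, so an attacker who can make the user request a code cannot later replay it, and one who guesses cannot keep guessing.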
Response 2: Texas A&M is exploring automated solutions in this space such as Incode to help us verify identity documents for account recovery purposes. We have tested a few vendors and have some key findings; our current challenges relate to regulatory requirements for cloud hosted solutions (getting vendors to participate in TX-RAMP, for example). If anyone is interested in exploring this as an InCommon working group (perhaps recommending a set of vendors, development of a standard, or even securing discounted rates as part of the NET+ program), I would be very interested in helping to lead an effort like that.
—Garrett Yamada, identity & access management engineer, Texas A&M University
Response 3: Our support desk will have the individual get on a Zoom and present government ID. We then compare the details of the ID with what we have on file as well as compare the government ID photo with the human and cross-check it with our own ID photo. If everything matches, the person is assisted in recovery.
—David Langenberg, assistant director, Identity & Access Management; The University of Chicago
Response 4: We typically have our first-tier employees connect with the user via Teams or Zoom and also confirm identity from an internal account management portal that pulls information from our SIS/ERP Ellucian Banner.
For password resets, once their identity is reviewed, we implement a 24-hour “bypass” of phone, email, and security questions by reverting to any phone number or email address we have registered in Banner. For example, if users don’t have access to their primary phone or can’t remember their security questions, the “bypass” allows them to connect using any phone number or email address that is active in Banner without security questions. This is all supported by an internally developed app.
For MFA, we primarily use Duo, and after reviewing the identity, we will assist in managing phones as needed. We do have email alerts to our security office for any of these device changes. We have also been moving a number of users to Microsoft’s Self-Service Password Reset and Azure MFA. For those users, the identity vetting is the same, but we use the Microsoft “Temporary Access Pass” (TAP) as a one-time code to bypass the MFA requirements, or we select “require re-enrollment.”
—Don Miller, system integration analyst, University of Idaho