On April 6, 2006, I sent a note to the Identity Management @ EDUCAUSE and Middleware Discussion @ Internet2 mailing lists. The question posed was four-fold:
From a quick "grep|sed" of mail domains, the following schools replied:
All responded positively to the first question, indicating
that some
group has access to reset the passwords, although in some cases it is a
dedicated
"Accounts Desk" or "Operations Counter", as opposed to a "Help Desk".
The responses to the second and third questions are summarized and anonymized in the below table, with some emphasis placed by me to reflect patterns.
A few responders provided links to documentation regarding their processes and policies. These links are included at the bottom of the page.
If you are interested in the original email discussion, please review the threads in the list archives. Thank you to all who responded!!
| How many individuals in your Help Desk have this access? | What is the "identity proofing" process, particularly for over-the-phone requests? |
|---|---|
| Our Help Desk has this ability via a special web page. They must authenticate and if they are authorized it will let them search for a user. Some of our systems require higher authorization to change passwords on, so if they aren't authorized to do that for the requested system it won't let them. | We let users change their passwords based on ... knowledge of a response to a challenge. |
| Our help desk staff have the ability to reset
passwords. The student staff members are only allowed to reset
passwords for student accounts. There are also some accounts on a
restricted list that no help desk staff can reset (such as my account). There are about 10 FTE with full access (3 work in the help desk full time) and around 20-30 student help desk staff. |
Phone requests generally require that the person fax their ID card and/or driver's license. |
| All of our 8 FTEs in the Help Desk have the ability to reset passwords (minus a handful of system administrators' accounts). None of our student staff have the ability to reset passwords. | For any password reset request, whether in person or via the phone, we require photo ID. If they are on campus or anywhere in town, we require them to come to the Help Desk in person with photo ID. If they are not able to come to campus, we will accept a faxed (and readable) driver's license or University photo ID card. |
The authorized individuals include:
|
By fax If you have access to a fax machine, you can print the
online NetID Password Change form and fax it to the ... Help Desk
along with two
forms of photo ID. The form can be faxed to you if you
do not have access to the Internet. In person You can come to the ... Help Desk with a photo-ID to reset your NetID password. |
| [11] Staff only have this ability at the moment. We are looking to extend the capability to a few (2-3) trusted student supervisors once we have some additional risk mitigation measures in place, namely better log analysis and finer-grained authorization so only certain functions/data are available from the tool. | We require the individual to fax or mail a copy of the
... ID
card or a form of government issued ID (drivers license, passport).
The new password is mailed to the person. We don't deliver over the
phone, fax or email. We will use Fedex if the need is urgent. People located on campus are required to come to the Helpdesk and present their identification in person. |
| Several hundred of our Help Desk folks have this ability. We have help desk at numerous locations at [the] University ... and campuses throughout the state. | Individuals requesting password resets must appear in person, present and use the signature station to get their original password. Phone request are handled by four employees in the Account Office. If a person is near one our campus, the are encouraged to visit the campus and have the Help Desk reset their password. If they are not near a campus (we have had requests from South America) the requester is asked to download and complete our '... Access Account Acceptance Form' and FAX the form along with a copy of a picture id (valid license, passport, etc) to our Accounts Office. Once the documents are received, the Accounts Office sends the user's password via US Mail to the individual's official home address. |
| We provide service to 5 other schools in our university
system. Each of those schools has about 2 help desk people who can reset password for users at that school only. Our Help Desk has about 7 staff members who can reset passwords for our own users. 3-4 of these can also reset passwords for users at the other schools we provide service to. |
Users are required to physically present a picture ID
before a password change is allowed. No over the phone password changes are allowed. I think our security officers may be allowing some exceptions to this in certain circumstances, but help desk staff follow this policy closely. |
| All staff who are on the operations Counter (five-ish) have this access. | Over-the-phone requests not accepted. |
| The help desk staff (no student workers) have the ability to change passwords. | Identity proofing is in person vetting with University issued ID. |
| ~10 | We require physical presence right now. |
Matt Smith
University of Connecticut
2006-04-10