Password Self Service Applications

PSSA Features and Services

The Password Self Service Application provides password maintenance for the following endpoint systems:

  • UNH OID LDAP
  • UNH Wireless Password
  • UNH AD
  • GSC AD
  • UNH Office 365
  • USNH OIM

All of the services described below provide the following features:

  1. Branding mechanism to allow the use of institutional specific language and graphics.

  2. Automatically activated help and remedial text, with appropriate support contact information for the user's particular institution.

  3. Automatic detection of, and redirection to help resources for, users who appear to be 'thrashing' within the application.

  4. Password quality enforcement.

    • Consults the USNH Oracle Identity Management system (OIM) to enforce current USNH password quality policies and password history.

    • Requires that any new password is sufficiently different from the existing password; simple, predictable password transformations are detected and disallowed.

  5. Fully integrated compromised account workflow.

    • In the event of a compromised account, the user's primary accounts are SECURED from login.

    • All PSSA applications intercept any attempt to change the password and direct the user to contact the Service Desk in order to initiate the compromised account recovery workflow.

    • The compromised password is given special handling to ensure the replacement password is sufficiently different.

    • The compromised password is disallowed from ever being used again by this particular user.
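As an added illustration of items 4 and 5 (this is example code, not PSSA's own implementation, which the page does not show): a Python checker that rejects a new password that is a simple transformation of the current one, and that keeps a per-user history of salted hashes so a previously used or compromised password can never be chosen again. The leetspeak table, the similarity threshold and the PBKDF2 parameters are assumptions; the actual USNH quality policy is enforced by OIM and is not modelled here.

```python
# Added example, not PSSA code: "sufficiently different" and "never reused" checks.
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Substitutions the check undoes before comparing (constructed list, not from PSSA).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
# Characters users typically tack on to the ends of an old password to "change" it.
_EDGE = "0123456789!@#$%^&*()_+-=.,;:?"
_PBKDF2_ROUNDS = 200_000   # assumed; tune to the authentication server's hardware
_MAX_SIMILARITY = 0.8      # assumed threshold for "too similar"


def canonical(pw):
    """Lower-case, strip leading/trailing digit or symbol runs, then undo leetspeak.
    Falls back to the lower-cased form if stripping would leave nothing."""
    s = pw.lower()
    core = s.strip(_EDGE) or s
    return core.translate(_LEET)


def is_predictable_transformation(old, new):
    """True when `new` is a cheap rewrite of `old`: case change, leetspeak,
    appended or prepended digits/symbols, reversal, or a small edit."""
    a, b = canonical(old), canonical(new)
    if a == b or a == b[::-1]:
        return True
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= _MAX_SIMILARITY


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest for one per-user history entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, _PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """Check `pw` against every (salt, digest) pair without short-circuiting,
    so timing does not reveal which entry matched."""
    hit = False
    for salt, digest in history:
        _, candidate = hash_password(pw, salt)
        hit |= hmac.compare_digest(candidate, digest)
    return hit


def validate_new_password(old, new, history):
    """Return the policy violations for `new` (an empty list means acceptable).
    `history` holds the user's prior passwords and, after a compromise, the
    compromised password itself, so it can never be chosen again."""
    problems = []
    if is_predictable_transformation(old, new):
        problems.append("too similar to the current password")
    if in_history(new, history):
        problems.append("previously used or compromised password may not be reused")
    return problems


if __name__ == "__main__":
    # Constructed sample: one prior password in the user's history.
    history = [hash_password("Summer2016")]
    for candidate in ("Summer2017", "6102remmuS", "Summer2016", "correct horse battery"):
        print(candidate, "->", validate_new_password("Summer2016", candidate, history) or "ok")
```

The similarity check needs the old password in plaintext, which the Password Change Service has because the user must supply it; the reuse check needs only the stored salted hashes, so the history never holds plaintext.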

The remainder of this document describes each of the PSSA services.

Account Claiming Service

  • By providing their USNH Common ID number and date of birth (DOB), the user can find their own USNH-assigned username.

  • For new accounts, the user is prompted for an additional shared secret (middle name) in order to claim the account by setting an initial password and establishing a secret question/answer for self-service forgotten password recovery.

  • For security, new accounts can only be claimed within a specific window of time. The user is directed to the appropriate institutional service desk if it is too soon or too late to claim the account.

Password Change Service

Knowing their current password, the user is able to create a new password.

  • The password policy is displayed, and clear remediation guidance is provided when a proposed password does not meet it.

  • This application will clear password lock conditions and allow the reactivation of an account that was suspended for inactivity.

Forgotten Password Service

The user can reset their password by providing the following information:

  • Username
  • USNH Common ID number
  • Date of Birth (DOB)
  • The correct answer to their secret question

This is a more secure approach than just requiring the username and answer to the secret question since the answer to the challenge question is often weaker than the password itself.

This service can also clear password lock conditions without requiring the creation of a new password.

Password Refresh Service (Link-Up)

  • Allows the user to activate a new account with their current password.

  • Commonly used to 'fix' access problems: it confirms that the user's current password is known to all endpoint systems, or resets the password as needed to make this so.

  • Alerts the user about specific account problems that require intervention from the Service Desk to remedy.

  • Redirects the user to change their password if it no longer meets current password quality standards.

  • Redirects the user to change their password when they have recently been granted access to new resources or elevated privileges.

Change Security Question Service

After standard authentication (username & password), this service allows the user to update their security question answer, or to select and answer a different question.

  • A minimum answer length is enforced to prevent overly weak answers.

  • Inappropriate values such as the username or date of birth are disallowed.

  • Fuzzy matching is used for validation against the stored answer to avoid seemingly arbitrary rejection of near misses.
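An added example (not PSSA code; the page does not show how the rules are implemented) covering both the Change Security Question Service rules above and the secret-question check that the Forgotten Password Service would run: the minimum length, the username and date-of-birth block list, and fuzzy matching of a submitted answer against the stored one. The minimum length, the similarity threshold, the set of date layouts and the assumption that the stored answer is available in plaintext at verification time are all assumptions.

```python
# Added example, not PSSA code: rules for a self-service secret question answer.
import re
from datetime import date
from difflib import SequenceMatcher

MIN_ANSWER_LENGTH = 4    # assumed; the page states only that a minimum is enforced
MATCH_THRESHOLD = 0.85   # assumed; how close a near miss may be and still count


def normalize(text):
    """Case-fold and keep ASCII letters and digits only, so spacing, punctuation and
    capitalisation never cause a rejection on their own (extend the character
    class for non-Latin answers)."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def _dob_forms(dob_iso):
    """Common ways a user might type their date of birth (dob_iso is YYYY-MM-DD)."""
    d = date.fromisoformat(dob_iso)
    layouts = ("%Y-%m-%d", "%m/%d/%Y", "%d/%m/%Y", "%m/%d/%y",
               "%B %d %Y", "%d %B %Y", "%b %d %Y")
    return {normalize(d.strftime(f)) for f in layouts}


def validate_new_answer(answer, username, dob_iso):
    """Return the problems with a proposed answer (an empty list means acceptable)."""
    norm = normalize(answer)
    problems = []
    if len(norm) < MIN_ANSWER_LENGTH:
        problems.append("answer is too short")
    if norm in {normalize(username)} | _dob_forms(dob_iso):
        problems.append("answer may not be the username or date of birth")
    return problems


def answer_matches(given, stored):
    """Fuzzy comparison: exact after normalisation, or close enough that a typo
    or a trailing 's' is forgiven, while a different word is still rejected."""
    a, b = normalize(given), normalize(stored)
    if not a or not b:
        return False
    return a == b or SequenceMatcher(None, a, b).ratio() >= MATCH_THRESHOLD


if __name__ == "__main__":
    # Constructed sample user: username "jsmith", born 1990-04-21.
    for proposed in ("Mt. Washington", "Bo", "JSmith", "04/21/1990"):
        print(proposed, "->", validate_new_answer(proposed, "jsmith", "1990-04-21") or "ok")
    for given in ("mount washington", "Mt Washington", "Mt. Wash"):
        print(given, "matches stored answer:", answer_matches(given, "Mt. Washington"))
```

Fuzzy matching trades a little guessing resistance for usability, which is why the block list and the length rule matter: a near-miss threshold makes a short or guessable answer weaker still, so those are rejected at enrolment rather than at verification.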

AD Password Change

This service only changes the user's AD password.

  • Used for usernames that exist only in AD (i.e. usernames that do not also exist in OIM or the UNH LDAP).

  • Where the username also exists outside of AD, this application allows the user to set a password for their AD account that is different from their 'common' password for that username on other systems.

  • Commonly used by AD system administrators to create a stronger password, since this application is not subject to the cross-platform password limitations enforced by the standard password change program.

  • Redirects to standard password change application if any account with this username is currently in the compromised account workflow.

USNH Common ID Lookup Service

After standard authentication (username & password), this service allows the user to find their USNH Common ID number.

This document: http://share.unh.edu/sites/ecg/ecm/ITDocs/PSSA/pssa-feature-list.pdf
07-FEB-2017 -- Bill.Costa@unh.edu