Recently, Harvard Medical School implemented a secure password reset architecture that is my cool technology of the week.
Forgotten-password processes typically work by asking the user to answer a secret question. However, the answers to such questions may be weak, or may be findable on social networking sites, which often disclose exactly this kind of personal detail (favorite vacation spot, favorite food, favorite car, etc.).
We elected to use a two-factor approach: something you have and something you know. Since more than 90% of Harvard faculty, staff, and students have mobile devices, we elected to send a PIN code for password resets to their cell phones.
The technology is very simple. Each telephone carrier runs an email-to-SMS gateway: mail sent to an address following the carrier's convention (phonenumber@phonecarrier.com) is delivered to the handset as a text message. We send a random code by email (translated to SMS by the carrier) to the user's device, and the reset completes only when the user enters that code on our site. The codes are time-sensitive, which narrows the window in which a code that has been intercepted or guessed can be used.
All password resets at Harvard Medical School now require this approach. We rolled it out to 22,000 users and have so far received only a dozen calls to the help desk. Here's the email I sent to the community about it.
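To make the mechanics concrete, here is a small server-side sketch of such a scheme. It is an added example, not HMS's SafeCode code (which this post does not show); the carrier gateway table, the sample phone numbers, and the six-digit, ten-minute, five-attempt parameters are assumptions chosen for illustration. It goes slightly beyond the description above with the checks a practitioner would want around a code delivered in the clear over email and SMS: the server stores only a hash of the code, the code expires, it is single-use, and guesses are limited so that a short numeric code cannot be brute-forced inside its lifetime.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical carrier -> email-to-SMS gateway domain table (constructed for
# this example; real carriers publish their own gateway domains).
GATEWAYS = {
    "example-carrier": "sms.example.net",
}

CODE_DIGITS = 6            # assumed code length
CODE_TTL_SECONDS = 10 * 60 # assumed validity window
MAX_ATTEMPTS = 5           # assumed guess limit per issued code


@dataclass
class PendingReset:
    code_hash: bytes   # only the hash is kept; the clear code is never stored
    expires_at: float
    attempts: int = 0


def sms_gateway_address(phone: str, carrier: str) -> str:
    """Build the phonenumber@carrier-domain address that the carrier's
    email-to-SMS gateway turns into a text message."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) < 10:
        raise ValueError("phone number looks incomplete")
    return f"{digits}@{GATEWAYS[carrier]}"


def _hash_code(user: str, code: str) -> bytes:
    # Bind the hash to the account so a code issued for one user can never
    # be replayed against another.
    return hashlib.sha256(f"{user}:{code}".encode()).digest()


class ResetCodeService:
    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for testing expiry
        self._pending: dict[str, PendingReset] = {}

    def issue(self, user: str, phone: str, carrier: str) -> tuple[str, str]:
        """Generate a fresh code, remember only its hash and expiry, and
        return the (recipient address, message body) to hand to the mailer."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = PendingReset(
            code_hash=_hash_code(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        to_addr = sms_gateway_address(phone, carrier)
        body = (f"Your password reset code is {code}. "
                f"It expires in {CODE_TTL_SECONDS // 60} minutes.")
        return to_addr, body

    def verify(self, user: str, submitted: str) -> bool:
        """True only for an unexpired, not-yet-used code within the guess limit."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]            # expired: force a new issue
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]            # too many guesses: invalidate
            return False
        ok = hmac.compare_digest(pending.code_hash, _hash_code(user, submitted))
        if ok:
            del self._pending[user]            # single use
        return ok


if __name__ == "__main__":
    svc = ResetCodeService()
    addr, msg = svc.issue("alice", "(617) 555-0100", "example-carrier")
    print("would mail to", addr)
    print("with body:", msg)
```

The mailer would send `msg` to `addr`; the verify step is what the reset form calls with whatever the user typed. Because the code crosses email and the carrier's SMS path unprotected, the short lifetime and the guess limit are what keep a six-digit code defensible.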
"To the HMS Community:
To comply with new Massachusetts data protection regulations, which take effect on March 1, 2010, we must make several changes to our policies and technologies. The new regulations require all HMS mobile devices be encrypted; govern how employees are allowed to keep, access and transport records containing personal information outside of business premises; require that an institution knows where every computing system -- including laptops and portable devices -- containing personal information is located; and require reasonable monitoring of systems for unauthorized use/access to personal information. You can read more about the new regulations on my blog.
To ensure the integrity of all personal data, we will begin making some of the changes now. Effective today, password resetting at HMS includes an optional feature called SafeCode, which we have piloted over the past year. Whenever a password reset is requested, a code to complete the reset will be sent to your cell phone to protect your account.
Over the next month, we'll complete an evaluation of products that will help ensure the safety of laptops and other mobile devices. We'll keep you informed of software applications and services that will be available to the HMS community to ensure compliance with the new regulations.
If you have questions about any aspect of these regulations, please see the Harvard Enterprise Information Security Policy or contact the Help Desk. Thank you for your support of our efforts to further protect the privacy of personal information.
Sincerely,
John D. Halamka, MD
Chief Information Officer
Harvard Medical School"
Hi John,
Great blog article! I recently heard about a really innovative product for two-factor authentication called FireId http://www.fireid.com. Their product turns your cell phone into the "token", very slick! You should check them out! I could see it being used in place of RSA and Vasco!