- EXECUTIVE SPONSOR(S): Kate Hash
- SPONSOR(S): Mel Radcliffe
- DEPT OR DIVISION: ITS Security and Identity Management
- PROJECT OWNER: Celeste Copeland
- STATUS: In Progress
- Project Theme: Serving Our Communities
Currently, when you set up your Onyen, you answer some questions about yourself. Later, if you ever forget your password, you can answer these questions to prove that “you’re you” and safely reset your password.
This security model is no longer considered safe enough by the NIST (National Institute of Standards and Technology), the NIH (National Institutes of Health), REFEDS (the Research and Education FEDerations group), and the University’s own Information Security Office. Current guidance says that resetting a credential needs to require strong proof of identity, such as two-factor authentication or confirmation that the person resetting the password has presented a government-issued ID.
This project is replacing both the self-service password reset function linked from onyen.unc.edu and the challenge questions that the Service Desk uses over the phone. Ideally, the reset will be built into ServiceNow, possibly in an automated chatbot, or handled through a live chat with a Service Desk staff member.