Appendix B - Enrolment and reset password processes
It is important that the enrolment and reset password processes do not degrade the security of the authentication solution. Reset password processes are the processes followed when a customer has forgotten his or her password or when the customer has been locked out from the authentication system. This should not be confused with the process of a customer changing his or her password. The agency must undertake a risk assessment for these processes. Some options for the enrolment and reset password processes are outlined below. These are not the only acceptable options.
B.1 Enrolment processes
An agency customer is required to complete the Evidence of Identity (EOI) process with the agency (from the Evidence of Identity Standard) as part of the enrolment process for online service delivery. The enrolment steps are depicted in the diagram below. The processes for enrolment have not been specifically detailed in the authentication standards and so need to be determined by the agency.

Normally, the EOI process requires the physical presence of the customer at the agency. The association of a password to a customer will not be activated for service requests until the customer has satisfied the EOI requirements. To be set up for online service delivery, the customer may:
- enter their password while at the agency completing the EOI process
- have already entered a password, which is then associated to their identity when they complete the EOI process at the agency
- complete the EOI process at the agency and take away an initial password that is only used for their first logon.
B.2 Reset password processes
Processes for resetting a customer’s password, in cases where a password is forgotten, also need to be developed by the agency. The steps for password reset are depicted in the diagram below. The ‘authenticate customer’ and ‘distribute reset password’ steps directly affect the security of the authentication system.

Again there are many acceptable options. The agency may use a number of communication channels to perform the ‘authenticate customer’ and ‘distribute reset password’ steps. The channels employed may be different for these two steps in any password reset process.
B.2.1 Online challenge response questions and reset password distribution
A set of questions and answers is recorded when the customer initially sets his or her password. The questions can be a combination of customer-selected questions and questions set by the agency. (The agency may set some questions to ensure a certain strength is achieved with the question set.) As part of the password reset process, the customer is required to correctly answer a subset of their recorded question set before a reset password is issued. The strength of this process should be consistent with the strength of the password requirements of the Password Standard, so that the password requirements are not undermined and the question and answer process is appropriate.

The customer should periodically be asked to confirm their questions and answers (this may occur when the customer needs to change an expired password). Agencies should also allow customers to update and alter their questions and answers.

The reset password may be sent using the customer’s registered email address, home address, or cellphone (as either an SMS text message or a voice message). Using the registered contact details of the customer provides an additional check in the password reset process. Solutions that simply display the password on the screen, or allow the customer to have the password sent to another address, are not acceptable.
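As an added illustration that is not part of the standard, the following Python sketches the B.2.1 flow: recorded answers are stored salted and hashed, a reset requires a correct subset of them, repeated failures lock the reset out, and the reset password goes only to the registered contact and is never returned to the caller. The subset size, attempt limit, contact address and question set are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

REQUIRED_CORRECT = 2  # size of the question subset; an assumed policy value
MAX_ATTEMPTS = 3      # failed resets before lock-out; an assumed policy value


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Rex ' and 'rex' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are secrets: store them salted and hashed, like passwords."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


class ResetService:
    def __init__(self, registered_contact: str, qa: dict[str, str]):
        self.contact = registered_contact  # registered email, address or cellphone
        self.salt = secrets.token_bytes(16)
        self.answers = {q: hash_answer(a, self.salt) for q, a in qa.items()}
        self.failures = 0
        self.locked = False
        self.sent: list[tuple[str, str]] = []  # constructed stand-in for the delivery channel

    def challenge(self) -> list[str]:
        """Ask a random subset of the recorded question set."""
        return secrets.SystemRandom().sample(list(self.answers), REQUIRED_CORRECT)

    def reset(self, responses: dict[str, str]) -> bool:
        """Verify the subset; on success deliver a reset password to the registered contact."""
        if self.locked:
            return False
        correct = sum(
            1 for q, a in responses.items()
            if q in self.answers
            and hmac.compare_digest(hash_answer(a, self.salt), self.answers[q])
        )
        if correct < REQUIRED_CORRECT:
            self.failures += 1
            self.locked = self.failures >= MAX_ATTEMPTS
            return False
        self.failures = 0
        reset_pw = secrets.token_urlsafe(12)
        self.sent.append((self.contact, reset_pw))  # registered contact only
        return True  # the password itself is never returned or displayed
```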
B.2.2 Call centre challenge response questions and reset password distribution
The customer may also be able to access a call centre for password reset. In this case the questions and answers may not necessarily be taken from a recorded set but may rely on knowledge that the agency has of the customer. For example, the agency may use a combination of address details, transaction details and specific customer details shared by the agency and the customer (such as customer number or correspondence codes). Call centre staff should receive training in the risks of social engineering and fraud and the necessary practices to defend against such attacks. Where possible, reset passwords should be distributed in the manner described in the online setting.