Designing a password management solution for a major University

In 2014, the University of Calgary rushed out a project that changed how we managed campus IT accounts. Technical details aside, this meant that the way user passwords were stored and used also changed. In one swift motion, a decade of home-brewed IT tools was made obsolete and replaced with a shiny new enterprise-grade software behemoth. Unfortunately this behemoth had a few flaws; for example, users couldn’t change their passwords on their own. The University of Calgary has over 35,000 people, each with at least one IT account to care about.

So my job was to quickly produce a software solution that would enable our diverse community to change the passwords to their accounts in a way that is easy to understand, easy to do themselves, and, most importantly, anticipates any problems they may encounter and provides a digital “helping hand” to resolve them. The result was a website eventually called Password Management. This website underwent several evolutions, and this is the design as it currently stands.

password management home screen

The home screen did something that both the previous IT tools for account management and the new behemoth solution didn’t do: tell the user what their account is actually used for.

For comparison, here was our old homebrewed solution that lasted a decade:

IT Utilities (old)

Three links that say “password” on them went to three separate tools, and it was up to the user to figure out which one to click. Confused? I still am.

The home screen is a late addition, and is certainly not perfect, but it fits the bill at the moment. It is also barely used: there are multiple entry points into password management depending on where the user came from. Password management anticipates what the user actually came to the website for and takes them directly to that workflow.

The change password workflow

The simplest thing a user wants to do is change their password. In 2015, a project was implemented that required users to change their password once a year. For tens of thousands of people, this was the first time they changed their password since they set it. This workflow had to be simple, direct, and help the user with the consequences of their action.

Change password screen

This screen was presented to the user immediately if password management guessed that the user wanted to change their password (more on this later). The user was identified and authenticated by the University’s Central Authentication Service (CAS), into which they are used to typing their (old) password several times a day, so there are no excessive visible gates or hoops for the user to jump through.

This screen is extremely powerful: for the first time in our history of IT tools, password management synchronizes all of the user’s computing accounts together, taking the frustration out of picking which tool to use to change the various passwords they might have at the University. Password management goes through a gauntlet of checks and validations to make sure the user is who they say they are, and diagnoses dozens of potential account problems, before the user is presented with this screen.

The screen itself is relatively simple, and certainly nothing new. The requirements for the password light up as the user types, and the continue button unlocks once all the requirements are met.

Requirements box

The user is then prompted to retype their password, and they’re good to go.

(The excessive password requirements are a complexity of our directory management systems, which is a discussion for another time).
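As an added illustration (not code from the University’s Password Management site), here is the shape of the live requirement check described above, in the browser-side JavaScript such a page would run. The post does not list the actual requirements, so the rules below are assumed; whatever the real set is, the same check also has to run on the server when the form is submitted, because the browser check is only a convenience for the user.

```javascript
// Added example, not code from the University of Calgary's Password
// Management site. The rule set is assumed; the post does not list it.
const REQUIREMENTS = [
  { id: 'length', label: 'At least 12 characters',        test: (p) => p.length >= 12 },
  { id: 'lower',  label: 'At least one lowercase letter', test: (p) => /[a-z]/.test(p) },
  { id: 'upper',  label: 'At least one uppercase letter', test: (p) => /[A-Z]/.test(p) },
  { id: 'digit',  label: 'At least one digit',            test: (p) => /[0-9]/.test(p) },
  { id: 'trim',   label: 'No leading or trailing spaces', test: (p) => p === p.trim() },
];

// Evaluate every rule independently so each line of the requirements box
// can light up on its own; the continue button unlocks only when all pass.
function evaluatePassword(candidate) {
  const results = REQUIREMENTS.map((r) => ({ id: r.id, label: r.label, met: r.test(candidate) }));
  return { results, canContinue: results.every((r) => r.met) };
}

// Text rendering of the requirements box, one line per rule, in the
// order the rules are listed above.
function renderRequirements(candidate) {
  return evaluatePassword(candidate).results
    .map((r) => `${r.met ? '[x]' : '[ ]'} ${r.label}`);
}

// Second screen: the retyped password has to match the first one exactly.
// No normalisation here, since the password is stored as typed.
function confirmMatches(candidate, retyped) {
  return candidate === retyped;
}

// The browser check is for the user's benefit only; the server must rerun
// evaluatePassword (or its equivalent) on the submitted value before
// accepting it, since anything done in the browser can be bypassed.
```

Each rule is a small predicate rather than one combined regular expression, so the page can show the user exactly which line is still unmet instead of a single pass/fail verdict.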

The final screen explains what happened, and what to do next. The password the user just set appears in a lot of places, so only the most used systems are selected and displayed to the user.

Password management final page

If all goes well, the process of changing a password for multiple, related personal accounts at the University of Calgary involves visiting one well-published website, entering the password twice, and pressing a button. The rest is handled behind the scenes.

The recover password workflow

Changing a password you already know is easy enough. But what about changing a password you don’t know? Password management again takes a guess at whether you’re trying to recover a password you don’t know. This is usually done by checking whether you have authenticated to the Central Authentication Service yet, and by taking other clues, such as whether you clicked on a help link to arrive at password management.

After much deliberation with our security team, it was decided that only two pieces of information had to be entered by the user, and the rest of the security measures could be done invisibly.

The first piece of information is identification: asking the user for their University of Calgary identification number (UCID number), which is unique to every active staff member and student on campus.

Password management identification

An important aspect of improving password management is logging how users use the system, and where they get stuck. Over 95% of users were able to locate their UCID number and continue through this screen. The remaining 5% either abandoned their session at this screen or clicked the “I don’t know my UCID” button. This metric doesn’t include users who clicked “I don’t have a UCID number”, which is a special area for a legacy method of authentication.


The second piece of information required from the user is for authentication, which is the classic method of security questions.

Password management verify

Good security questions have two requirements: they can’t be based on a volatile opinion (e.g. favourite colour), and they should be difficult to find on social networks. Although hardly bulletproof, security questions are a nice balance of:

  • Using information accessible to us (they are created during account creation, and hashed like a password in the backend)
  • Avoiding information we can’t use (for example, it is policy that we can’t ask for date of birth)
  • Preventing loops the user may get stuck in (for example, sending a verification email to an account the user might be trying to recover the password for!)

Of course, password management does due diligence invisible to the user to keep their account safe.

Once the user has provided all the right answers, they are moved into the change password screen we saw above.

Account dashboard

Another late addition to password management was the account dashboard. The dashboard was a response to the project that required users to change their password once a year. It gives users an overview of their primary and secondary accounts, allows them to update passwords and security questions, and alerts them to problems with their account.

Password management dashboard

The dashboard must be explicitly visited through the password management home screen or by clicking a link to the dashboard from another website. Password management doesn’t take users here by default.

Opinions in this blog related to my employment at the University of Calgary are my own, and do not represent the interests of the University of Calgary.


Sean Feil