To do an automated password change or reset, you need to exchange something secret with the end-user. And you would need a reasonable amount of confidence it cannot be picked up by someone else. For many less critical things, e-mail or phone text messages may work fine.

The simplest approach is if you have multiple authentication mechanisms with the same degree of authentication. Provided they are linked, you can pass the secret through the other mechanism. AFAIK in IBM the Notes infrastructure is still separate from the system-wide intranet authentication. When both are unavailable, the secret can be sent to the manager (which is defined in the databases) and he should be able to authenticate the person. That also works for the first-time password.

Back then in a former life, we investigated options to pre-print such a random secret on the user's pay slip. Most people will keep that private and not leave it where others could see it. And they will archive it in a place where it can be found again. :-)

The Dutch tax office used to have a chosen 5-digit PIN code for electronically filing your tax declarations. When you had forgotten the PIN code, you would mail in a new chosen one on a signed form. Clearly that could only be used when there happens to be a dispute about the authenticity of the electronic transfer.

This has now been replaced by a government-wide authentication scheme called DigiD. The web application associates your personal SSN-like number with a chosen userid, password, e-mail address and optionally cell phone number. The scheme includes a secret activation key that is sent through mail to your registered home address (takes up to 5 days to complete).

This year was the first time the tax office required DigiD for electronic filing, so many people found at the last minute that they had forgotten their password and would not be done in time. The help desk told people to borrow the DigiD userid and password from someone else (like their neighbor). When this hit the press, people were upset because we're told not to share it with others. So this was formally corrected in that you should ask your neighbor to come over and type in his userid and password to submit your tax declarations (and you keep him from looking at the numbers). Next year the tax office will also validate that your tax declaration is signed by yourself! :-)

Now Dutch tax is not as exciting anymore. Employers, banks and others already file most numbers as well, so filling in wrong numbers will ring alarms anyway.

The other mistake they made is that the secret activation key (sent via mail) must be retained and is re-used for future changes. While that sounds handy, it clearly breaks much of the intention of the scheme.

Rob
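The closing point of the message, that a mailed activation key which stays valid for later changes undermines the scheme, can be shown with a single-use key store. This is an added example, not part of the original message and not DigiD's implementation; the class and function names, the key format and the 14-day lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL_SECONDS = 14 * 24 * 3600  # assumed lifetime; must outlast postal delivery


class ActivationKeys:
    """Hypothetical store for activation keys delivered out of band (e.g. by post)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (sha256 digest of key, expiry timestamp)

    def issue(self, user_id):
        """Create a fresh key for mailing; any earlier key for this user is replaced."""
        key = secrets.token_hex(8)  # 64 random bits, printed on the letter
        digest = hashlib.sha256(key.encode()).digest()
        self._pending[user_id] = (digest, self._clock() + KEY_TTL_SECONDS)
        return key  # handed to the mailing process only, never stored in clear

    def redeem(self, user_id, presented_key):
        """Return True once for a valid, unexpired key, then invalidate it."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        digest, expires_at = record
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        presented = hashlib.sha256(presented_key.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[user_id]  # single use: a later change needs a new letter
        return True


def demo():
    """Constructed scenario: first use succeeds, replay and late use fail."""
    now = [1_000_000.0]
    store = ActivationKeys(clock=lambda: now[0])
    key = store.issue("user-1")  # constructed user id
    first = store.redeem("user-1", key)
    replay = store.redeem("user-1", key)  # retained letter found later
    late_key = store.issue("user-1")
    now[0] += KEY_TTL_SECONDS + 1
    late = store.redeem("user-1", late_key)
    return first, replay, late
```

A real deployment would also limit failed redemption attempts per user, which this example leaves out.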
