An offline software product that does not make use of the internet knows the user's logon_ID, the system account name, and the software license string. If the user mis-enters the password three times, the software locks him out and he is presented with a request string of 16 hexadecimal characters in the form xxxx-xxxx-xxxx-xxxx. The user contacts the host system administrator with this xxxx-xxxx-xxxx-xxxx challenge string.
At the host, using the logon-id, the administrator searches for the user information record, which contains the account-name and the software license. The administrator, using the logon-id record, pastes the user's 16-character challenge string into one field on the form. If the pasted string is in error, an error message pops up for the administrator.
If the challenge string is accepted, a response string is generated in the format xxxx-xxxx-xxxx-xxxx. This response is sent to the user via email or spoken to him.
The user pastes the received string into a receive confirmation field. The received string could fail an acceptability check because of a typing error. If the response string from the administrator is validated (what is expected), the software unlocks and asks the user to enter a new password and its confirmation. In this exchange the administrator does not know the user's new password or even the old password.
Each try for a new password by the user results in a new challenge string, different from the previous one. The user and host administrator systems may be in different time zones.
Anyone up to the challenge to solve this off-line password renewal challenge?
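One way to build the exchange described above, as an added example that is not part of the original post: the locked client draws a random challenge, the host's admin tool derives the response as an HMAC over the challenge plus the user's logon-id, account name and license string, and the client recomputes the same HMAC to decide whether to unlock. Two hex characters of each 16-character code are a checksum over the other fourteen, so a typo in either direction is rejected before any cryptographic comparison (the "error message" and "acceptability check" in the post). The per-license secret `LICENSE_KEY`, the record layout, and the `|`-joined message format are all assumptions, since the post does not say how the two sides share a key; nothing depends on clocks, so time zones do not matter, and each lockout produces a fresh challenge so an old response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-license secret known to both the offline software and the
# host's admin tool. ASSUMPTION: the page does not specify how this is shared;
# in practice it would be derived from the license at install time.
LICENSE_KEY = b"constructed-demo-license-secret"

HEX = "0123456789abcdef"


def _check_hex(body: str) -> str:
    """Two-hex-digit checksum over a 14-hex-char body, used to catch typos."""
    return hashlib.sha256(body.encode()).hexdigest()[:2]


def format_code(raw16: str) -> str:
    """Render 16 hex chars as xxxx-xxxx-xxxx-xxxx."""
    return "-".join(raw16[i:i + 4] for i in range(0, 16, 4))


def parse_code(code: str) -> Optional[str]:
    """Return the 16 raw hex chars, or None if the code is malformed or
    fails its checksum (a mistyped challenge or response)."""
    raw = code.replace("-", "").strip().lower()
    if len(raw) != 16 or any(c not in HEX for c in raw):
        return None
    if _check_hex(raw[:14]) != raw[14:]:
        return None
    return raw


def new_challenge() -> str:
    """56 random bits plus a 2-char checksum, formatted for the user to read out."""
    body = secrets.token_hex(7)
    return format_code(body + _check_hex(body))


def compute_response(key: bytes, challenge_raw: str, logon_id: str,
                     account: str, license_str: str) -> str:
    """HMAC the challenge together with the identity fields so a response is
    only valid for this user, this license and this one challenge."""
    msg = "|".join([challenge_raw, logon_id, account, license_str]).encode()
    body = hmac.new(key, msg, hashlib.sha256).hexdigest()[:14]
    return format_code(body + _check_hex(body))


class OfflineClient:
    """The locked-out software. It never learns anything from the host except
    the response string, and the host never sees any password."""

    def __init__(self, key: bytes, logon_id: str, account: str, license_str: str):
        self.key, self.logon_id = key, logon_id
        self.account, self.license_str = account, license_str
        self.pending: Optional[str] = None

    def lockout(self) -> str:
        # Every lockout (and every retry) yields a fresh challenge.
        self.pending = new_challenge()
        return self.pending

    def submit_response(self, response: str) -> bool:
        raw = parse_code(response)
        if raw is None or self.pending is None:
            return False
        expected = parse_code(compute_response(
            self.key, parse_code(self.pending), self.logon_id,
            self.account, self.license_str))
        ok = hmac.compare_digest(expected, raw)
        self.pending = None  # one-shot: a second attempt needs a new challenge
        return ok  # True means: unlock and prompt for a new password


class HostAdminTool:
    """The administrator's form: look up the record by logon-id, validate the
    pasted challenge, and produce the response to read back to the user."""

    def __init__(self, key: bytes, records: Dict[str, Dict[str, str]]):
        self.key, self.records = key, records

    def respond(self, logon_id: str, challenge: str) -> Optional[str]:
        rec = self.records.get(logon_id)
        raw = parse_code(challenge)
        if rec is None or raw is None:
            return None  # the "error message" for a bad paste or unknown user
        return compute_response(self.key, raw, logon_id,
                                rec["account"], rec["license"])


# Constructed sample data for a stand-alone run.
RECORDS = {"alice": {"account": "ALICE-WS01", "license": "LIC-0000-DEMO"}}


def demo() -> bool:
    client = OfflineClient(LICENSE_KEY, "alice", "ALICE-WS01", "LIC-0000-DEMO")
    host = HostAdminTool(LICENSE_KEY, RECORDS)
    challenge = client.lockout()
    response = host.respond("alice", challenge)
    return response is not None and client.submit_response(response)


if __name__ == "__main__":
    print("unlocked" if demo() else "still locked")
```

The checksum only guards against typing mistakes; the security of the unlock rests on the HMAC and on keeping `LICENSE_KEY` out of reach of someone who can already run the locked software, which is the hard part of any scheme where the client must verify offline.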