Re: How to authentificate an user via telephon?

[Valter Santos <vsantola () devfusion net>]

Hello Gene,

but that sollution will fail for a person-target attack... I can find
with little effort the ssn & birthdate of a target person and pretend to
be her/he. 

I suppose the callback sollution is better, althought as it flaws 8-(


cheers,
/valter


On Wed, 2002-12-04 at 17:27, Gene Barlow wrote:
> Robert,
>
>     Currently, I'm in the process of getting approval on a new procedure 
> for doing just that.  If approved, we'll write a script that will query 
> the last 4 digits of the users ssn & birthdate against our ERP software. 
>  So, for instance, if John Doe calls and requests a password change, 
> we'll ask for the last 4 digits of the ssn and their birthdate, type it 
> in the script, and see if that user's name is returned in the response. 
>  If so, we know (hopefully) that the user is who he says he is...
>
> Hope this helps...
> Gene...
>
> Robert Sieber wrote:
>
> > Hello colleauges,
> >
> > imaging the following situation:
> >
> > User calls the helpdesk to reset/alter some kind
> > of account-password (NT, RAS, PKI-PIN ...) and you 
> > has to determin wheter the user is the correct 
> > (owner of the account) user. What would you do
> > to authentificate the users identity?
> >
> > What are good methodes to do this? It should be
> > easy for the user but secure for the administration.
> >
> >
> > Robert
-- 

---..---..---..---..---..---..---..---..---..---..---..---..----
Valter Santos

vsantola () devfusion net                         |||
http://devfusion.net/~vsantola/keys/          (@ @)                 
------------------------------------------oOO--(_)--OOo---------

Attachment: signature.asc
Description: This is a digitally signed message part