Security Basics mailing list archives
RE: How to authentificate an user via telephon?
From: "Burton M. Strauss III" <bstrauss3 () attbi com>
Date: Wed, 4 Dec 2002 12:09:50 -0600
The three classic methods of authentication are:

1. Something you know (e.g. a password)
2. Something you have (e.g. a physical key or SecureID card, etc.)
3. Something about you (e.g. biometrics)

Since they've forgotten the old password, and you're validating remotely (i.e. excluding #3), you have limited options.

If they have their SecureID type device, you could establish a secured signon using that and their usual PIN into a special service that resets passwords.

If you're depending on telephone, then you have to fall back to #1, some sort of shared secret. BEFORE the problem you ask them some questions and register the answers. It should be stuff only they know, hard to find out, and not the usual "Mother's maiden name" that everyone else uses. Stuff hard to forget, and easy to remember. You may have to ask a # of questions to establish - to your comfort level - that it's really, really, them.

Stuff like:

  Current job title? Office Phone #?

is bad, because it's on the business card they gave somebody at the airport. Less public stuff is better...

  What is your employee number, please? Date of hire?

Truly freaky stuff is best, if you can collect it (remember there are laws about what you can ask):

  Who was your 3rd Grade Teacher? What color is your bathroom wall?

Remember, your fallback HAS TO BE, "I'm sorry sir/ma'am, but I'm unable to verify your ID. Please have your supervisor call during normal business hours tomorrow."

And you MUST have executive sponsorship. High up...

  "Do you know who I am?"
  "No Sir"
  "I'm the CEO of this G** D*** company and if I can't get into my email, <insert dire consequence>"
  "I'm sorry sir, but you yourself have told us that security of our IT systems is the most important responsibility I have. I'm unable to verify your identity based on information that you, yourself, have provided to us. Because of that, I can't take the risk that this isn't an attempt to access our systems and steal valuable information. I've flagged this account and my supervisor will be in touch with your office tomorrow morning."

And if you ever have an employee with enough gumption to do that, buy him/her a gold watch so they can time how long it takes to get to the unemployment office. They're right, but that ain't gonna be good enough.

-----Burton

-----Original Message-----
From: rsieber () web de [mailto:rsieber () web de]
Sent: Tuesday, December 03, 2002 12:50 PM
To: security-basics () lists securityfocus com
Subject: How to authentificate an user via telephon?

Hello colleagues,

imagine the following situation: a user calls the helpdesk to reset/alter some kind of account password (NT, RAS, PKI-PIN ...) and you have to determine whether the user is the correct user (the owner of the account). What would you do to authenticate the user's identity? What are good methods to do this? It should be easy for the user but secure for the administration.

Robert
--
http://board.protecus.de - Firewalls, Security and more ...
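As an added example (mine, not code from Burton's post or from the list), the following Python sketch implements the shared-secret scheme he describes for a phone reset: answers are registered BEFORE the problem, obviously public questions are refused at enrollment, the helpdesk needs a configurable number of matching answers before it is comfortable, and the fallback on a miss is to refuse the reset and flag the account for supervisor follow-up. The function and class names, the choice of salted PBKDF2 for storing answers, the iteration count and the sample questions and answers are all my assumptions; nothing here is an existing product's API.

```python
"""Helpdesk phone-reset verification built on pre-registered challenge
answers.  Added example, not the original post's code.  Assumed design:
answers are normalised and stored as salted PBKDF2 hashes; a call must
match at least `required` enrolled answers; a failed call is refused and
the account flagged rather than retried."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)

# Questions whose answers are effectively public (business card, company
# directory, the question everyone uses); enrollment refuses them.
WEAK_QUESTIONS = {"job title", "office phone", "mother's maiden name"}


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so 'Mrs.  SMITH' == 'mrs. smith'."""
    return re.sub(r"\s+", " ", text.strip().lower())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalised answer (never store plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)


@dataclass
class Enrollment:
    """One user's challenge set: normalised question -> (salt, hash)."""
    secrets: dict = field(default_factory=dict)
    failed_calls: int = 0
    flagged: bool = False

    def register(self, question: str, answer: str) -> None:
        q = normalise(question)
        if any(weak in q for weak in WEAK_QUESTIONS):
            raise ValueError(f"question too public to use: {question!r}")
        salt = os.urandom(16)
        self.secrets[q] = (salt, hash_answer(answer, salt))


@dataclass
class Verdict:
    verified: bool
    message: str


def verify_caller(enr: Enrollment, given: dict, required: int) -> Verdict:
    """Compare the caller's spoken answers against the enrolled set.

    Every enrolled question is checked even after a mismatch, so the
    caller learns nothing about which answer was wrong; only the final
    count against `required` (the helpdesk's comfort level) matters.
    """
    if enr.flagged:
        return Verdict(False, "Account flagged; supervisor must call back.")
    if required > len(enr.secrets):
        raise ValueError("required exceeds number of enrolled questions")
    spoken = {normalise(q): a for q, a in given.items()}
    matches = 0
    for q, (salt, expected) in enr.secrets.items():
        if hmac.compare_digest(hash_answer(spoken.get(q, ""), salt), expected):
            matches += 1
    if matches >= required:
        return Verdict(True, "Identity verified; proceed with reset.")
    # The fallback: refuse, flag, and hand off to a supervisor tomorrow.
    enr.failed_calls += 1
    enr.flagged = True
    return Verdict(False, "Unable to verify your ID. Please have your "
                          "supervisor call during normal business hours tomorrow.")


def sample_enrollment() -> Enrollment:
    """Constructed sample user (fictional answers) for a stand-alone run."""
    e = Enrollment()
    e.register("Who was your 3rd grade teacher?", "Mrs. Smith")
    e.register("What color is your bathroom wall?", "Pale Green")
    e.register("Date of hire?", "1999-03-15")
    return e


if __name__ == "__main__":
    user = sample_enrollment()
    print(verify_caller(user, {"Date of hire?": "1999-03-15",
                               "Who was your 3rd grade teacher?": "mrs.  SMITH",
                               "What color is your bathroom wall?": "pale green"}, 3))
```

The two design points worth copying are that all questions are always evaluated (no early exit that would leak which answer missed) and that a failed call changes state: the next caller, however insistent, gets the supervisor message rather than a second try.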