Security Basics mailing list archives

RE: How to authenticate a user via telephone?


From: "Burton M. Strauss III" <bstrauss3 () attbi com>
Date: Wed, 4 Dec 2002 12:09:50 -0600

The three classic methods of authentication are:

1. Something you know (e.g. a password)
2. Something you have (e.g. a physical key or SecurID card, etc.)
3. Something about you (e.g. biometrics)

Since they've forgotten the old password, and you're validating remotely
(i.e. excluding #3), you have limited options.

If they have their SecurID-type device, you could establish a secured
signon using that and their usual PIN into a special service that resets
passwords.

If you're depending on telephone, then you have to fall back to #1, some
sort of shared secret.

BEFORE the problem you ask them some questions and register the answers.  It
should be stuff only they know, hard to find out, and not the usual
"Mother's maiden name" that everyone else uses.  Stuff hard to forget, and
easy to remember.

You may have to ask a number of questions to establish - to your comfort level -
that it's really, really them.

Stuff like:

Current job title?
Office Phone #?

is bad, because it's on the business card they gave somebody at the airport.

Less public stuff is better...

What is your employee number, please?
Date of hire?


Truly freaky stuff is best, if you can collect it (remember there are laws
about what you can ask)

Who was your 3rd Grade Teacher?
What color is your bathroom wall?


Remember, your fallback HAS TO BE, "I'm sorry sir/ma'am, but I'm unable to
verify your ID.  Please have your supervisor call during normal business
hours tomorrow."

And you MUST have executive sponsorship.  High up...

"Do you know who I am?"
"No Sir"

"I'm the CEO of this G** D*** company and If I can't get into my email,
<insert dire consequence>"
"I'm sorry sir, but you yourself have told us that security of our IT
systems is the most important responsibility I have.  I'm unable to verify
your identity based on information that you, yourself, have provided to us.
Because of that, I can't take the risk that this isn't an attempt to access
our systems and steal valuable information.  I've flagged this account and
my supervisor will be in touch with your office tomorrow morning."

And if you ever have an employee with enough gumption to do that, buy
him/her a gold watch so they can time how long it takes to get to the
unemployment office.  They're right, but that ain't gonna be good enough.


-----Burton




-----Original Message-----
From: rsieber () web de [mailto:rsieber () web de]
Sent: Tuesday, December 03, 2002 12:50 PM
To: security-basics () lists securityfocus com
Subject: How to authenticate a user via telephone?


Hello colleagues,

imagine the following situation:

A user calls the helpdesk to reset/alter some kind
of account password (NT, RAS, PKI PIN ...) and you
have to determine whether the caller is the correct
user (the owner of the account). What would you do
to authenticate the user's identity?

What are good methods to do this? It should be
easy for the user but secure for the administration.


Robert

--
http://board.protecus.de - Firewalls, Security and more ...




