Security Basics mailing list archives
Re: How to authentificate an user via telephon?
From: "Muhammad Naseer Bhatti" <naseer () digitallinx com>
Date: Wed, 4 Dec 2002 23:05:22 +0500
What my credit card company has done, when you call their help/support desk for any assistance, they first authenticate you. They do it by letting you enter your secret pincode into the system. The computer authenticates the code and thus you are authenticated. Then the operator manually fulfills your request. I think this may work out for you as well.

Naseer

----- Original Message -----
From: "Brad Arlt" <arlt () cpsc ucalgary ca>
To: "Robert Sieber" <rsieber () web de>
Cc: <security-basics () lists securityfocus com>
Sent: Wednesday, December 04, 2002 10:00 PM
Subject: Re: How to authentificate an user via telephon?

On Tue, Dec 03, 2002 at 07:50:10PM +0100, Robert Sieber wrote:
> Hello colleagues,
>
> imagine the following situation: User calls the helpdesk to reset/alter some kind of account-password (NT, RAS, PKI-PIN ...) and you have to determine whether the user is the correct (owner of the account) user.
>
> What would you do to authenticate the user's identity? What are good methods to do this? It should be easy for the user but secure for the administration.

You could have a passphrase book, and tell the user, "Your password has been set to the next passphrase".

Some places that don't *really* care about security do the password for when you call the support desk. This is usually a pet's name, birthday, or otherwise easily remembered crappy password. This just leaves you with an account that has two passwords, one of which is never going to change *and* is very likely the worst password one would ever want to pick.

If they ask you to reset only one of the passwords, then they still know the rest. They could provide authentication on another service to alter their password on the requested service.

Our "easy for the user" is they show up at the help desk with their University ID (I work for a University). A pain in the butt for folks out of town, but oh well.

The "I am really who I say I am" identity claim over the phone, just doesn't work... Not even if "I *Really* am who I say I am".

-----------------------------------------------------------------------
   __o      Bradley Arlt                     Security Team Lead
 _ \<_      arlt () cpsc ucalgary ca         University Of Calgary
(_)/(_)     I should be biking right now.    Computer Science