Security Basics mailing list archives

Re: How to authenticate a user via telephone?


From: Richard Caley <rjc () interactive co uk>
Date: 04 Dec 2002 18:55:02 +0000

In article <BBENJKHLDJKKOGPHEIOEKEGLCIAA.rsieber () web de>, Robert Sieber (rs) writes:

rs> User calls the helpdesk to reset/alter some kind
rs> of account password (NT, RAS, PKI PIN ...) and you
rs> have to determine whether the user is the correct
rs> (owner of the account) user. What would you do
rs> to authenticate the user's identity?

One from my bank: you send them paper mail with a temporary security
code in it; they have to call within N days and tell you the code, and
then you accept they are who they say they are. For paranoia, you need
to disguise the paper mail so it is less likely to be intercepted.

One stage further, send them paper mail to home and office, they have
to get both. 

Or, not very secure but has someone else do the hard work: have them
pay you some trivial amount of money by (registered) credit card, with
all the checks available from the CC issuer (ID number on the back of
the card etc). People will lose any ID object you give them, or allow
it to be lifted and never notice/report it, but are a bit more
paranoid about their credit cards. If you are nice you might then
refund the money (minus the CC company handling charge); if you aren't,
you treat it as a fine for losing their password.

-- 
Mail me as MYFIRSTNAME () MYLASTNAME org uk        _O_
                                                 |<
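[Added example, not part of Richard's post or anything from the list: a
small Python sketch of the mailed-code scheme he describes, including the
"two letters, both required" variant. The in-memory dict, the 8-character
code, the 10-day validity window and the 3-attempt limit are assumptions
chosen for illustration; a real helpdesk system would persist the
challenge records in a database and hand the plaintext codes only to the
letter-printing job.]

```python
"""Out-of-band helpdesk verification: a temporary code posted to the user by
paper mail, which they must read back by telephone within N days.

Added example, not from the original mailing-list post.  Storage (a dict),
code length, validity period and attempt limit are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

# Alphabet without characters that are easily misread on paper or misheard
# over the phone (0/O, 1/I, B/8, S/5).  28 symbols, 8 chars ~ 38 bits.
CODE_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits
                        if c not in "0O1IB8S5")
CODE_LENGTH = 8  # assumption


def _hash(salt: bytes, code: str) -> bytes:
    # Only salted hashes are stored, so a copy of the table alone is not
    # enough to pass verification.  Codes are case-insensitive.
    return hashlib.sha256(salt + code.strip().upper().encode()).digest()


class MailedCodeVerifier:
    def __init__(self, validity: timedelta = timedelta(days=10),
                 max_attempts: int = 3):
        self.validity = validity
        self.max_attempts = max_attempts
        self._pending: dict[str, dict] = {}  # account -> challenge record

    def issue(self, account: str, channels: tuple[str, ...],
              now: datetime) -> dict[str, str]:
        """Create one code per delivery channel, e.g. ("home",) for a single
        letter or ("home", "office") for the two-letter variant.  Returns the
        plaintext codes for the letter printer; only hashes are kept here.
        Re-issuing replaces any earlier challenge for the account."""
        record = {"expires": now + self.validity, "attempts": 0, "codes": {}}
        plaintext = {}
        for ch in channels:
            code = "".join(secrets.choice(CODE_ALPHABET)
                           for _ in range(CODE_LENGTH))
            salt = secrets.token_bytes(16)
            record["codes"][ch] = (salt, _hash(salt, code))
            plaintext[ch] = code
        self._pending[account] = record
        return plaintext

    def verify(self, account: str, presented: dict[str, str],
               now: datetime) -> bool:
        """The caller reads the code(s) back over the phone.  Every channel's
        code must match; the challenge is single-use, dies at expiry and
        burns after max_attempts failed calls."""
        record = self._pending.get(account)
        if record is None:
            return False
        if now > record["expires"]:
            del self._pending[account]
            return False
        record["attempts"] += 1
        if record["attempts"] > self.max_attempts:
            del self._pending[account]
            return False
        ok = True
        for ch, (salt, expected) in record["codes"].items():
            given = presented.get(ch, "")
            # No early exit and constant-time compare: the caller learns
            # nothing about which letter (if any) was right.
            if not hmac.compare_digest(_hash(salt, given), expected):
                ok = False
        if ok:
            del self._pending[account]  # single use
        return ok


def run_scenarios() -> dict[str, bool]:
    """Exercise the policy with a fixed clock so the outcome is reproducible."""
    v = MailedCodeVerifier()
    t0 = datetime(2002, 12, 4, 18, 55)   # constructed timestamp
    day = timedelta(days=1)
    r = {}
    # Two-letter variant: one letter alone must not be enough.
    codes = v.issue("rsieber", ("home", "office"), t0)
    r["one_letter_only"] = v.verify("rsieber", {"home": codes["home"]}, t0 + 2 * day)
    r["both_letters"] = v.verify("rsieber", {"home": codes["home"].lower(),
                                             "office": codes["office"]}, t0 + 2 * day)
    r["replay"] = v.verify("rsieber", codes, t0 + 2 * day)
    # Single letter, but the caller waits longer than N days.
    codes = v.issue("rsieber", ("home",), t0)
    r["expired"] = v.verify("rsieber", codes, t0 + 11 * day)
    # Wrong guesses burn the challenge before the right code is tried.
    codes = v.issue("rsieber", ("home",), t0)
    for _ in range(3):
        v.verify("rsieber", {"home": "WRONG"}, t0)
    r["after_lockout"] = v.verify("rsieber", codes, t0)
    return r


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the two-letter variant is that an attacker who can intercept
one delivery address (a shared office mailbox, say) still cannot complete
the call; the attempt limit matters because a 38-bit code read over the
phone is only as strong as the number of guesses you allow per letter.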

