Security Basics mailing list archives

Re: How to authentificate an user via telephon?


From: "Chris Berry" <compjma () hotmail com>
Date: Thu, 05 Dec 2002 14:27:56 -0800

From: Gene Barlow <btraquer () att net>
Currently, I'm in the process of getting approval on a new procedure for doing just that. If approved, we'll write a script that will query the last 4 digits of the user's SSN & birthdate against our ERP software. So, for instance, if John Doe calls and requests a password change, we'll ask for the last 4 digits of the SSN and their birthdate, type it in the script, and see if that user's name is returned in the response. If so, we know (hopefully) that the user is who he says he is...

I have to say that I think that's a very insecure authentication method. Our company deals heavily with finding people, and getting information about them, and I can say from experience here that getting someone's SSN and birthdate is a trivial task. You'd be much better off with another system such as the three authenticating questions someone proposed earlier. I also recommend PasswordSafe from www.counterpane.com; it's a free product that allows you to manage multiple passwords in secure 448-bit Blowfish encrypted storage. (That should help keep your users from forgetting their passwords all the time.)

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."
