Security Basics mailing list archives

Re: How to authenticate a user via telephone?


From: "kawaii" <trunks () stackers org>
Date: Wed, 4 Dec 2002 12:00:03 -0500

From: "Robert Sieber" <rsieber () web de>
Sent: Tuesday, December 03, 2002 13:50


Hello colleagues,

imagine the following situation:

User calls the helpdesk to reset/alter some kind
of account-password (NT, RAS, PKI-PIN ...) and you
have to determine whether the user is the correct
user (owner of the account). What would you do
to authenticate the user's identity?

What are good methods to do this? It should be
easy for the user but secure for the administration.


The ways that I've seen are:

1) Have an authenticated user email/call in for the person with the lost
password/PIN/etc.
2) Have a secure question that is created by the user (i.e., when the user
registers for the account, he also submits three personal questions for
auth.)
3) Have a PIN/password be used for authentication, with which they can then
change/review their other accounts/passwords.


Robert

Ever lovable and always scrappy,
kawaii

"Cunnilingus and psychiatry brought us to this." - Tony Soprano

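A sketch of options 2 and 3 from the reply above (user-registered security questions plus a separate reset PIN), as an added example that is not code from the thread or its authors. The class name, thresholds and sample questions are assumptions; answers are stored salted-and-hashed, compared after normalisation, and the record locks after repeated failures so the help desk has to escalate rather than keep guessing.

```python
# Added example (not from the original thread): a help-desk verification
# record for phone password resets. Secrets are PBKDF2-hashed with a
# per-user salt, answers are compared case- and whitespace-insensitively,
# a lockout stops guessing, and every attempt is recorded for audit.
import hashlib
import hmac
import secrets
import unicodedata

MAX_FAILURES = 3       # lock the record after this many bad attempts (assumed)
REQUIRED_CORRECT = 2   # caller must get this many of the questions right (assumed)


def _normalise(answer: str) -> str:
    # Case- and whitespace-insensitive so "Main St." and "main st." match.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(secret).encode(), salt, 100_000)


class HelpdeskRecord:
    """Per-user secrets for phone verification (constructed sample data only)."""

    def __init__(self, questions: dict[str, str], pin: str):
        self.salt = secrets.token_bytes(16)
        self.questions = {q: _hash(a, self.salt) for q, a in questions.items()}
        self.pin = _hash(pin, self.salt)
        self.failures = 0
        self.audit: list[str] = []

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, pin: str, answers: dict[str, str]) -> bool:
        # Once locked, refuse outright: the caller must go through escalation.
        if self.locked():
            self.audit.append("refused: locked")
            return False
        pin_ok = hmac.compare_digest(self.pin, _hash(pin, self.salt))
        correct = sum(
            hmac.compare_digest(self.questions[q], _hash(a, self.salt))
            for q, a in answers.items() if q in self.questions
        )
        ok = pin_ok and correct >= REQUIRED_CORRECT
        self.failures = 0 if ok else self.failures + 1
        self.audit.append(f"{'pass' if ok else 'fail'}: pin={pin_ok} correct={correct}")
        return ok
```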
