Security Basics mailing list archives

RE: How to authenticate a user via telephone?


From: "Hay, Duane" <Duane.Hay () attcanada com>
Date: Wed, 4 Dec 2002 13:30:08 -0700

The best methods I have used were the following:

- The helpdesk has a "secret-passphrase" kept in a database.  The users
define their own passphrase on account creation.  Any changes to their
account require successfully providing the passphrase.  

As this method was used by a business ISP, if the user had lost/forgotten
the phrase, the helpdesk referred the request to the account manager, who
contacted the customer and helped them get their changes made.

- In a corporate environment, the help desk would reset the user's password
with a one-time password; this password would be left in the user's
voicemail.  As voicemail is reachable from anywhere in the world, this
worked for traveling users as well.

Hope this helps...


duane



==========
Duane Hay
Senior Security Consultant
AT&T Canada


-----Original Message-----
From: Robert Sieber [mailto:rsieber () web de]
Sent: Tuesday, December 03, 2002 1:50 PM
To: security-basics () lists securityfocus com
Subject: How to authentificate an user via telephon?


Hello colleagues,

Imagine the following situation:

A user calls the helpdesk to reset/alter some kind
of account-password (NT, RAS, PKI-PIN ...) and you
have to determine whether the user is the correct
(owner of the account) user. What would you do
to authenticate the user's identity?

What are good methods to do this? It should be
easy for the user but secure for the administration.


Robert

-- 
http://board.protecus.de - Firewalls, Security and more ...
 


