RE: remote authentication

["Lovena J Reddi" <lovenareddi () intnet mu>]

My main problem is how to identify that it's the user who is asking me to
reset his password.  As voice recognition is not adequate despite I will ask
user about the secret question.

But I don't have that system in place. And also I can I be sure it's the
users itself textin it to me.  As someone can steal it n make use or under
threat my user can give the necessary information which the theft can make
use of and call me or text me.

Any other option.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Worrell, Brian
Sent: Wednesday, March 12, 2008 11:28 PM
To: Lovena J Reddi; Jacob Jennings; Juan B;
security-basics () securityfocus com
Subject: RE: remote authentication

So the users would call you, and over the network, you would change the
password of their device? 

What about a one time password system to Auth them?  Say it texts it to
a phone on record, and then they verify it with you over the call? 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lovena J Reddi
Sent: Wednesday, March 12, 2008 3:11 PM
To: 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: remote authentication

Hi

 

I need to develop a process about remote authentication. I am looking a
way where I can reset someone password while being at client side n not
connecting over my network.

 

In fact I have safeboot installed on all machines and if a user report
that his safeboot account is disabled, I need to reset it but before
that I need to recognize that person.

 

Since voice recognition is not considered as adequate, I need to develop
a process to authenticate remote callers which will include combination
of personal information and one key question/answer.

 

Anyone can help me out to find an appropriate way beside voice.  Note
that this person will call for resetting password.