Security Basics mailing list archives

RE: remote authentication


From: "Eric Pinkerton" <EPinkerton () soulaustralia com au>
Date: Thu, 13 Mar 2008 13:35:20 +1100

There are many products out there that claim to be reliable enough to
use voice recognition as a second factor, and who boast some pretty
impressive clients - http://www.voicevault.com/ is just one example.

It is my impression (and I may be wrong) that these are adopted mainly
to solve problems with resourcing rather than security, and I would
guess that is a cost related consideration. 

Normal best practice is to send the password 'out of band', so either by
calling them back on a mobile you have listed in the GAL, or a home
phone, or as someone suggested leaving them a vmail on their work phone.

Yes, users can be placed under duress, but in this case almost every
system is flawed, and resetting a password for someone who has a gun to
their head is the last of your problems.

Interestingly enough, some voice auth recognition systems claim to be
able to detect the user being under duress!

How many Tom Clancy novels the marketing dept has read could be a
contributing factor on this though....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lovena J Reddi
Sent: Thursday, March 13, 2008 6:48 AM
To: 'Worrell, Brian'; 'Jacob Jennings'; 'Juan B';
security-basics () securityfocus com
Subject: RE: remote authentication

My main problem is how to identify that it's the user who is asking me
to reset his password. Voice recognition is not adequate, even though I
will ask the user the secret question.

But I don't have that system in place. And also, can I be sure it's the
user himself texting it to me? Someone can steal it and make use of it, or
under threat my user can give the necessary information, which the thief
can make use of to call me or text me.

Any other option?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Worrell, Brian
Sent: Wednesday, March 12, 2008 11:28 PM
To: Lovena J Reddi; Jacob Jennings; Juan B;
security-basics () securityfocus com
Subject: RE: remote authentication

So the users would call you, and over the network, you would change the
password of their device? 

What about a one time password system to Auth them?  Say it texts it to
a phone on record, and then they verify it with you over the call? 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lovena J Reddi
Sent: Wednesday, March 12, 2008 3:11 PM
To: 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: remote authentication

Hi

I need to develop a process for remote authentication. I am looking for a
way to reset someone's password while being at the client side and not
connecting over my network.

In fact, I have SafeBoot installed on all machines, and if a user reports
that his SafeBoot account is disabled, I need to reset it, but before
that I need to recognize that person.

Since voice recognition is not considered adequate, I need to develop a
process to authenticate remote callers which will include a combination
of personal information and one key question/answer.

Can anyone help me find an appropriate way besides voice? Note that this
person will call for a password reset.
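The out-of-band flow that Brian suggests (a one-time code texted to a phone on record, read back over the call) and that Eric describes as normal practice can be sketched in a few dozen lines. The following is an added illustration, not code from anyone in this thread or from any product named here; the DIRECTORY dictionary, the phone numbers and the injected send_sms callable are constructed stand-ins for a real directory lookup and SMS gateway. The security-relevant details are that the number is taken from the directory record rather than from the caller, the code is stored only as a hash, it expires, it is single-use, and a handful of wrong guesses invalidates it.

```python
"""
Out-of-band one-time code for help-desk password resets (added example).

The help desk never trusts a phone number the caller supplies; the number
comes from the directory record on file.  A short random code is sent to
that number and the caller reads it back over the call.  Codes are hashed
at rest, expire quickly, are single-use, and are discarded after a few
wrong guesses.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample directory (stands in for the GAL / HR record).
# In practice this would be a lookup against the real directory.
DIRECTORY = {
    "jdoe": {"mobile": "+61400000000"},
    "asmith": {"mobile": "+61400000001"},
}

CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded


def _digest(code: str) -> str:
    """Hash the code so a leaked pending-table does not reveal live codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class ResetCodeService:
    def __init__(self, send_sms, clock=time.time):
        # send_sms(number, text) is an assumed SMS gateway hook; injected so it
        # can be stubbed.  clock is injected so expiry can be tested.
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # username -> {"hash", "expires", "attempts"}

    def issue(self, username: str) -> bool:
        """Generate a code and send it to the number on record for username."""
        record = DIRECTORY.get(username)
        if record is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, 6 digits
        self._pending[username] = {
            "hash": _digest(code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(record["mobile"], f"Your reset code is {code}")
        return True

    def verify(self, username: str, spoken_code: str) -> bool:
        """Check the code the caller read back; True means reset may proceed."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]        # expired: caller must start over
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]        # too many guesses: discard code
            return False
        if hmac.compare_digest(entry["hash"], _digest(spoken_code)):
            del self._pending[username]        # single use
            return True
        return False
```

The help-desk operator calls issue() once identity details have been checked, then verify() with the digits the caller reads back; only a True result should unlock the actual reset step. Because the number comes from DIRECTORY rather than from the caller, someone who has merely learned the user's personal details still needs the user's phone, which is the property that makes this a second factor.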
