Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Robert Paterson <rpaterson () SALEMSTATE EDU>
Date: Thu, 3 Jan 2008 14:14:36 -0500

I think the answer is there is always risk. Depending upon the culture of your institution you either identify a 
"reasonable" method to assure it is the right person or you say "you can get it when you get back..." 
 
But this leads to the point: does anyone "audit" those accounts for activity right after the reset just to see if there 
might be peculiar activity? Not for all changes, just the ones described in the original email.
 
Rob
 
Dr. Robert Paterson
Chief Information Officer
Salem State College
Salem MA 01970
robert.paterson () salemstate edu 
978-542-6446

On 1/3/2008 at 1:57 PM, in message <71DD61EF08BE5C408895B63DD316AD18010C2D37 () COMAL uanet edu>, "Hunt,Keith A" 
<keith () UAKRON EDU> wrote:
-----Original Message-----
From: Cal Frye [mailto:cjf () CALFRYE COM] 
Sent: Thursday, January 03, 2008 12:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Authentication of remote users

Gary Flynn wrote:


Let's say you have a user that:

1) forgot their password
2) forgot their answers to their secret question(s)
3) is traveling, making visiting the helpdesk impossible

Let's also say asking for last four digits of SSN is
not allowed.

How do you authenticate the identity of the user and
allow them to change their password?


Here we require they fax (or sometimes an email will do) a photocopy of
their ID card, which does not itself contain SSN data, but our internal
ID number instead.

-- 
Regards,
-- Cal Frye, Network Administrator, Oberlin College



I have never quite understood the thinking behind this approach, though
I have seen a number of folks propose it.

What if someone steals my ID card, or I lose it and someone else finds
it?

How does the possession of such a credential prove anything about the
identity of the person who holds it?


Keith Hunt  330.972.7968  keith () uakron edu 
Internet & Server Systems 
The University of Akron  
