Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Scott Koger <skoger () EMAIL WCU EDU>
Date: Thu, 3 Jan 2008 14:47:42 -0500

Gary,

Having been on both ends of the phone in this scenario I can empathize,
but what it comes down to is a reasonableness test.
 
For systems where you have access to information that would not be
readily available to someone pretexting - for example distance ed
students who never are physically present but should know what they took
semester before last, etc. - you can just quiz them until you are
reasonably sure it's the right person on the other end of the line. (The
problem here is who gets access to this sensitive information to do the
verification; can't forget FERPA.)
 
For faculty/staff, get their supervisor to make the request on their
behalf (then at least you would have an audit trail).

M. Scott Koger, CISSP
Security Analyst
Information Technology
Western Carolina University
Cullowhee, NC 28723
Office 828.227.2489
Fax    828.227.7700 

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Thursday, January 03, 2008 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authentication of remote users



Let's say you have a user that:

1) forgot their password
2) forgot their answers to their secret question(s)
3) is traveling, making visiting the helpdesk impossible

Let's also say asking for last four digits of SSN is
not allowed.

How do you authenticate the identity of the user and
allow them to change their password?


-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
