Educause Security Discussion mailing list archives
Re: Authentication of remote users
From: Scott Koger <skoger () EMAIL WCU EDU>
Date: Thu, 3 Jan 2008 14:47:42 -0500
Gary,

Having been on both ends of the phone in this scenario, I can empathize, but what it comes down to is a reasonableness test. For systems where you have access to information that would not be readily available to someone pretexting - for example, distance ed students who never are physically present but should know what they took semester before last, etc. - you can just quiz them until you are reasonably sure it's the right person on the other end of the line. (The problem here is who gets access to this sensitive information to do the verification; can't forget FERPA.)

For faculty/staff, get their supervisor to make the request on their behalf (then at least you would have an audit trail).

M. Scott Koger, CISSP
Security Analyst
Information Technology
Western Carolina University
Cullowhee, NC 28723
Office 828.227.2489
Fax 828.227.7700

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, January 03, 2008 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authentication of remote users

Let's say you have a user that:

1) forgot their password
2) forgot their answers to their secret question(s)
3) is traveling making visiting the helpdesk impossible

Let's also say asking for last four digits of SSN is not allowed.

How do you authenticate the identity of the user and allow them to change their password?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security