Re: Authentication of remote users

["Hunt,Keith A" <keith () UAKRON EDU>]

-----Original Message-----
From: Cal Frye [mailto:cjf () CALFRYE COM] 
Sent: Thursday, January 03, 2008 12:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication of remote users

Gary Flynn wrote:
> Lets say you have a user that:
>
> 1) forgot their password
> 2) forgot their answers to their secret question(s)
> 3) is traveling making visiting the helpdesk impossible
>
> Lets also say asking for last four digits of SSN is
> not allowed.
>
> How do you authenticate the identity of the user and
> allow them to change their password?
Here we require they fax (or sometimes an email will do) a photocopy of
their ID card, which does not itself contain SSN data, but our internal
ID number instead.

-- 
Regards,
-- Cal Frye, Network Administrator, Oberlin College



I have never quite understood the thinking behind this approach, though
I have seen a number of folks propose it.

What if someone steals my ID card, or I lose it and someone else finds
it?

How does the possession of such a credential prove anything about the
identity of the person who holds it?


Keith Hunt  330.972.7968  keith () uakron edu 
Internet & Server Systems 
The University of Akron