Educause Security Discussion mailing list archives

telephone authentication


From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 25 Apr 2008 12:16:23 -0500

How do you guys do telephone authentication?  It's certainly easiest
if your student or employee ID number is sort of secret, and you just
ask for that number, but what if you want to do real authentication
that isn't easy for any employee with access to the student database
to forge?  We've had some thoughts, but none that is effective,
complete, and convenient.  We thought about comparing caller ID with
the phone number stored in the student database, but that would cut
out people who were not using a phone in our database.  We also
thought about sending a text message of a random string of numbers to
the cell phone we have in our database for that person and having him
read it back, but we don't have many cell phone numbers in our database.

Banks ask for mother's maiden name, but we're not capturing that now,
and I'm sure some people would refuse to give that to us, guessing
that our employees could then go out and start accessing their bank
accounts (I would probably also refuse!).  What keeps evil bank
employees from impersonating us to spend money in our names?
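The text-message read-back idea from the post, sketched as an added example that is not part of the original message: the code goes only to the phone on file, the help-desk agent types what the caller reads back, and the check enforces expiry, an attempt limit and single use. `send_sms` is a hypothetical callback for whatever SMS gateway is in use, and the code length, lifetime and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed code length
TTL_SECONDS = 300    # assumed lifetime: 5 minutes
MAX_ATTEMPTS = 3     # assumed number of read-back attempts per call


class ReadBackChallenge:
    """One challenge per call. The agent only types what the caller reads."""

    def __init__(self, phone_on_file, send_sms, now=time.time):
        # send_sms(number, text) is a hypothetical hook for the SMS gateway.
        self._now = now
        self._key = secrets.token_bytes(32)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._digest = self._mac(code)   # the clear code is not retained
        self._expires = now() + TTL_SECONDS
        self._attempts_left = MAX_ATTEMPTS
        send_sms(phone_on_file, code)    # delivered only to the number on file

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def verify(self, spoken):
        """Return True only for the right code, in time, within the limit."""
        if self._attempts_left <= 0 or self._now() > self._expires:
            return False
        self._attempts_left -= 1
        digits = "".join(ch for ch in spoken if ch.isdigit())
        ok = hmac.compare_digest(self._mac(digits), self._digest)
        if ok:
            self._attempts_left = 0      # single use: a replay fails
        return ok


if __name__ == "__main__":
    outbox = []                          # stands in for the SMS gateway
    call = ReadBackChallenge("+1 555 0100", lambda n, c: outbox.append((n, c)))
    heard = outbox[0][1]                 # what the caller would read aloud
    print(call.verify(heard[:3] + " " + heard[3:]))  # True
    print(call.verify(heard))                        # False (already used)
```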
