Educause Security Discussion mailing list archives
telephone authentication
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 25 Apr 2008 12:16:23 -0500
How do you guys do telephone authentication? It's certainly easiest if your student or employee ID number is sort of secret, and you just ask for that number, but what if you want to do real authentication that isn't easy for any employee with access to the student database to forge? We've had some thoughts, but none that is effective, complete, and convenient. We thought about comparing caller ID with the phone number stored in the student database, but that would cut out people who were not using a phone in our database. We also thought about sending a text message of a random string of numbers to the cell phone we have in our database for that person and having him read it back, but we don't have many cell phone numbers in our database. Banks ask for mother's maiden name, but we're not capturing that now, and I'm sure some people would refuse to give that to us, guessing that our employees could then go out and start accessing their bank accounts (I would probably also refuse!). What keeps evil bank employees from impersonating us to spend money in our names?
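Added example, not part of the original post: a sketch of the text-message read-back idea mentioned above, in which the verification service texts a one-time code to the phone on file and checks what the caller reads back. The key handling, code length, expiry window, attempt limit and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed length of the code read back over the phone
TTL_SECONDS = 300    # assumed validity window
MAX_ATTEMPTS = 3     # assumed guess limit per challenge

# Assumption: this key lives only in the verification service, not in the
# student database, so database access alone cannot brute-force the small
# code space or mint a record that verifies.
SERVICE_KEY = secrets.token_bytes(32)


def _tag(code):
    """Keyed digest of the code; the code itself is never stored."""
    return hmac.new(SERVICE_KEY, code.encode(), hashlib.sha256).digest()


def issue_challenge(now=None):
    """Return (code to text to the phone on file, record to store)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    record = {"tag": _tag(code), "expires": now + TTL_SECONDS,
              "attempts_left": MAX_ATTEMPTS}
    return code, record


def verify_readback(record, spoken, now=None):
    """Check the digits the caller read back; each record is single-use."""
    now = time.time() if now is None else now
    if record["attempts_left"] <= 0 or now > record["expires"]:
        return False
    record["attempts_left"] -= 1
    # The agent types what was heard; ignore spaces, dashes and the like.
    digits = "".join(ch for ch in spoken if ch in "0123456789")
    ok = hmac.compare_digest(_tag(digits), record["tag"])
    if ok:
        record["attempts_left"] = 0  # consume so the code cannot be replayed
    return ok
```

The help-desk agent only ever sees a pass or fail result, so the check does not rest on a value the agent can look up in the database.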