Educause Security Discussion mailing list archives

Re: telephone authentication


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Fri, 25 Apr 2008 13:58:36 -0400

My impression of current best practices would be to use a set of security
questions. You create a bank of questions and the students provide the
answer (Mother's maiden could be one) to three when they call in. Caller ID
and text messages aren't ideal because you're now bringing another system
into play for the authentication to work. I was without my cell phone for a
day last year when I accidentally left it in my pocket during a swim. Things
happen and I don't think you'd want to be at the mercy of everyone's ability
to remember to bring their phone or keep it charged.

The security questions aren't perfect, but with good questions, it can be
pretty good. I could probably answer most questions for my wife and my
lifelong friends, but it gets much harder after that. I'd stay away from
questions that involve current "favorites" like songs or movies. Tastes
change over time and it can be difficult to remember what your favorite
movie was three years ago. Things like the name of your first elementary
school, first car owned, name of first pet, first concert, favorite
color, favorite historical figure, etc. are all "personal" but not
particularly sensitive. Some people who know you well might know some, but
they probably won't know them all, unless they're very, very close to you.
Come up with 10 questions, force everyone to answer at least 5 and then use
a random 3 anytime they call in. It's pretty useful.

On Fri, Apr 25, 2008 at 1:16 PM, Kevin Shalla <kshalla () uic edu> wrote:

How do you guys do telephone authentication?  It's certainly easiest if
your student or employee ID number is sort of secret, and you just ask for
that number, but what if you want to do real authentication that isn't easy
for any employee with access to the student database to forge?  We've had
some thoughts, but none that is effective, complete, and convenient.  We
thought about comparing caller ID with the phone number stored in the
student database, but that would cut out people who were not using a phone
in our database.  We also thought about sending a text message of a random
string of numbers to the cell phone we have in our database for that person
and having him read it back, but we don't have many cell phone numbers in
our database.

Banks ask for mother's maiden name, but we're not capturing that now, and
I'm sure some people would refuse to give that to us, guessing that our
employees could then go out and start accessing their bank accounts (I would
probably also refuse!).  What keeps evil bank employees from impersonating
us to spend money in our names?

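The question-bank scheme from Mike's reply (a bank of 10 questions, everyone answers at least 5 at enrollment, a random 3 are asked per call), written out as an added example that is not part of the original thread. The question list, the answer normalization, the salted hashing of stored answers and the lockout threshold are my assumptions, not anything the posts specify.

```python
import hashlib
import hmac
import random
import secrets
import unicodedata

# Ten stable, low-sensitivity questions of the kind the post recommends (constructed).
QUESTION_BANK = ["first elementary school", "first car owned", "name of first pet",
                 "first concert", "favorite color", "favorite historical figure",
                 "birth city", "first employer", "high school mascot", "street you grew up on"]
MIN_ENROLLED = 5    # everyone must answer at least 5 of the 10
CHALLENGE_SIZE = 3  # a random 3 are asked on each call
MAX_FAILURES = 3    # assumed lockout threshold; the post does not give one

def normalize(answer: str) -> str:
    """Case-, whitespace- and accent-insensitive so 'Fluffy ' matches 'fluffy'."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(text.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored salted and hashed so staff with database access cannot read them.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

class KbaRecord:
    """One person's enrollment: question text -> (salt, hashed answer)."""
    def __init__(self, answers: dict):
        if set(answers) - set(QUESTION_BANK) or len(answers) < MIN_ENROLLED:
            raise ValueError(f"answer at least {MIN_ENROLLED} questions from the bank")
        self.entries = {}
        for q, a in answers.items():
            salt = secrets.token_bytes(16)
            self.entries[q] = (salt, hash_answer(a, salt))
        self.failures = 0

    def challenge(self, rng=random.SystemRandom()) -> list:
        """Pick CHALLENGE_SIZE of this caller's enrolled questions at random."""
        return rng.sample(sorted(self.entries), CHALLENGE_SIZE)

    def verify(self, responses: dict) -> bool:
        """Every asked question must match; lock out after MAX_FAILURES misses."""
        if self.failures >= MAX_FAILURES:
            return False
        ok = len(responses) == CHALLENGE_SIZE and all(
            q in self.entries and hmac.compare_digest(
                self.entries[q][1], hash_answer(a, self.entries[q][0]))
            for q, a in responses.items())
        self.failures = 0 if ok else self.failures + 1
        return ok
```

Because the questions are drawn only from the ones a given person enrolled, someone who knows two or three answers still has to get all three that were asked, and repeated misses lock the record until staff reset it.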
