Telephone Verification of Identity

[Kenneth Arnold <bkarnold () CBU EDU>]

We are dealing with the problem of how you verify the identity of a
person over the telephone sufficiently to discuss
non-directory/confidential information with them.

Do you require the person to supply specific data about themselves?  If
so, what data?
Do you have challenge questions/responses on file that you use to verify
identity?
How are other schools dealing with the problem?

We currently don't have a standard method to verify identity.  We have
tossed around some ideas like:
1.  Is the student ID sufficient?  Is the student ID similar to the SSN
in that we can't use it for identification either because of FERPA?
2.  Is the birthdate sufficient?  Facebook makes this information
readily available. A doctor's office tends to use this to verify
identity over the phone.
3.  Is the student ID and the birthdate sufficient?
4.  It is our impression that we can't use the social security number or
even part of it because of FERPA.
5.  Do you call the person back at a telephone number recorded for that
person in our administrative database?
6.  Do you use caller ID to verify that the person is calling from a
number recorded for that person in the administrative database?  Caller
ID can be forged.
7.  Do you generate a random number, display it to the person answering
the phone, send the random number to the person through email and then
require the person to give you the random number?


--
Brother Kenneth Arnold
Director of Network Systems
Christian Brothers University
Memphis, TN
(901) 321-4333