Educause Security Discussion mailing list archives
Telephone Verification of Identity
From: Kenneth Arnold <bkarnold () CBU EDU>
Date: Thu, 19 Mar 2009 20:58:39 -0500
We are dealing with the problem of how you verify the identity of a person over the telephone sufficiently to discuss non-directory/confidential information with them. Do you require the person to supply specific data about themselves? If so, what data? Do you have challenge questions/responses on file that you use to verify identity? How are other schools dealing with the problem? We currently don't have a standard method to verify identity. We have tossed around some ideas like: 1. Is the student ID sufficient? Is the student ID similar to the SSN in that we can't use it for identification either because of FERPA? 2. Is the birthdate sufficient? Facebook makes this information readily available. A doctor's office tends to use this to verify identity over the phone. 3. Is the student ID and the birthdate sufficient? 4. It is our impression that we can't use the social security number or even part of it because of FERPA. 5. Do you call the person back at a telephone number recorded for that person in our administrative database? 6. Do you use caller ID to verify that the person is calling from a number recorded for that person in the administrative database? Caller ID can be forged. 7. Do you generate a random number, display it to the person answering the phone, send the random number to the person through email and then require the person to give you the random number? -- Brother Kenneth Arnold Director of Network Systems Christian Brothers University Memphis, TN (901) 321-4333
Current thread:
- Telephone Verification of Identity Kenneth Arnold (Mar 19)
- <Possible follow-ups>
- Re: Telephone Verification of Identity Tonkin, Derek K. (Mar 20)
- Re: Telephone Verification of Identity Irish, Adrian L (Mar 20)
- Re: Telephone Verification of Identity Matthew Giannetto (Mar 20)