Educause Security Discussion mailing list archives

Re: Telephone Verification of Identity


From: "Tonkin, Derek K." <Derek_Tonkin () BAYLOR EDU>
Date: Fri, 20 Mar 2009 10:05:01 -0500

I don't have any answers but I would be very interested in this as well.
I believe that our helpdesk has some policies in place for this and will
see what they are but I doubt that they would meet our needs in the
security group. Presently we use a combination of phone numbers on file
and caller ID but I would be interested in a better practice.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kenneth Arnold
Sent: Thursday, March 19, 2009 8:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Telephone Verification of Identity

We are dealing with the problem of how you verify the identity of a 
person over the telephone sufficiently to discuss 
non-directory/confidential information with them.

Do you require the person to supply specific data about themselves?  If 
so, what data?
Do you have challenge questions/responses on file that you use to verify 
identity?
How are other schools dealing with the problem?

We currently don't have a standard method to verify identity.  We have 
tossed around some ideas like:
1.  Is the student ID sufficient?  Is the student ID similar to the SSN 
in that we can't use it for identification either because of FERPA?
2.  Is the birthdate sufficient?  Facebook makes this information 
readily available. A doctor's office tends to use this to verify 
identity over the phone.
3.  Is the student ID and the birthdate sufficient?
4.  It is our impression that we can't use the social security number or 
even part of it because of FERPA.
5.  Do you call the person back at a telephone number recorded for that 
person in our administrative database?
6.  Do you use caller ID to verify that the person is calling from a 
number recorded for that person in the administrative database?  Caller 
ID can be forged.
7.  Do you generate a random number, display it to the person answering 
the phone, send the random number to the person through email and then 
require the person to give you the random number?


--
Brother Kenneth Arnold
Director of Network Systems
Christian Brothers University
Memphis, TN
(901) 321-4333
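
Idea 7 in the original message (a random number e-mailed to the person and read back over the phone) can be sketched as follows; this is an added example, not part of either post and not any school's actual procedure. The class name, the 6-digit length, the 5-minute lifetime, the 3-guess limit, and storing only a keyed hash so the agent types what the caller says instead of seeing the number are all assumptions of the sketch.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for one call
MAX_ATTEMPTS = 3         # assumed number of guesses before the code is burned


class PhoneChallenge:
    """One-time code for a single helpdesk call (hypothetical helper)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # per-call MAC key, never stored
        self._digest = None
        self._expires = 0.0
        self._attempts = 0

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, now=None):
        """Return a 6-digit code to e-mail to the address already on file."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._digest = self._mac(code)
        self._expires = now + CODE_TTL_SECONDS
        self._attempts = 0
        return code

    def verify(self, spoken, now=None):
        """Check the code the caller reads back; valid once, within the TTL."""
        now = time.time() if now is None else now
        if self._digest is None or now > self._expires:
            self._digest = None
            return False
        self._attempts += 1
        # Constant-time comparison of MACs rather than of the raw digits.
        ok = hmac.compare_digest(self._digest, self._mac(spoken.strip()))
        if ok or self._attempts >= MAX_ATTEMPTS:
            self._digest = None   # burn the code on success or lockout
        return ok
```

The check proves only that the caller can read the mailbox on file, so it is no stronger than the protection on that e-mail account.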
