Security Basics mailing list archives

Re: How to authenticate a user via telephone?


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 4 Dec 2002 10:00:48 -0700

On Tue, Dec 03, 2002 at 07:50:10PM +0100, Robert Sieber wrote:
> Hello colleagues,
> 
> imagine the following situation:
> 
> A user calls the helpdesk to reset/alter some kind
> of account password (NT, RAS, PKI PIN ...) and you
> have to determine whether the user is the correct
> user (the owner of the account). What would you do
> to authenticate the user's identity?
> 
> What are good methods to do this? It should be
> easy for the user but secure for the administration.

You could have a passphrase book, and tell the user, "Your password
has been set to the next passphrase".

Some places that don't *really* care about security do the password
for when you call the support desk.  This is usually a pet's name,
birthday, or otherwise easily remembered crappy password.

This just leaves you with an account that has two passwords, one of
which is never going to change *and* is very likely the worst password
one would ever want to pick.

If they ask you to reset only one of the passwords, then they still
know the rest.  They could provide authentication on another service
to alter their password on the requested service.

Our "easy for the user" is they show up at the help desk with their
University ID (I work for a University).  A pain in the butt for folks
out of town, but oh well.  The "I am really who I say I am" identity
claim over the phone just doesn't work...  Not even if "I *Really* am
who I say I am".

-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science
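The passphrase-book scheme Brad mentions above, worked through as an added example (this is not code from the original post or from the University of Calgary): the user is handed a printed list of one-time passphrases in person, the server keeps only salted hashes of them plus a cursor, and a help-desk reset consists of moving the cursor and telling the caller the entry number. Nothing secret is spoken over the phone, and a fresh reset can only be turned into a login by someone holding the paper. The word list, user name, and hash parameters are assumptions for illustration; a real deployment would use a large word list such as Diceware's.

```python
import hashlib
import hmac
import secrets

# Constructed sample word list for the example only (not from the original post).
WORDS = ["acorn", "badge", "cabin", "delta", "ember", "fjord", "gavel",
         "hazel", "igloo", "jumbo", "kayak", "lemon", "mango", "nylon",
         "olive", "pixel", "quilt", "radar", "sable", "tulip"]

PBKDF_ITERS = 100_000  # assumed work factor for the stored hashes


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a passphrase; only this is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF_ITERS)


def make_passphrase(words_per_phrase: int = 4) -> str:
    """Random passphrase drawn with the CSPRNG, e.g. 'kayak-olive-acorn-tulip'."""
    return "-".join(secrets.choice(WORDS) for _ in range(words_per_phrase))


class PassphraseBook:
    """Server side of a printed one-time passphrase book.

    issue() returns the plaintext list exactly once, for the user to keep
    on paper; the server retains only salted hashes and a per-user cursor.
    """

    def __init__(self):
        self.books = {}     # user -> list of (salt, hash), one per book entry
        self.cursor = {}    # user -> index of the next unused entry
        self.accounts = {}  # user -> {"salt", "hash", "must_change"}

    def issue(self, user: str, entries: int = 10) -> list[str]:
        """Generate a book for a user who has proven identity in person."""
        phrases = [make_passphrase() for _ in range(entries)]
        self.books[user] = []
        for phrase in phrases:
            salt = secrets.token_bytes(16)
            self.books[user].append((salt, _hash(phrase, salt)))
        self.cursor[user] = 0
        return phrases  # printed and handed over; never stored in clear

    def helpdesk_reset(self, user: str) -> int:
        """Reset the account password to the next unused book entry.

        Returns the 1-based entry number the help desk reads to the caller.
        The caller learns nothing they did not already hold on paper, and
        the entry is consumed so a second reset moves on to the next one.
        """
        i = self.cursor.get(user)
        if i is None or i >= len(self.books[user]):
            raise RuntimeError("no unused entries; reissue the book in person")
        salt, digest = self.books[user][i]
        self.cursor[user] = i + 1
        self.accounts[user] = {"salt": salt, "hash": digest, "must_change": True}
        return i + 1

    def login(self, user: str, password: str) -> str:
        """Returns 'denied', 'change-required' (reset passphrase used) or 'ok'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return "denied"
        return "change-required" if acct["must_change"] else "ok"

    def set_password(self, user: str, new_password: str) -> None:
        """User picks a real password after logging in with a reset entry."""
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt,
                               "hash": _hash(new_password, salt),
                               "must_change": False}


if __name__ == "__main__":
    book = PassphraseBook()
    paper = book.issue("rsieber", entries=3)     # handed over at the desk
    n = book.helpdesk_reset("rsieber")           # phone call: "use entry 1"
    print("entry number told to caller:", n)
    print("login with book entry:", book.login("rsieber", paper[n - 1]))
    book.set_password("rsieber", "correct horse battery staple")
    print("old entry after change:", book.login("rsieber", paper[n - 1]))
```

Because the account is flagged must_change after a reset, a consumed entry is only good for one login and cannot quietly become the permanent second password that the pet's-name scheme leaves behind; once the book is exhausted the user has to appear in person again, which is the same fallback as the University ID check.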

