Security Basics mailing list archives

RE: How to authentificate an user via telephon?


From: "Brian Cook" <BrianM.Cook () trcinc com>
Date: Wed, 4 Dec 2002 12:38:56 -0500

most corporate helpdesks i'm aware of have used either the user's
employee number or, where applicable, badge/ID number. where i am, i
have the luxury of knowing my coworkers by sight and voice, so when they
ask me for a reset, i know who i'm dealing with. (advances in cloning
technology may obsolete this method, however...)

my personal preference is to establish with the user a confirmation
code/phrase which is tied to their login (stored in an IT-only database
or tied into active directory's structure). somewhat analogous to
another poster's "security question" used with ISPs. 

as a very last resort, faxing identification would work as well, though
it'd be tedious and a lot more hassle than the above method. 

cheers,
--bmc

-----Original Message-----
From: Robert Sieber [mailto:rsieber () web de] 
Sent: Tuesday, December 03, 2002 7:50 PM
To: security-basics () lists securityfocus com
Subject: How to authentificate an user via telephon?


Hello colleagues,

imagine the following situation:

User calls the helpdesk to reset/alter some kind
of account-password (NT, RAS, PKI-PIN ...) and you 
have to determine whether the user is the correct 
(owner of the account) user. What would you do
to authenticate the user's identity?

What are good methods to do this? It should be
easy for the user but secure for the administration.


Robert

-- 
http://board.protecus.de - Firewalls, Security and more ...
 



