Security Basics mailing list archives
RE: remote authentication
From: "Eric Pinkerton" <EPinkerton () soulaustralia com au>
Date: Thu, 13 Mar 2008 13:35:20 +1100
There are many products out there that claim to be reliable enough to use voice recognition as a second factor, and who boast some pretty impressive clients - http://www.voicevault.com/ is just one example. It is my impression (and I may be wrong) that these are adopted mainly to solve problems with resourcing rather than security, and I would guess that is a cost-related consideration.

Normal best practice is to send the password 'out of band', so either by calling them back on a mobile you have listed in the GAL, or a home phone, or as someone suggested leaving them a vmail on their work phone.

Yes, users can be placed under duress, but in this case almost every system is flawed, and resetting a password for someone who has a gun to their head is the last of your problems.

Interestingly enough, some voice auth recognition systems claim to be able to detect the user being under duress! How many Tom Clancy novels the marketing dept has read could be a contributing factor on this though....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lovena J Reddi
Sent: Thursday, March 13, 2008 6:48 AM
To: 'Worrell, Brian'; 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: RE: remote authentication

My main problem is how to identify that it's the user who is asking me to reset his password. As voice recognition is not adequate despite I will ask user about the secret question. But I don't have that system in place. And also, can I be sure it's the user himself texting it to me? As someone can steal it and make use of it, or under threat my user can give the necessary information, which the thief can make use of and call me or text me. Any other option?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Worrell, Brian
Sent: Wednesday, March 12, 2008 11:28 PM
To: Lovena J Reddi; Jacob Jennings; Juan B; security-basics () securityfocus com
Subject: RE: remote authentication

So the users would call you, and over the network, you would change the password of their device? What about a one time password system to auth them? Say it texts it to a phone on record, and then they verify it with you over the call?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lovena J Reddi
Sent: Wednesday, March 12, 2008 3:11 PM
To: 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: remote authentication

Hi,

I need to develop a process about remote authentication. I am looking for a way where I can reset someone's password while being at client side and not connecting over my network. In fact I have SafeBoot installed on all machines and if a user reports that his SafeBoot account is disabled, I need to reset it, but before that I need to recognize that person. Since voice recognition is not considered as adequate, I need to develop a process to authenticate remote callers which will include a combination of personal information and one key question/answer. Can anyone help me out to find an appropriate way besides voice? Note that this person will call for resetting the password.
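
The one-time-code check suggested in the thread (text a code to the phone on record, then have the caller read it back), sketched as an added example that is not part of any of the posts. The `ResetDesk` class, the `send_sms` callable, the sample directory, the 5-minute lifetime and the 3-attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3         # assumption: 3 wrong read-backs burn the code

# Constructed sample directory: user id -> phone number already on record.
DIRECTORY = {"jdoe": "+15550100"}


class ResetDesk:
    """Help-desk side of a reset call verified by a texted one-time code."""

    def __init__(self, directory, send_sms, clock=time.time):
        self.directory = directory
        self.send_sms = send_sms   # hypothetical callable(number, text)
        self.clock = clock
        self.pending = {}          # user -> [code, expiry, attempts_left]

    def issue(self, user):
        """Text a fresh code to the number on record, never to a number
        the caller supplies during the call."""
        number = self.directory.get(user)
        if number is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, 6 digits
        self.pending[user] = [code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(number, f"Help desk reset code: {code}")
        return True

    def verify(self, user, spoken_code):
        """Check the code the caller reads back; a code works at most once."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if self.clock() > expiry or attempts_left <= 0:
            del self.pending[user]       # expired or guessed too often
            return False
        if hmac.compare_digest(code.encode(), spoken_code.strip().encode()):
            del self.pending[user]       # single use: consume on success
            return True
        entry[2] -= 1                    # count the failed read-back
        return False
```

A successful check shows only that the caller can read messages on the enrolled phone, which is the stolen-phone and duress limitation raised in the thread.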