Re: Authentication of remote users

[Kees Leune <LEUNE () ADELPHI EDU>]

> > > On 1/3/2008 at 12:54 PM, in message <01MPNK1PXU5Y8ZE3RK () cc usu edu>, Bob Bayn
<Bob.Bayn () USU EDU> wrote:

> > Lets say you have a user that:
> >
> > 1) forgot their password
> > 2) forgot their answers to their secret question(s)
> > 3) is traveling making visiting the helpdesk impossible
> >
> > Lets also say asking for last four digits of SSN is
> > not allowed.
> >
> > How do you authenticate the identity of the user and
> > allow them to change their password?
>
> We require a familiar voice on the phone, possibly 
> involving an on-campus co-worker.  For instance,
> Prof X calls from Ublickistan to his dept secretary
> Sally who makes a conference call to the ServiceDesk.
> The phone at the servicedesk shows that the call
> is from sally's office and we know sally because
> she calls us several times a week with computer 
> problems.

How do you go about authenticating students with lost credentials? Obviously, the known-coworker approach does not work 
there. We are now considering letting them register an alternative email address to which we will send a one-time use 
password reset token.

Thanks,
-Kees