AW: How to authentificate an user via telephon?

From: Robert Sieber (rsieber@web.de)
Date: 12/04/02

    From: "Robert Sieber" <rsieber@web.de>
    To: <security-basics@lists.securityfocus.com>
    Date: Wed, 4 Dec 2002 19:50:54 +0100
    
    

    Thanks for all replies!

    For me it is a very hard question because I don't
    know where all of the up to 20.000 clients are
    located - there are also RAS users with tokens
    or PKI chipcards. The other problem is that all
    clients are employed by bank institutes and so
    passwords are more critical than in other cases.

    I thought about the following procedures:

    - help desk has two telephone numbers
    - the client will get a call back from help
    desk

    Well, let's see.

    Robert

    > -----Original Message-----
    > From: bsm14096@ad.creighton.edu [mailto:bsm14096@ad.creighton.edu]
    > Sent: Wednesday, December 4, 2002 18:43
    > To: Robert Sieber; security-basics@lists.securityfocus.com
    > Subject: RE: How to authentificate an user via telephon?
    >
    >
    > Robert,
    >
    > In a past life we would send the new password to a known email address
    > for the person whose account is reset. If email is not available we
    > would leave the reset password on the user's voice mail. Both systems
    > would only be accessible by the person whose account is reset. If
    > someone other than the owner of the account requests a reset, the
    > account is still safe, assuming email and vmail are secure.
    >
    > Bryan
    >
    > -----Original Message-----
    > From: Robert Sieber [mailto:rsieber@web.de]
    > Sent: Tuesday, December 03, 2002 12:50 PM
    > To: security-basics@lists.securityfocus.com
    > Subject: How to authentificate an user via telephon?
    >
    > Hello colleagues,
    >
    > imagine the following situation:
    >
    > A user calls the helpdesk to reset/alter some kind
    > of account-password (NT, RAS, PKI-PIN ...) and you
    > have to determine whether the user is the correct
    > (owner of the account) user. What would you do
    > to authenticate the user's identity?
    >
    > What are good methods to do this? It should be
    > easy for the user but secure for the administration.
    >
    >
    > Robert
    >
    > --
    > http://board.protecus.de - Firewalls, Security and more ...
    >
    >
    >
    >
    >


