Re: How to authentificate an user via telephon?

From: Valter Santos (
Date: 12/05/02

  • Next message: Art Tarsha: "RE: How to authentificate an user via telephon?"
    From: Valter Santos <>
    To: Gene Barlow <>
    Date: 05 Dec 2002 17:55:10 +0000

    Hello Gene,

    but that sollution will fail for a person-target attack... I can find
    with little effort the ssn & birthdate of a target person and pretend to
    be her/he.

    I suppose the callback sollution is better, althought as it flaws 8-(


    On Wed, 2002-12-04 at 17:27, Gene Barlow wrote:
    > Robert,
    > Currently, I'm in the process of getting approval on a new procedure
    > for doing just that. If approved, we'll write a script that will query
    > the last 4 digits of the users ssn & birthdate against our ERP software.
    > So, for instance, if John Doe calls and requests a password change,
    > we'll ask for the last 4 digits of the ssn and their birthdate, type it
    > in the script, and see if that user's name is returned in the response.
    > If so, we know (hopefully) that the user is who he says he is...
    > Hope this helps...
    > Gene...
    > Robert Sieber wrote:
    > >Hello colleauges,
    > >
    > >imaging the following situation:
    > >
    > >User calls the helpdesk to reset/alter some kind
    > >of account-password (NT, RAS, PKI-PIN ...) and you
    > >has to determin wheter the user is the correct
    > >(owner of the account) user. What would you do
    > >to authentificate the users identity?
    > >
    > >What are good methodes to do this? It should be
    > >easy for the user but secure for the administration.
    > >
    > >
    > >Robert
    > >

    Valter Santos                         |||          (@ @)                 

    Relevant Pages