I also work in the Financial area so I understand your concerns. In the past, we have made the employee's supervisor make the call to request the change. Then the password was emailed to the supervisor, not the employee. The supervisor (as an agent of the corporation) has the right to request a password change at any time, so there were no privacy concerns, and as it was emailed back to the supervisor, we knew only the supervisor would get the response. This also has a nice side effect of having users be more careful with their passwords; they want as little involvement from their supervisors as possible. It significantly cut down on calls. It can become difficult and you will get some complaints from supervisors, but all in all it was more effective than nothing. The company that instituted this system is still using it as far as I know. I have moved on to other ventures.
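The supervisor-request procedure described above, modelled as an added Python example (not code from the thread or any poster; all names, addresses and the in-memory directory are constructed, and mail delivery is a stand-in list):

```python
import secrets
import string
from typing import Optional

# Constructed sample data (hypothetical names/addresses): who supervises whom,
# and each supervisor's address as registered in the directory.
SUPERVISOR_OF = {"jdoe": "asmith", "asmith": "cjones"}
REGISTERED_EMAIL = {"asmith": "asmith@corp.example", "cjones": "cjones@corp.example"}

# Side-effect sinks so the flow runs offline: sent mail, account flags, audit log.
OUTBOX = []        # (destination, message) pairs
MUST_CHANGE = set()  # accounts forced to change password at next logon
AUDIT = []


def temp_password(length: int = 12) -> str:
    """Temporary password from a CSPRNG; only meant to survive until first logon."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handle_reset_request(caller: str, target: str, claimed_email: Optional[str] = None) -> dict:
    """Apply the rule from the post: only the supervisor of record may request a
    reset, and the new password goes to that supervisor's registered address,
    never to the employee and never to an address given over the phone."""
    if SUPERVISOR_OF.get(target) != caller:
        AUDIT.append(f"REFUSED reset of {target}: {caller} is not supervisor of record")
        return {"accepted": False, "delivered_to": None}
    if claimed_email:
        # Recorded for the audit trail but never used for delivery, so a caller
        # cannot redirect the credential by supplying their own address.
        AUDIT.append(f"IGNORED caller-supplied address {claimed_email} for {target}")
    dest = REGISTERED_EMAIL[caller]
    password = temp_password()
    MUST_CHANGE.add(target)  # the employee picks their own password on first logon
    OUTBOX.append((dest, f"Temporary password for {target}: {password}"))
    AUDIT.append(f"RESET {target} requested by supervisor {caller}, sent to {dest}")
    return {"accepted": True, "delivered_to": dest}


if __name__ == "__main__":
    print(handle_reset_request("asmith", "jdoe", claimed_email="someone@example.net"))
    print(handle_reset_request("jdoe", "asmith"))
    print(*AUDIT, sep="\n")
```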
>>> "Robert Sieber" <rsieber@web.de> 12/4/2002 1:50:54 PM >>>
Thanks for all replies!

For me it is a very hard question because I don't know where all of the up to 20.000 clients are located - there are also RAS users with tokens or PKI chipcards. The other problem is that all clients are employed by bank institutes and so passwords are more critical than in other cases.

I thought about the following procedures:
- help desk has two telephone numbers
- the client will get a call back from help desk

Well, let's see.

Robert
> -----Original Message-----
> From: bsm14096@ad.creighton.edu [mailto:bsm14096@ad.creighton.edu]
> Sent: Wednesday, 4 December 2002 18:43
> To: Robert Sieber; security-basics@lists.securityfocus.com
> Subject: RE: How to authenticate a user via telephone?
>
> Robert,
>
> In a past life we would send the new password to a known email address for the person whose account is reset. If email is not available we would leave the reset password on the user's voice mail. Both systems would only be accessible by the person whose account is reset. If someone other than the owner of the account requests a reset, the account is still safe, assuming email and vmail are secure.
>
> Bryan
>
> -----Original Message-----
> From: Robert Sieber [mailto:rsieber@web.de]
> Sent: Tuesday, December 03, 2002 12:50 PM
> To: security-basics@lists.securityfocus.com
> Subject: How to authenticate a user via telephone?
>
> Hello colleagues,
>
> imagine the following situation:
>
> User calls the helpdesk to reset/alter some kind of account-password (NT, RAS, PKI-PIN ...) and you have to determine whether the user is the correct user (owner of the account). What would you do to authenticate the user's identity?
>
> What are good methods to do this? It should be easy for the user but secure for the administration.
>
> Robert
>
> --
> http://board.protecus.de - Firewalls, Security and more ...