Security Basics mailing list archives

RE: How to authentificate an user via telephon?


From: "Mark Medici" <mark () dbma com>
Date: Fri, 6 Dec 2002 12:34:56 -0500

You know, maybe I'm paranoid/delusional, but I'd never use SSN (or part thereof) or birth date as authenticators.  

First of all, I believe that the SSN _should_ be highly private and restricted information.  The only people who should 
be able to access this data are HR people with a need to know.  Also, consider this: how much can you reasonably trust 
your help desk staff?  Aren't these staff the most likely and susceptible targets for "social engineering" in your IT 
organization?

Second of all, the reality is that most people are just too casual about disclosing their SSN and birth date for me to 
have any confidence that possession of these facts is reasonable proof of identity.  Any time you try to talk to any 
vendor about your account you are forced to supply some combination of your SSN (or the last 4 characters), and your 
birth date, phone number, address, and/or zip code.  Don't you think the hackers know this?  How long do you think it 
would take a hacker to social engineer this info?

I believe that password changes should be done in person.  If this is impossible, the help desk should call back the 
user at his "of record" office, home or cellular phone number with 1/2 the new password, and then call that user's 
supervisor with the other half.  Presumably, the supervisor would know his employee sufficiently to be able to 
determine authenticity before supplying the second half of the new password.  The new password would be good for one 
use, at which time the user would pick his own, new password.

-- Mark
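A sketch of the split-delivery reset procedure described in the post above, as an added example that is not from the post or from the list; the directory of contacts of record, the 15-minute validity window and the attempt limit are assumptions, and actual phone delivery is left to the caller:

```python
import hashlib
import hmac
import secrets
import time


class SplitResetService:
    """One-time reset password delivered as two halves over separate
    out-of-band channels of record: the user's own phone and the user's
    supervisor. Nothing here places calls; issue() returns the deliveries
    so a caller can hand them to whatever reaches those parties."""

    def __init__(self, directory, ttl_seconds=900, max_attempts=3):
        self.directory = directory      # assumed: user -> contacts of record
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}               # user -> {"digest", "expires", "attempts"}
        self.must_change = set()        # users who must pick a new password next

    def issue(self, user, now=None):
        rec = self.directory[user]
        otp = secrets.token_hex(8)      # 64 bits of entropy, 16 hex characters
        self.pending[user] = {
            "digest": hashlib.sha256(otp.encode()).hexdigest(),  # store a hash, not the OTP
            "expires": (now if now is not None else time.time()) + self.ttl,
            "attempts": 0,
        }
        half = len(otp) // 2
        # Each party receives only one half; neither half alone is a usable credential.
        return [
            {"to": rec["phone_of_record"], "part": otp[:half]},
            {"to": rec["supervisor"], "part": otp[half:]},
        ]

    def redeem(self, user, candidate, now=None):
        entry = self.pending.get(user)
        if entry is None:
            return False
        if (now if now is not None else time.time()) > entry["expires"]:
            del self.pending[user]      # expired: the help desk must re-issue
            return False
        offered = hashlib.sha256(candidate.encode()).hexdigest()
        if hmac.compare_digest(entry["digest"], offered):
            del self.pending[user]      # single use: consumed on success
            self.must_change.add(user)  # user now picks a new password of their own
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= self.max_attempts:
            del self.pending[user]      # revoke after repeated wrong guesses
        return False
```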

