Security Basics mailing list archives

Re: How to authenticate a user via telephone?


From: J.Reilink <digiover () dsinet org>
Date: Wed, 4 Dec 2002 22:48:33 +0100

----- Original message -----
On Tue, 3 Dec 2002 19:50:10 +0100
"Robert Sieber" <rsieber () web de> wrote in message
<BBENJKHLDJKKOGPHEIOEKEGLCIAA.rsieber () web de>:

Hello colleagues,

Imagine the following situation:

A user calls the helpdesk to reset/alter some kind
of account password (NT, RAS, PKI PIN ...) and you
have to determine whether the caller is the correct
user (the owner of the account). What would you do
to authenticate the user's identity?

What are good methods to do this? It should be
easy for the user but secure for the administration.


I work on a hel(l)pdesk and we do it like this:
Rightful customers always have their "order number" on paper; they need
to tell us this number over the phone before we can give them their
password. If they don't have this number, we call the registered
contact person on the registered contact phone number (if the person is
not present, we call back half an hour later).

We won't easily email passwords. If we have to (and the user is
authenticated by the "order number"), we send it in an otherwise empty
email to the registered email address. Only the user knows what that one
word in the email is for; even if someone else intercepts the email, he
doesn't know for what domain name and/or email address it is.

The rightful customer always has the opportunity to change his data
(contact person, email address, phone number), in case he moves or
something (it's his responsibility).

Regards, Jan

-- 
/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \             DSINet: http://www.dsinet.org
