Security Basics mailing list archives
RE: remote authentication
From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Thu, 13 Mar 2008 08:57:25 -0400
Only downside to the voicemail thing is that users tend to use dates of importance as their password, and even on systems that require you to change it on an interval, they find a way to use the same one over or just change the leading digit from 0 to 1. Without thinking about it, I have got several people's voicemail passwords; I used to do it as a training session point. Imagine their surprise when I crack it, having known them for only a few minutes.

One-time passwords are becoming commonplace now, but the number must normally be on record. So I call in from my home phone (or desk) and ask that you reset my password. You verify my user name, then send a password via text to the cell on record, where the password is required to be changed on first login. Not perfect, mind you, but cheaper than an expensive voice service.

Another thought would be to have a "security" person at the site whose voice you can verify. End user calls, you verify the user name again, then call the "security" person and give them the temp password. Again requiring change on first login.

Issue is that no matter what, unless they come in person, any system can be adverted.

Just my two copper pieces......

-----Original Message-----
From: Eric Pinkerton [mailto:EPinkerton () soulaustralia com au]
Sent: Wednesday, March 12, 2008 10:35 PM
To: Lovena J Reddi; Worrell, Brian; Jacob Jennings; Juan B; security-basics () securityfocus com
Subject: RE: remote authentication

There are many products out there that claim to be reliable enough to use voice recognition as a second factor, and who boast some pretty impressive clients - http://www.voicevault.com/ is just one example. It is my impression (and I may be wrong) that these are adopted mainly to solve problems with resourcing rather than security, and I would guess that is a cost-related consideration.

Normal best practice is to send the password 'out of band', so either by calling them back on a mobile you have listed in the GAL, or a home phone, or as someone suggested leaving them a vmail on their work phone. Yes, users can be placed under duress, but in this case almost every system is flawed, and resetting a password for someone who has a gun to their head is the last of your problems. Interestingly enough, some voice auth recognition systems claim to be able to detect the user being under duress! How many Tom Clancy novels the marketing dept has read could be a contributing factor on this though....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lovena J Reddi
Sent: Thursday, March 13, 2008 6:48 AM
To: 'Worrell, Brian'; 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: RE: remote authentication

My main problem is how to identify that it's the user who is asking me to reset his password. As voice recognition is not adequate, despite that I will ask the user about the secret question. But I don't have that system in place. And also how can I be sure it's the user himself texting it to me? As someone can steal it and make use of it, or under threat my user can give the necessary information which the thief can make use of and call me or text me. Any other option?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Worrell, Brian
Sent: Wednesday, March 12, 2008 11:28 PM
To: Lovena J Reddi; Jacob Jennings; Juan B; security-basics () securityfocus com
Subject: RE: remote authentication

So the users would call you, and over the network, you would change the password of their device? What about a one-time password system to auth them? Say it texts it to a phone on record, and then they verify it with you over the call?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lovena J Reddi
Sent: Wednesday, March 12, 2008 3:11 PM
To: 'Jacob Jennings'; 'Juan B'; security-basics () securityfocus com
Subject: remote authentication

Hi

I need to develop a process about remote authentication. I am looking for a way where I can reset someone's password while being at the client side and not connecting over my network. In fact I have SafeBoot installed on all machines, and if a user reports that his SafeBoot account is disabled, I need to reset it, but before that I need to recognize that person. Since voice recognition is not considered adequate, I need to develop a process to authenticate remote callers which will include a combination of personal information and one key question/answer. Can anyone help me out to find an appropriate way besides voice? Note that this person will call for resetting the password.
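The out-of-band temporary-password flow discussed above (helpdesk verifies the user name, temp password is texted to the phone on record, change is required on first login), as an added example that is not code from anyone in this thread. It assumes a constructed user directory and a hypothetical send_sms hook standing in for a real SMS gateway.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
# Constructed user directory: the phone on record is the only out-of-band channel.
USERS = {"bworrell": {"phone": "+1-555-0100"}, "jreddi": {"phone": None}}

@dataclass
class PendingReset:
    salt: bytes
    digest: bytes
    expires_at: float

class ResetDesk:
    """Temp passwords sent out of band: short lived, single use, change on first login."""

    def __init__(self, send_sms, ttl_seconds=600, clock=time.time):
        self.send_sms = send_sms   # hypothetical delivery hook standing in for an SMS gateway
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}          # username -> PendingReset
        self.passwords = {}        # username -> (salt, digest) of the password the user chose

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def start_reset(self, username):
        """Helpdesk has verified the username; text a temp password to the phone on record."""
        user = USERS.get(username)
        if user is None or not user["phone"]:
            return False           # nothing on record: no remote reset, caller must come in
        temp = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingReset(salt, self._hash(temp, salt), self.clock() + self.ttl)
        self.send_sms(user["phone"], f"Temporary password: {temp}")
        return True

    def first_login(self, username, temp, new_password):
        """Temp password is accepted once, before expiry, and only together with a new one."""
        pr = self.pending.get(username)
        if pr is None or self.clock() > pr.expires_at:
            self.pending.pop(username, None)   # expired entries are discarded
            return False
        if not secrets.compare_digest(self._hash(temp, pr.salt), pr.digest):
            return False
        del self.pending[username]             # single use once it has been accepted
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, self._hash(new_password, salt))
        return True
```

Only the hash of the temp password is kept on the helpdesk side, so a copy of the pending table does not give away the value that was texted.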
