Security Basics mailing list archives

Re: remote authentication


From: Abe Getchell <me () abegetchell com>
Date: Fri, 14 Mar 2008 11:02:20 -0400

What you mentioned is possible. However, you can say the same of the
helpdesk that will be resetting the password. What is stopping them from
using the password to access the records before setting the "force
change on next logon" flag? What is stopping the user from claiming
that the helpdesk accessed the sensitive information prior to sending
him/her the password?

Well, normally, outside of the situation being discussed, the best answer
is usually any one of the numerous products that do self-service
password resets using a local application, internal website, etc. The
technology is (somewhat adequately) described here:

http://en.wikipedia.org/wiki/Self-service_password_reset

A network-based technology utilizing a self-service password reset
technology won't work for the original poster as his users don't have
network access. An automated phone system to authenticate personal
information and reset passwords would, however. IMO, that's pretty much
going to be the best (although not the cheapest) solution to this whole
problem. It also addresses the specific issue I mentioned, by not
establishing a chain of accountability.

Remember, Security is not just tagging a PGP signature to the bottom of an email.

Thanks for that. =)

-- 
Abe Getchell
me () abegetchell com
http://abegetchell.com/
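As an added example (not code from the thread or from any product it mentions), here is a minimal model of the self-service reset flow Abe describes, with a constructed account and hypothetical function names. It shows why the flow removes the helpdesk from the chain: no operator ever sees the temporary password, the force-change flag is set in the same step as the reset, and the audit record shows no human was involved.

```python
"""Self-service password reset model: identity is proven with pre-enrolled
answers, the temporary password is disclosed only to the requester, and the
must-change flag is set atomically with the reset. Sample data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _h(value: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored verifiers (password and answers) are never plaintext.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def _norm(answer: str) -> str:
    # Challenge answers are case/whitespace-insensitive; passwords are not.
    return " ".join(answer.strip().lower().split())


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    answers: Dict[str, bytes]          # question -> hashed normalized answer
    must_change: bool = False
    audit: List[str] = field(default_factory=list)


def enroll(password: str, answers: Dict[str, str]) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _h(password, salt),
                   {q: _h(_norm(a), salt) for q, a in answers.items()})


def self_service_reset(acct: Account, given: Dict[str, str]) -> Optional[str]:
    """Check every enrolled answer (no short-circuit, constant-time compare).
    On success, issue a one-time password and flag it must-change in one step.
    Returns the temporary password, or None without saying which answer failed."""
    checks = [hmac.compare_digest(acct.answers[q], _h(_norm(given.get(q, "")), acct.salt))
              for q in acct.answers]
    if not all(checks):
        acct.audit.append("reset_denied:self-service")
        return None
    temp = secrets.token_urlsafe(12)
    acct.pw_hash, acct.must_change = _h(temp, acct.salt), True   # no window in between
    acct.audit.append("reset_ok:self-service:no-operator")
    return temp


def logon(acct: Account, password: str) -> str:
    if not hmac.compare_digest(acct.pw_hash, _h(password, acct.salt)):
        return "denied"
    return "change-required" if acct.must_change else "ok"
```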


