At our organization we call the user back at the phone number listed in our master records
and ask a "challenge" question, such as mother's maiden name, etc. Seems to work fine.

From: Action Request System discussion list (ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Cleereman (IT)
Sent: Thursday, October 30, 2008 10:42 AM
To: [email protected]
Subject: Process: Verifying a user's identity for password resets

Hi All,

Currently our service desk takes calls from internal customers who need their passwords reset. To be in compliance with various initiatives, they'd like a way to validate a user's identity. Basically they want to prevent Bob from calling in, having John's password reset, then gaining access to John's stuff.

Methods which aren't working for them are:

* Email from person's manager - Requires involvement from an additional person, who may not be available, potentially delaying a password reset which is needed immediately.
* Phone extension - Any caller could potentially call from another user's phone, or a phone not in our database, such as a cell phone.
* Last 4 of a person's SSN - Can be used to falsely verify a person's identity for credit applications, etc.
* Payroll Employee ID - ID is viewable by too many groups right now, with no auditing to establish who specifically has viewed this. Many employees are not aware of their IDs. Temps don't have payroll employee IDs.
* Date of Birth - Can be used in conjunction with a person's name to generate a DL# in many states, using a publicly available algorithm.
* User selected question (first pet, favorite color, mother's maiden name, etc.) - Does not currently exist, and would require user involvement prior to their password having been locked.

I'm sure others have run into this problem, and I am wondering how your Service Desks authenticate their customers' identities.

Eric Cleereman

Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"

Portions of this message may be confidential under an exemption to Ohio's public records law or under a legal privilege.
If you have received this message in error or due to an unauthorized transmission or interception, please delete all copies from your system without disclosing, copying, or transmitting this message.
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
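The reply at the top of this thread describes a two-step process: the desk calls the user back at the number held in the master record, then asks a challenge question. Below is an added example of how a service desk tool could enforce that process; it is not code from the thread, from either poster, or from the Remedy/ARS product. It treats the challenge answer as a low-entropy secret (answers like a mother's maiden name are frequently discoverable, as the original poster's objections to SSN and date of birth already suggest): the answer is stored only as a salted PBKDF2 hash so that staff who can read the record cannot read the answer, wrong answers are limited, and every verification attempt is written to an audit trail naming the agent, which addresses the "no auditing" concern raised about the payroll ID. The three-attempt lockout, the record layout, the usernames and the phone numbers are all assumptions constructed for the illustration.

```python
"""Caller verification for service-desk password resets.

Added example: callback to the number of record plus a challenge question,
with the answer stored only as a salted hash and every attempt audited.
All names, records and phone numbers below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_FAILED_ANSWERS = 3      # assumed policy: lock after three wrong answers
PBKDF2_ITERATIONS = 100_000


@dataclass
class UserRecord:
    """One row of the master record. Only a salted hash of the answer is kept,
    so staff who can read the record still cannot read the answer."""
    username: str
    callback_number: str    # digits only: the number of record (desk extension / DID)
    answer_salt: bytes
    answer_hash: bytes
    failed_answers: int = 0


@dataclass
class AuditEvent:
    when: datetime
    agent_id: str           # who performed the verification
    username: str           # whose reset was requested
    outcome: str            # verified | locked | callback_mismatch | answer_mismatch


AUDIT_LOG: List[AuditEvent] = []


def normalize_phone(number: str) -> str:
    """Keep digits only so '(614) 555-0100' and '614-555-0100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def normalize_answer(answer: str) -> str:
    """Fold case, accents, spaces and punctuation: "O'Brien " -> "obrien"."""
    decomposed = unicodedata.normalize("NFKD", answer)
    return "".join(ch for ch in decomposed if ch.isalnum()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow salted hash: challenge answers are low-entropy, so guessing must be costly."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def enroll(username: str, callback_number: str, answer: str) -> UserRecord:
    """Create the master record at enrollment time (i.e. before any lockout happens)."""
    salt = secrets.token_bytes(16)
    return UserRecord(username, normalize_phone(callback_number), salt, hash_answer(answer, salt))


def _audit(agent_id: str, username: str, outcome: str, now: Optional[datetime]) -> None:
    AUDIT_LOG.append(AuditEvent(now or datetime.now(timezone.utc), agent_id, username, outcome))


def verify_caller(record: UserRecord, agent_id: str, dialed_number: str,
                  answer: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the desk may reset this account.

    dialed_number is the number the agent actually called back; it must be the
    number of record, never one the caller offered. Every outcome is audited.
    """
    if record.failed_answers >= MAX_FAILED_ANSWERS:
        _audit(agent_id, record.username, "locked", now)
        return False, "locked"

    # Callback check: the agent must have dialed the number of record.
    if not hmac.compare_digest(normalize_phone(dialed_number), record.callback_number):
        _audit(agent_id, record.username, "callback_mismatch", now)
        return False, "callback_mismatch"

    # Challenge check: hash the offered answer with the stored salt, compare hashes.
    candidate = hash_answer(answer, record.answer_salt)
    if not hmac.compare_digest(candidate, record.answer_hash):
        record.failed_answers += 1        # a wrong answer consumes one attempt
        _audit(agent_id, record.username, "answer_mismatch", now)
        return False, "answer_mismatch"

    record.failed_answers = 0
    _audit(agent_id, record.username, "verified", now)
    return True, "verified"


if __name__ == "__main__":
    # Constructed sample: John enrolled his desk number and a challenge answer.
    john = enroll("john", "(614) 555-0100", "O'Brien")
    # Bob calls claiming to be John; the agent calls John's number of record back
    # and whoever answers guesses the challenge wrong.
    print(verify_caller(john, "agent17", "614-555-0100", "Smith"))
    for event in AUDIT_LOG:
        print(event.when.isoformat(), event.agent_id, event.username, event.outcome)
```

A callback mismatch is logged but does not count against the user, because it means the agent dialed the wrong number rather than that the caller failed the challenge; only wrong answers consume attempts. The audit entries record the agent as well as the target account, so "who verified whom, and how it went" can be reconstructed later.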

