On Wed, 21 Dec 2011, Evan Pettrey wrote:
> If a user calls into your help desk because they are locked out of their
> account or need a password reset, how do you verify their identity? I'm
> looking for some best practices here.

I've typically seen security questions work in these cases. You can ask for a PIN, a "mother's maiden name" type of question (best if you let them pick their own question/answer pair), or have them verify an employee ID or information like mailing address or other employment information.

Of course, this all requires that the help desk have some access to a database of information on each employee.

Another option, depending on how secure you want to be, is to have the helpdesk call the person back at a known phone number. It's still possible that an imposter found the employee's cell phone, of course.

-Adam
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
