Evan Pettrey <[email protected]> wrote:
> Good afternoon LOPSA,
>
> We're currently investigating ways to further tighten security at $job and one
> of the things I'd like to harden is the way we verify people are who they say
> they are over the phone.
>
> If a user calls into your help desk because they are locked out of their
> account or need a password reset, how do you verify their identity? I'm
> looking for some best practices here.
If they are not on campus, then we will consider doing password resets remotely. We have them fax or email a scan of a government-issued photo ID and provide a call-back number. That won't stop a targeted attack, but if they are who they say they are, they can scan their ID or take a picture on their phone and send it in about 5 minutes. 10 to be generous. If it takes them several hours to do that, and they don't have a good explanation of why, then I might suspect a photoshop session.

Of course, in our case the remote users also usually don't have much at risk -- a courtesy account that has few files and limited access, or in the case of alumni, an account with an old web page and their homework from several years before... and most likely the email address they use to send us the scan is somewhat obviously theirs.

--david

David Parter
Director of Academic Computing Facilities
University of Wisconsin Computer Sciences Department
[email protected]
608-262-0608

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
