On 12/21/2011 3:03 PM, Adam Levin wrote:
> On Wed, 21 Dec 2011, Evan Pettrey wrote:
>> If a user calls into your help desk because they are locked out of their
>> account or need a password reset, how do you verify their identity? I'm
>> looking for some best practices here.
>
> I've typically seen security questions work in these cases. You can
> ask for a PIN, a "mother's maiden name" type of question (best if you
> let them pick their own question/answer pair), or have them verify an
> employee ID or information like mailing address or other employment
> information.
>
> Of course, this all requires that the help desk have some access to a
> database of information on each employee.
>
> Another option, depending on how secure you want to be, is to have the
> helpdesk call the person back at a known phone number. It's still
> possible that an imposter found the employee's cell phone, of course.

This is good, until the known good phone number becomes unknown.... The
company I work for has about three places where our phone number could
be, and they are not all linked. So, when I recently called the
helpdesk, my number wasn't in the system they use for verification and
call back. They actually had to get my manager on the phone, because
they did have his number, and he had to vouch for my voice. Having the
ability to call someone else as additional verification is always helpful.

-spp
_______________________________________________
This list provided by the League of Professional System Administrators
http://lopsa.org/