How many help desk techs do you have, is the real question. Every
person who has access to any part of employee SSNs is a potential risk
for identity theft and fraud.
Suggestions for alternatives:
1) Use another number
2) If you must use part of the SSN, consider setting up an app where the
help desk tech types in the employee name/number and last four digits of
SSN, and the app checks these against a database that the tech does not
have direct access to. Either it's valid or it's not. That way only
the people who maintain your HR database, who will need to have access
to employee SSNs anyway, have access to them. For that matter, you
could have this app on an internal server that the employees could
access directly. Need your password reset? Just open up this here web
app (which, naturally, should not be accessible from the net at large if
it's for internal purposes), type in your name, employee ID number,
and/or SSN, and either it will authenticate and reset your password or
tell you that you got something wrong. n incorrect attempts results in
a temp. lockout from the app, etc. Of course, this doesn't work if
employees have to log onto their workstations using that same password.
3) Make people go to the help desk in person and present ID for a
password reset. It's always harder to commit fraud in person.
Andy
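
A sketch of the checking app from suggestion 2, added here as an example and not part of the original post: the caller gets back only valid or not valid, and n wrong attempts trigger a temporary lockout. The class name, the limits, and the choice to store a keyed HMAC of the last four digits instead of the digits themselves are assumptions of this example.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 3            # the "n" in the post; value assumed
LOCKOUT_SECONDS = 15 * 60   # length of the temporary lockout; value assumed


class ResetVerifier:
    """Answers only valid / not valid; never returns stored SSN data."""

    def __init__(self, key, clock=time.monotonic):
        self._key = key       # held by the HR-side service, not by techs
        self._clock = clock
        self._records = {}    # employee_id -> (name, keyed tag of last four)
        self._failures = {}   # employee_id -> (failure count, locked_until)

    def _tag(self, employee_id, last4):
        # Keyed tag: a copy of the table without the key does not
        # reveal the digits, despite only 10,000 possible values.
        msg = f"{employee_id}:{last4}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, employee_id, name, last4):
        self._records[employee_id] = (name.casefold(),
                                      self._tag(employee_id, last4))

    def verify(self, employee_id, name, last4):
        now = self._clock()
        count, locked_until = self._failures.get(employee_id, (0, 0.0))
        if now < locked_until:
            return False      # locked out: same answer as a wrong guess
        known = employee_id in self._records
        stored_name, stored_tag = self._records.get(
            employee_id, ("", b"\x00" * 32))
        # Constant-time compare, done even for unknown IDs.
        ok = hmac.compare_digest(stored_tag, self._tag(employee_id, last4))
        ok = ok and known and stored_name == name.casefold()
        if ok:
            self._failures.pop(employee_id, None)
            return True
        count += 1
        if count >= MAX_ATTEMPTS:   # start lockout and reset the counter
            self._failures[employee_id] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[employee_id] = (count, 0.0)
        return False
```

Unknown employee IDs, wrong digits and locked-out accounts all produce the same False, so the help desk tech or employee using the app learns nothing beyond "it's valid or it's not".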
