most corporate helpdesks i'm aware of have used either the user's employee number or, where applicable, badge/ID number. where i am, i have the luxury of knowing my coworkers by sight and voice, so when they ask me for a reset, i know who i'm dealing with. (advances in cloning technology may obsolete this method, however...)
my personal preference is to establish with the user a confirmation code/phrase which is tied to their login (stored in an IT-only database or tied into Active Directory's structure). somewhat analogous to another poster's "security question" used with ISPs. as a very last resort, faxing identification would work as well, though it'd be tedious and a lot more hassle than the above method.

cheers,
--bmc

-----Original Message-----
From: Robert Sieber [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: How to authentificate an user via telephon?

Hello colleagues,

imagine the following situation: User calls the helpdesk to reset/alter some kind of account-password (NT, RAS, PKI-PIN ...) and you have to determine whether the user is the correct (owner of the account) user. What would you do to authenticate the user's identity? What are good methods to do this? It should be easy for the user but secure for the administration.

Robert
--
http://board.protecus.de - Firewalls, Security and more ...
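The confirmation-phrase check suggested in the reply above, sketched as an added example that is not part of the original thread. The `PhraseStore` class, the in-memory dict standing in for the IT-only database, the PBKDF2 iteration count and the three-failure escalation threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_FAILURES = 3          # assumed escalation threshold, not from the thread
PBKDF2_ROUNDS = 600_000   # assumed work factor; tune for your hardware


def normalize(phrase: str) -> bytes:
    """Fold case, Unicode form and spacing: the phrase is spoken, then typed by the agent."""
    text = unicodedata.normalize("NFKC", phrase).casefold()
    return " ".join(text.split()).encode("utf-8")


def derive(phrase: str, salt: bytes) -> bytes:
    """Salted slow hash, so the database never holds the phrase itself."""
    return hashlib.pbkdf2_hmac("sha256", normalize(phrase), salt, PBKDF2_ROUNDS)


class PhraseStore:
    """Hypothetical stand-in for the IT-only database keyed by login."""

    def __init__(self):
        self._records = {}   # login -> (salt, digest)
        self._failures = {}  # login -> consecutive failed checks

    def enroll(self, login: str, phrase: str) -> None:
        salt = os.urandom(16)
        self._records[login] = (salt, derive(phrase, salt))
        self._failures[login] = 0

    def verify(self, login: str, spoken: str) -> str:
        """Return 'ok', 'mismatch', or 'escalate' (unknown login or too many failures)."""
        record = self._records.get(login)
        if record is None or self._failures[login] >= MAX_FAILURES:
            return "escalate"  # fall back to a stronger check, e.g. the faxed ID
        salt, digest = record
        # Constant-time comparison of the derived values
        if hmac.compare_digest(derive(spoken, salt), digest):
            self._failures[login] = 0
            return "ok"
        self._failures[login] += 1
        return "mismatch"
```

Because only a salted digest is stored, a helpdesk agent can confirm a phrase but cannot read one back to a caller, and repeated wrong guesses push the call to the slower fallback rather than allowing unlimited tries.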
