Hello Gene, but that solution will fail for a person-target attack... I can find with little effort the ssn & birthdate of a target person and pretend to be her/him.
I suppose the callback solution is better, although it has its flaws 8-(

cheers,
/valter

On Wed, 2002-12-04 at 17:27, Gene Barlow wrote:
> Robert,
>
> Currently, I'm in the process of getting approval on a new procedure
> for doing just that. If approved, we'll write a script that will query
> the last 4 digits of the user's ssn & birthdate against our ERP software.
> So, for instance, if John Doe calls and requests a password change,
> we'll ask for the last 4 digits of the ssn and their birthdate, type it
> in the script, and see if that user's name is returned in the response.
> If so, we know (hopefully) that the user is who he says he is...
>
> Hope this helps...
> Gene...
>
> Robert Sieber wrote:
>
> >Hello colleagues,
> >
> >imagine the following situation:
> >
> >User calls the helpdesk to reset/alter some kind
> >of account-password (NT, RAS, PKI-PIN ...) and you
> >have to determine whether the user is the correct
> >(owner of the account) user. What would you do
> >to authenticate the user's identity?
> >
> >What are good methods to do this? It should be
> >easy for the user but secure for the administration.
> >
> >
> >Robert
> >

--
Valter Santos [EMAIL PROTECTED]
http://devfusion.net/~vsantola/keys/
