You know, maybe I'm paranoid/delusional, but I'd never use SSN (or part thereof) or 
birth date as authenticators.  

First of all, I believe that the SSN _should_ be highly private and restricted 
information.  The only people who should be able to access this data are HR people 
with a need to know.  Also, consider this: how much can you reasonably trust your help 
desk staff?  Aren't these staff the most likely and susceptible targets for "social 
engineering" in your IT organization?

Second of all, the reality is that most people are just too casual about disclosing 
their SSN and birth date for me to have any confidence that possession of these facts 
is reasonable proof of identity.  Any time you try to talk to any vendor about your 
account you are forced to supply some combination of your SSN (or the last 4 
characters), and your birth date, phone number, address, and/or zip code.  Don't you 
think the hackers know this?  How long do you think it would take a hacker to social 
engineer this info?

I believe that password changes should be done in person.  If this is impossible, the 
help desk should call back the user at his "of record" office, home or cellular phone 
number with 1/2 the new password, and then call that user's supervisor with the other 
half.  Presumably, the supervisor would know his employee sufficiently to be able to 
determine authenticity before supplying the second half of the new password.  The new 
password would be good for one use, at which time the user would pick his own, new 
password.

-- Mark