Hi All,

Currently our service desk takes calls from internal customers who need their passwords reset. To be in compliance with various initiatives, they'd like a way to validate a user's identity. Basically they want to prevent Bob from calling in, having John's password reset, then gaining access to John's stuff.

Methods which aren't working for them are:

* Email from person's manager - Requires involvement from an additional person, who may not be available, potentially delaying a password reset which is needed immediately.
* Phone extension - Any caller could potentially call from another user's phone, or a phone not in our database, such as a cell phone.
* Last 4 of a person's SSN - Can be used to falsely verify a person's identity for credit applications, etc.
* Payroll Employee ID - ID is viewable by too many groups right now, with no auditing to establish who specifically has viewed this. Many employees are not aware of their IDs. Temps don't have payroll employee IDs.
* Date of Birth - Can be used in conjunction with a person's name to generate a DL# in many states, using a publicly available algorithm.
* User selected question (first pet, favorite color, mother's maiden name, etc.) - Does not currently exist, and would require user involvement prior to their password having been locked.

I'm sure others have run into this problem, and I am wondering how your Service Desks authenticate their customers' identities.

Eric Cleereman