Hi All,

Currently our service desk takes calls from internal customers who need
their passwords reset.  To be in compliance with various initiatives,
they'd like a way to validate a user's identity.  Basically they want to
prevent Bob from calling in, having John's password reset, then gaining
access to John's stuff.

Methods which aren't working for them are:

*       Email from person's manager - Requires involvement from an
additional person, who may not be available, potentially delaying a
password reset which is needed immediately.

*       Phone extension - Any caller could potentially call from another
user's phone, or a phone not in our database, such as a cell phone.
        
*       Last 4 of a person's SSN - Can be used to falsely verify a
person's identity for credit applications, etc...
        
*       Payroll Employee ID - ID is viewable by too many groups right
now, with no auditing to establish who specifically has viewed this.
Many employees are not aware of their IDs.  Temps don't have payroll
employee IDs.
        
*       Date of Birth - Can be used in conjunction with a person's name
to generate a DL# in many states, using a publicly available algorithm.
        
*       User selected question (first pet, favorite color, mother's
maiden name, etc) - Does not currently exist, and would require user
involvement prior to their password having been locked.

I'm sure others have run into this problem, and I am wondering how your
Service Desks authenticate their customers' identities.

Eric Cleereman

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"