I also work in the Financial area so I understand your concerns.  In the past, we have 
made the employee's supervisor make the call to request the change.  Then the password 
was emailed to the supervisor, not the employee.  The supervisor (as an agent of the 
corporation) has the right to request a password change at any time so there were no 
privacy concerns and as it was emailed back to the supervisor, we knew only the 
supervisor would get the response.  This also has a nice side effect of having users 
be more careful with their passwords; they want as little involvement from their 
supervisors as possible.  It significantly cut down on calls.  It can become difficult 
and you will get some complaints from supervisors, but all in all it was more 
effective than nothing.  The company that instituted this system is still using it as 
far as I know.  I have moved on to other ventures.

>>> "Robert Sieber" <[EMAIL PROTECTED]> 12/4/2002 1:50:54 PM >>>
Thanks for all replies! 

For me it is a very hard question because I don't 
know where all of the up to 20.000 clients are 
located - there are also RAS users with tokens
or PKI chipcards. The other problem is that all
clients are employed by bank institutes and so 
passwords are more critical than in other cases.

I thought about the following procedures:

- help desk has two telephone numbers
- the client will get a call back from help
desk

Well, let's see.

Robert

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 4, 2002 18:43
> To: Robert Sieber; [EMAIL PROTECTED]
> Subject: RE: How to authentificate an user via telephon?
> 
> 
> Robert,
> 
> In a past life we would send the new password to a known email address
> for the person whose account is reset. If email is not available we
> would leave the reset password on the user's voice mail.  Both systems
> would only be accessible by the person whose account is reset.  If
> someone other than the owner of the account requests a reset, the
> account is still safe, assuming email and vmail are secure.
> 
> Bryan
> 
> -----Original Message-----
> From: Robert Sieber [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 12:50 PM
> To: [EMAIL PROTECTED]
> Subject: How to authentificate an user via telephon?
> 
> Hello colleagues,
> 
> imagine the following situation:
> 
> User calls the helpdesk to reset/alter some kind
> of account-password (NT, RAS, PKI-PIN ...) and you 
> have to determine whether the user is the correct 
> (owner of the account) user. What would you do
> to authenticate the user's identity?
> 
> What are good methods to do this? It should be
> easy for the user but secure for the administration.
> 
> 
> Robert
> 
> -- 
> http://board.protecus.de - Firewalls, Security and more ...
>  
> 
> 
> 
> 