How about simply adding the user's pager/mobile to his account metadata,
and pushing out the new password as a text message on request?
[EMAIL PROTECTED] wrote:
>Date: 12 July 2002
> To: I0001089 EXTERNAL
>From: John Hanson GBSAFE00 SFWY2-3, atrium SW
>
>Subject: RE: Methods for distributing passwor
>
>Problem with this solution alone is the potential breach of segregation
>of duties, i.e. where high value/risk activities are controlled by having
>employees only Requisition a change and Supervisors only Authorise.
>
>Giving employee password to Supervisor allows them to Requisition as well
>without the risk of involving the employee in collusion.
>
>--------------------------------------------------------------------------
>
> Date: July 12, 2002
> From: Burton M. Strauss III {SMTP:[EMAIL PROTECTED] -
>EXTERNAL
> To: [EMAIL PROTECTED] -
> cc: [EMAIL PROTECTED] -
> Subject: RE: Methods for distributing password change info to disconn
>------------------------------------------------------------
>One way to do this is to push it out to the direct supervisor.
>
>I.e. user x calls in, you perform some validation and then send the new
>password (securely) to their direct supervisor.
>
>User then has to contact the supervisor to retrieve the new password.
>Which, of course, you then force them to change.
>
>It tends to make people remember passwords (or write them down, but that's
>another issue), since there is nothing quite like calling your boss and
>giving him/her a brass plated opportunity to remind you how stupid you are.
>Besides, that's the one individual in the organization who probably CAN
>reliably id somebody.
>
>-----Burton
>
>-----Original Message-----
>From: Led Slinger {mailto:[EMAIL PROTECTED]}
>Sent: Thursday, July 11, 2002 10:24 AM
>To: [EMAIL PROTECTED]
>Subject: Methods for distributing password change info to disconnected
>users
>
>
>Looking to see if anyone has a new and unique trick for distributing
>passwords to users that request to have their password reset remotely.
>I am basically referring to Enterprise Directory passwords. We have
>many users in many locations around the globe and it is not practical to
>hand carry every password to a user when she/he forgets theirs. Since
>Email is tied to ED as well, we cannot provide the password through that
>system and the fact that not all of our sales force and consultants have
>voicemail, it makes it difficult to distribute it to them that way as
>well. We have a 24x7 Call Center but then you run into the problem of
>trying to authenticate voices over the phone, and with 7000+ possible
>voices probably not feasible either. We've thought about obscure web
>links that are one time use but it comes right back to authenticating
>the individual that is calling. We've even considered using some type
>of token device with the thought that providing them a password over the
>phone would be fairly safe if the corporate authentication were
>two-factor, but if I copped a briefcase with the business cards and
>token inside, I could probably devise a social engineering plot to get
>in. Am I simply trying too hard to cover every conceivable issue that
>MAY arise or is there a better, cheaper, and equally effective plan out
>there?
>
>Thanks in advance for any help you can provide
>
>Leds!
>
>--
>There's nothing wrong with Windows until you install it........
>
>
>
>
> John Hanson
> Information Security