That seems rather insecure. What if (s)he's left the mobile somewhere and
didn't realize it? Someone could pick it up and then would have the
password.
----- Original Message -----
From: "Johan De Meersman" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, July 15, 2002 10:01 AM
Subject: Re: Methods for distributing pas
> How about simply adding the user's pager/mobile to his account metadata,
> and pushing out the new password as a text message on request?
>
> [EMAIL PROTECTED] wrote:
>
> >Date: 12 July 2002
> > To: I0001089 EXTERNAL
> >From: John Hanson GBSAFE00 SFWY2-3, atrium SW
> >
> >Subject: RE: Methods for distributing passwor
> >
> >Problem with this solution alone is the potential breach of segregation
> >of duties, i.e. where high value/risk activities are controlled by having
> >employees only Requisition a change and Supervisors only Authorise.
> >
> >Giving employee password to Supervisor allows them to Requisition as well
> >without the risk of involving the employee in collusion.
> >
> >--------------------------------------------------------------------------
> >
> > Date: July 12, 2002
> > From: Burton M. Strauss III {SMTP:[EMAIL PROTECTED] -
> >EXTERNAL
> > To: [EMAIL PROTECTED] -
> > cc: [EMAIL PROTECTED] -
> > Subject: RE: Methods for distributing password change info to disconn
> >------------------------------------------------------------
> >One way to do this is to push it out to the direct supervisor.
> >
> >I.e. user x calls in, you perform some validation and then send the new
> >password (securely) to their direct supervisor.
> >
> >User then has to contact the supervisor to retrieve the new password.
> >Which, of course, you then force them to change.
> >
> >It tends to make people remember passwords (or write them down, but that's
> >another issue), since there is nothing quite like calling your boss and
> >giving him/her a brass plated opportunity to remind you how stupid you are.
> >Besides, that's the one individual in the organization who probably CAN
> >reliably id somebody.
> >
> >-----Burton
> >
> >-----Original Message-----
> >From: Led Slinger {mailto:[EMAIL PROTECTED]}
> >Sent: Thursday, July 11, 2002 10:24 AM
> >To: [EMAIL PROTECTED]
> >Subject: Methods for distributing password change info to disconnected
> >users
> >
> >
> >Looking to see if anyone has a new and unique trick for distributing
> >passwords to users that request to have their password reset remotely.
> >I am basically referring to Enterprise Directory passwords. We have
> >many users in many locations around the globe and it is not practical to
> >hand carry every password to a user when she/he forgets theirs. Since
> >Email is tied to ED as well, we cannot provide the password through that
> >system and the fact that not all of our sales force and consultants have
> >voicemail, it makes it difficult to distribute it to them that way as
> >well. We have a 24x7 Call Center but then you run into the problem of
> >trying to authenticate voices over the phone, and with 7000+ possible
> >voices probably not feasible either. We've thought about obscure web
> >links that are one time use but it comes right back to authenticating
> >the individual that is calling. We've even considered using some type
> >of token device with the thought that providing them a password over the
> >phone would be fairly safe if the corporate authentication were
> >two-factor, but if I copped a briefcase with the business cards and
> >token inside, I could probably devise a social engineering plot to get
> >in. Am I simply trying too hard to cover every conceivable issue that
> >MAY arise or is there a better, cheaper, and equally effective plan out
> >there.
> >
> >Thanks in advance for any help you can provide
> >
> >Leds!
> >
> >--
> >There's nothing wrong with Windows until you install it........
> >
> >
> >
> >
> > John Hanson
> > Information Security
> >
> >
> >