The best methods I have used were the following: - The helpdesk has a "secret-passphrase" kept in a database. The users define their own passphrase on account creation. Any changes to their account require successfully providing the passphrase.
As this method was used by a business ISP, if the user had lost/forgotten the phrase, the helpdesk referred the request to the account manager, who contacted the customer and helped them get their changes made. - In a corporate environment, the help desk would reset the user's password with a onetime password, this password would be left in the user's voicemail. As Voice-mail is reachable from anywhere in the world, this worked for traveling users as well. Hope this helps... duane ========== Duane Hay Senior Security Consultant AT&T Canada -----Original Message----- From: Robert Sieber [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 1:50 PM To: [EMAIL PROTECTED] Subject: How to authentificate an user via telephon? Hello colleauges, imaging the following situation: User calls the helpdesk to reset/alter some kind of account-password (NT, RAS, PKI-PIN ...) and you has to determin wheter the user is the correct (owner of the account) user. What would you do to authentificate the users identity? What are good methodes to do this? It should be easy for the user but secure for the administration. Robert -- http://board.protecus.de - Firewalls, Security and more ...