Account Verification for Users

[kickarse]

So I've got this dilemma in trying to figure out a policy on how to verify users over the phone for resetting and unlocking them from various network resources.

I'm curious on what others do. We already have their last 4 of their social and figure that's probably good enough.

Any thoughts?

[VaKo]

Ask each user to setup secret 5 questions and when they need to be verified ask for 2 random answers? Its how ALU manage intranet passwords.

[kickarse]

Well, that's a great idea but we all know how users are, they'll forget the questions/answers they created and they won't be created with the security in mind.

I wonder if it'd be more appropriate to create a set of questions for them, like banks do. Perhaps five questions and randomize them when they call in as suggested. Store it in AD and create a script/program to query the list.

[VaKo]

If that fails, they call their boss and ask it to vouch for the user, boss calls you, explains situation and you call them back on a company line, and that line only. Beyond that, you probally need to start chipping your users.

[digip]

At my workplace we have a list of "verify" questions that all employees must fill out. Its bacially 5 perosnal questions, where were you born, mothers maiden name, when were you born, first grade school name, and last 4 of social. Then when you call the help desk to reset a password, they ask you two of the five questios, along with what is your employee ID number. No one should ever know your employee ID number since you use it to login to things, and is part of the way they look up your questions. This way, giving them a name alone does not let them change your password if you don't know the employees ID number.

[Razor512]

just use good security and recommend users make a strong password then put a captcha to complete the login (the captcha will be visible for right and wrong passwords )

if you make things too complicated for users, they will move somewhere else for services, just put ample warning on making a strong password, that removes liability if they make a weak one

[VaKo]

And how does one add a captcha to an AD login prompt, and how does this help verify the user is who they claim to be?

[kickarse]

If that fails, they call their boss and ask it to vouch for the user, boss calls you, explains situation and you call them back on a company line, and that line only. Beyond that, you probally need to start chipping your users.

Think they'll go for me putting a RFID under their skin? lolz...

I think the best thing is definitely a random set of questions. Nobody remembers their employee number.

[preciousroy]

Depending on how your company is set up and how secure you have to be a good idea might be to keep the company phone directory handy, tell them to give you their full name and return to their desk and call them BACK at their extension. Don't let them give you their extension, take it from the directory. Also, if each user has a PC with an asset tag number that's associated with their name, you can base it on that. Have them read the tag number over the phone.

There's a question about exactly this on a Microsoft certification prep that tells you the correct answer is to remote in and set the password for what they want on their say so. Goes to show you that not everyone is thinking about security.

[Razor512]

if companies can use captchas like this, it will stop random people from making accounts for no reason,

or if possible if you can get someone to make a captcha system to show random pictures and ask a question like "Is the cat in this picture, cute?" it will help and it will also cause new technology to be developed because spam companies and hackers will have to develop a cute cat detecting program (then it can be reverse engineered and added to google image search ) that way no matter which search you make, you can be sure to always find the cute cat pictures available in any search you make

there many tutorials on adding basic captchas to your site

http://webcheatsheet.com/php/create_captcha_protection.php

but it is never really enough info available and no way of telling if the captcha system has been compromised until you test it out and find a million spam bots advertising weight loss pills

if your running a business, don't skimp on it, get someone who is a professional to do a login system thats secure for your site,

[kickarse]

It's not going to be for users to create their own accounts. It to verify already existing accounts Razor. I thought I mentioned that it was for user verification over the phone.

[Razor512]

It's not going to be for users to create their own accounts. It to verify already existing accounts Razor. I thought I mentioned that it was for user verification over the phone.

well for user verification over the phone nothing beats an actual human who has been trained to understand social engineering

just remember, phone traffic is not really encrypted, (no SSL :) )

and sadly what makes us who we are, is just a few numbers and anyone with those numbers can become you, and take out a loan to buy a personal space station :)

most companies that to verification over the phone will often ask for account holders name, phone number and mailing address and often nothing else.

and it is often little or no security because when I did a verizon speed upgrade for someone (a while back verizon used to give 768k down and 128k up, even though verizon now offers 3mbit if you had a 768k account they would not increase your speed to the new standard unless you can and request it and they do it free of charge. well when I was doing it for a friend (she didn't like dealing with these companies and wanted me to do it for her) so i called, and gave the phone number and address, then when they asked for the account name I gave her name and guess what, even though I am a male and have a male voice, they called me by her name and said things like mam and miss

as far as the outsourced workers could tell, I was her

phone security is often very weak and since your dealing with another human who often doesn't understand security, you are not allowed to give out certain pieces of personal info because the workers are not at a level where you can trust them with it

unless you want to verify by credit card number in which case if a malicious user gets that info, things cant get much worst, they already have your money.

[kickarse]

Razor, I still don't think you understand.

We're verifying our domain users over the phone. We don't have access to their personal account information. We'd like to not have to even know their employee number or last four of their ssn (because honestly if you know where they were born up you can gather the rest of the numbers).

We're just trying to come up with a more secure way to go "Ok you are who you say you are I'll unlock your account/reset your password to the domain/program/web site/etc". Instead of the "Hi this is Mark Smith" and me thinking "hmm... sounds like Mark I guess it's him".

We're probably going to be going with a solution like the password reset self solution from SpecOps http://www.specopssoft.com/products/passwo...self%20service/

But we still need something in place for those times when we can't just do a domain unlock. However, we do have a intranet based ticket system in place. This could provide the solution for that since its based on domain rights to get to the page, then they can request securely for things other than network access.

Also, I'm not too worried about people tapping our phones externally. If it was a wireless phone maybe.

[VaKo]

That reset solution from SpecOps looks interesting, thanks for the heads up.

I still think picking random questions from a pre-defined list would be the most simple way of doing things over the phone, get HR to approve it and work with them to set it it and it should cover most eventualities. Just don't choose questions you can search facebook for.