
Verifying passwords from the Help Desk

How can you verify password changes from the Help Desk if you physically cannot see the person or validate their identity?

Good question! It is rather easy for someone to use what is known as social engineering to call the help desk and have someone's password reset. Then they have a way to log in and at the same time deny the legitimate user access.

This has been "solved" in several ways in the corporate environment. Some of the solutions are better than others. One way is to ask the person to provide some "secret" information to authenticate who they are. Many places use Mother's Maiden Name (MMN) for this secret. Others use the last four digits of the user's Social Security Number (SSN). Both of these may be sufficient if the information to be gained is of marginal value, such as retrieving the password for access to a Web site. However, for access to a corporate network, this probably is not of much value, as MMN and SSN are not all that hard to obtain.

One method that has proven successful is to have the help desk look up the phone number for the user in the company database. They then instruct the user not to answer the next phone call, but let it go to voice mail. Then, the help desk calls the person at their phone number of record and leaves the new password in their voicemail. This way the user must authenticate to the voicemail system in order to get the password.

Is this method perfect? By no means is it perfect. However, it does have the advantage of using another "secure" (as secure as your voicemail system might be) system to do the authentication that cannot be accomplished by face-to-face meeting.
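One way to encode that process in a help-desk tool, as an added example that is not part of the original answer: the delivery number comes only from the directory of record, never from the caller (a mismatch with what the caller claims is logged as a warning), the temporary password is random, one-time, short-lived and must be changed at first login, and every decision leaves an audit entry. The directory contents and the voicemail hand-off are constructed placeholders.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample directory of record (username -> phone number on file).
DIRECTORY = {"jdoe": "+1-555-0100"}

@dataclass
class ResetRecord:
    username: str
    temp_password: str
    expires_at: datetime
    must_change: bool = True   # user must pick a new password at first login
    used: bool = False         # temporary password is one-time

@dataclass
class HelpDesk:
    directory: dict
    delivered: list = field(default_factory=list)  # (phone, password) handed to voicemail
    audit: list = field(default_factory=list)      # (event, username, detail)

    def reset_password(self, username, caller_claimed_phone=None, now=None):
        """Issue a temporary password and route it only to the number of record."""
        now = now or datetime.now(timezone.utc)
        phone = self.directory.get(username)
        if phone is None:
            self.audit.append(("reject", username, "unknown user"))
            return None
        # A caller-supplied number is never used for delivery; a mismatch is logged
        # because it is a classic social-engineering signal worth reviewing.
        if caller_claimed_phone is not None and caller_claimed_phone != phone:
            self.audit.append(("warn", username, "caller number differs from record"))
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(12))
        record = ResetRecord(username, temp, now + timedelta(hours=1))
        self.delivered.append((phone, temp))  # hypothetical voicemail hand-off
        self.audit.append(("reset", username, phone))
        return record

def login_with_temp(record, supplied, now=None):
    """Accept the temporary password once, and only before it expires."""
    now = now or datetime.now(timezone.utc)
    if record.used or now >= record.expires_at:
        return False
    if not secrets.compare_digest(record.temp_password, supplied):
        return False
    record.used = True
    return True
```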


This was last published in February 2002
