User Authentication / Verification

Jer
Greetings,

We're looking to change our network password change policy to a more-or-less standard MS best practice.  As a result, we, the IT department, will no longer know user passwords.  The problem is that previous passwords were a means of user identification/verification/authentication.  Thus, we need a new method.  We had proposed using the last 4 digits of the user's SSN, but that was rejected.  I do see that there are some software/application solutions out there.  However, I'd like to see what other people/companies are doing.  Anyone have a recommendation?  I tried to do a search, but the results were all over the place and not related.

Thanks,

Jer.
Why do you need to know a user's password? The whole point of a password is so that one user has access and no one else does - what good is tracking if multiple people use the account?

If you need access to the account, for whatever reason, you could either ask the user to log in, or if they are on long term sick, reset their password, log in to do whatever, then set their password to be changed at next login.

In my company, a user chooses whatever password they want. If I need to do something, I go on as an admin account, or if the user is having issues, I'll have them log in so I can see the issue. This can be worked around with Remote Assistance, but that isn't always practical.
Sikhumbuzo Ntsada, IT Administration

Commented:
A simple solution I used was: user@company for all the users except the management.
I agree, IT should not know the user's password; otherwise the point of accountability fails. The password was only known to you, therefore we have come to the conclusion that the following activity was performed by you.

Now the user can claim that IT must have used his account. I know this is an extreme case, but it could happen at the most unlikely of times.

Mike Thomas, Consultant
Top Expert 2010

Commented:
You can verify users as simply as calling them back on a known telephone number, or getting the reset request emailed by a line manager, or a combination of both... or you could just get to know the users and have them pop in face to face (difficult with large multi-site companies, I know, but I have never known a large multi-site company to use a password policy like the one you are using).


Jer

Author

Commented:
Um.  There seems to be some considerable confusion here.  I do not want to know passwords.  That is the reason for the change in practice.  However, as stated, since we did know previous passwords, we were able to use them to verify a caller.  Thus, I'm looking for suggestions for a way to verify the caller (without having to manufacture a secret question for each user).  We have over 400 users in 14 states, and most are mobile.  Again, the sole purpose of this inquiry is to identify what people are doing in the real world to address user verification for password resets.

Thank you,

Jer
Thomas WERNHER, Configuration Manager

Commented:
Electronic ID or SSO pass could be great, no?
A unique ID with a specific hash they plug in on demand to verify...
Most financial companies use ID&V systems (Identification and Verification).
They have to set up a secret key/passcode, whatever you call it.

Every time they log a call, you ask them for two random positions from their key/passcode.
This could be their staff number.
Or you can just ask them for their staff number to verify against their date of birth.
Some companies also use AD front-end tools which give you the option to configure questions for the user, so when they log in for the first time it will ask them to answer the questions.

Try Quest Active Roles for this purpose i find it quite good
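The "ask for two random positions of a passcode" scheme described in the comment above, as an added Python example; this is not code from the original thread, from Quest Active Roles, or from any other product named on the page. The passcode length, the pepper, the lockout threshold, the staff number and the enrolled passcode are all constructed for the example. The security-relevant point is that the help-desk operator only ever sees two challenged positions and a yes/no result: each position is stored as a separate keyed hash, so neither the operator nor a copy of the enrollment table holds the full passcode.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Server-side pepper (assumption): in a real deployment this comes from a
# secrets store or HSM and is never stored with the enrollment table.
# Derived from a fixed string here only so the example runs stand-alone.
PEPPER = hashlib.sha256(b"example-pepper-not-for-production").digest()
PASSCODE_LENGTH = 8     # assumed policy: 8 alphanumeric characters
MAX_FAILURES = 3        # assumed lockout threshold for help-desk verification


def _position_digest(pepper: bytes, salt: bytes, index: int, char: str) -> bytes:
    """Keyed hash of one passcode character, bound to its position and the user's salt."""
    msg = salt + index.to_bytes(1, "big") + char.encode("ascii")
    return hmac.new(pepper, msg, hashlib.sha256).digest()


@dataclass
class Enrollment:
    staff_number: str
    salt: bytes
    digests: list            # one digest per passcode position; never the passcode itself
    failures: int = 0
    locked: bool = False


def enroll(staff_number: str, passcode: str, pepper: bytes = PEPPER) -> Enrollment:
    """Store a passcode as per-position digests. Case is normalised: the operator
    types what is read out over the phone."""
    passcode = passcode.upper()
    if len(passcode) != PASSCODE_LENGTH or not passcode.isalnum():
        raise ValueError("passcode must be %d alphanumeric characters" % PASSCODE_LENGTH)
    salt = secrets.token_bytes(16)
    digests = [_position_digest(pepper, salt, i, c) for i, c in enumerate(passcode)]
    return Enrollment(staff_number, salt, digests)


def new_challenge(enrollment: Enrollment) -> tuple:
    """Pick two distinct positions (1-based, as read to the caller). Chosen by the
    system per call, never by the caller, so a caller cannot steer the challenge
    towards positions they already know."""
    picked = secrets.SystemRandom().sample(range(PASSCODE_LENGTH), 2)
    return tuple(p + 1 for p in sorted(picked))


def operator_view(enrollment: Enrollment, challenge: tuple) -> dict:
    """Everything the help-desk screen shows: who is calling and which positions
    to ask for. No secret material is included."""
    return {"staff_number": enrollment.staff_number, "ask_positions": challenge}


def verify(enrollment: Enrollment, challenge: tuple, answers: list, pepper: bytes = PEPPER) -> bool:
    """Check the caller's answers for the challenged positions. Every mismatch
    counts towards lockout; a locked enrollment always fails."""
    if enrollment.locked:
        return False
    ok = len(answers) == len(challenge) and all(len(a) == 1 for a in answers)
    if ok:
        for pos, ans in zip(challenge, answers):
            expected = enrollment.digests[pos - 1]
            got = _position_digest(pepper, enrollment.salt, pos - 1, ans.upper())
            # Constant-time compare; keep going over every position so timing does
            # not reveal which of the two answers was wrong.
            ok = hmac.compare_digest(expected, got) and ok
    if ok:
        enrollment.failures = 0
        return True
    enrollment.failures += 1
    if enrollment.failures >= MAX_FAILURES:
        enrollment.locked = True
    return False


if __name__ == "__main__":
    # Constructed enrollment: staff number and passcode are sample values.
    e = enroll("S12345", "7qh4k9m2")
    ch = new_challenge(e)
    print("operator sees:", operator_view(e, ch))
    print("correct answers accepted:", verify(e, (2, 5), ["Q", "K"]))
    print("wrong answer rejected:", verify(e, (2, 5), ["Q", "X"]))
```

Two caveats a practitioner should weigh before adopting this. A single alphanumeric character has only 36 possibilities, so anyone holding both the enrollment table and the pepper can brute-force every position in moments; the per-position hashing protects against the operator and against a database copy without the pepper, not against a full server compromise, which is why the pepper must live outside the database and why the lockout counter is load-bearing rather than decorative. Second, each call leaks two more positions to a persistent impostor, so the scheme belongs alongside, not instead of, the callback-to-a-known-number and line-manager-confirmation suggestions made earlier in the thread.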

Jer

Author

Commented:
Due to the additional research, I've delayed this project a bit.  Still considering options.
Jer
Commented:
Just an FYI...  We ended up looking at PortalGuard and myPassword and ended up going with myPassword.  Very robust package for decent pricing.
Jer

Author

Commented:
Sorry for the delay in closing this question.  Javed, thanks for the suggestions.  While I didn't use them (directly), at least you attempted to answer the question with pertinent/realistic information.
Thanks
