Verifying user for password changes

General discussion

Creator

Topic
March 3, 2005 at 12:25 pm #2176724

Verifying user for password changes

Locked

by gralfus · about 18 years, 3 months ago

How do you go about verifying that the user on the other end of the phone is who he/she claims to be? Because of HIPAA compliance, we are currently redrafting our policy and are trying to balance expediency with security. We can’t have people sitting around idle until we can verify them, but at the same time we need a really good method of determining this. I suppose we could have their supervisor send us an email requesting it, but then the early morning folks have to wait around a couple of hours.

This conversation is currently closed to new comments.
Creator

Topic

All Comments

Author

Replies
- March 3, 2005 at 12:49 pm #3330646
  
  Early morning folks
  
  by jdclyde · about 18 years, 3 months ago
  
  In reply to Verifying user for password changes
  
  can learn to remember their passwords like everyone else. Never get the impression that just because they forgot something that YOU are the hold up.
  
  I would strongly recommend the supervisor e-mail. This will do a few things for you.
  
  1) you will have an official notice of work to do.
  2) This will encourage users to remember passwords as it isn’t a quick easy fix to get back in. The less the consequences for making a mistake the more likely someone is to make them. If it is a pain everytime somethine happens, they will avoid this happening because it inconveninces THEM.
  
  Just remember, it isn’t YOUR fault they can’t get in. It is their fault and you are willing to help them resolve THEIR issue that they created but only in a secure and orderly fashion.
  - March 3, 2005 at 1:42 pm #3330615
    
    Agreed
    
    by stress junkie · about 18 years, 3 months ago
    
    In reply to Early morning folks
    
    Forgetting a password or failing to reset their password before it exprires is the user’s fault. If they come in to work before tech support then they assume the risk that they could be idle until tech support arrives. Hopefully you DO have notification of imminent password expiration. It’s built into every multi-user operating system that I’ve used.
- March 3, 2005 at 1:29 pm #3330623
  
  Who are these users
  
  by jdmercha · about 18 years, 3 months ago
  
  In reply to Verifying user for password changes
  
  Are they customers or employees? Are there that many of them that you do not know them all? Do you have access to their personal information? (Can you verify their SSN or something else?) Can you establish a security question? How far away are they? Can they stop by the help desk and show their ID? How’s building access controlled? Can non-employees get in the building?
  - March 3, 2005 at 1:43 pm #3330614
    
    Gobs of ’em
    
    by gralfus · about 18 years, 3 months ago
    
    In reply to Who are these users
    
    We have over 3000 users on the domain, many of whom think rebooting a PC means hitting the power button.
    
    They are physically located all over the county. Right now we are going to give them their temporary password on their voicemail, and prompt them to change it at login. If they are whom they claim to be, then they can get it from their own voicemail. If they don’t have voicemail, then we leave it on their boss’s voicemail. Or they can come in personally and show their ID.
    
    It isn’t flawless, but it should work.
- March 3, 2005 at 1:51 pm #3330607
  
  If all users are at the same site
  
  by stress junkie · about 18 years, 3 months ago
  
  In reply to Verifying user for password changes
  
  This won’t work if you have users scattered over a large geographic range AND have all of the tech support people in one location … but one system that I’ve seen used at several large corporations for users in the same building as the tech support people is to have the user come to the tech support person’s office to have their new password given to them. In a large organization people have to provide some proof of identity to obtain the new password. This really works. Optionally the tech support person could go to the user’s office to give them their new password.
  
  There are times to bend over backwards to accommodate end users but there are also times when the end users have to accommodate tech support requirements. If you read my other posts you will see that I am generally all about providing service to the end users. This, however, is a security issue and it is preventable by the end users. If they change their passwords before they expire and if they remember their passwords then this situation won’t even happen. So we’re talking about a problem that the end user brings onto himself. So a preventable security issue that is caused by the end user means that the end user will have to follow a procedure that may be a little bit inconvenient.
  - March 3, 2005 at 3:44 pm #3330538
    
    Both ways
    
    by dafe2 · about 18 years, 3 months ago
    
    In reply to If all users are at the same site
    
    In addition to your comments I’d offer up a spot audit.
    
    We reset passwords at the users request at all times (Customer Service). We follow up with an E-Mail confirming the request & CC the users supervisor.
    
    It gives the user & the supervisor 7 days to dispute the services provided.
    
    It’s important to remember in our case…user ID’s a cryptic to begin with & we’re talking about GENERAL users.
    
    Users of critical systems & infrastructure are required to put ALL security related requests in writing through their supervisor. It’s clearly stated in the AUP’s they sign off on……..most have only ‘forgotten’ their password about once a year. 🙂
- March 4, 2005 at 1:02 pm #3329775
  
  I work for a large health care provider…..
  
  by notsochiguy · about 18 years, 3 months ago
  
  In reply to Verifying user for password changes
  
  …and have some of the same HIPAA compliance issues.
  
  In terms of password resets, all requests must come to our help desk. The help desk will then require written authorization (e-mail or fax) from the associates immediate supervisor.
  
  At first, there was grumbling…but when people started catching on that their supervisors would be involved in any password resets, their memories magically seemed to improve.
  
  Stand firm in the fact that you are not there to give associates what they want…you are there to provide the employer with what is needed…and if you are dealing with confidential information, what is needed above all else is stringent security procedures!
Author

Replies

Viewing 3 reply threads

Start or Search

Start New Discussion

Cybersecurity demands and the stakes of failing to properly secure systems and networks are high. While every organization’s specific security needs form a unique and complex blend of interconnected requirements, numerous security fundamentals almost always apply to each of these groups. It stands to reason that cybersecurity pros who effectively identify network and systems risks ...

In this guide from TechRepublic Premium we’re going to explore the various things you can do with a Linux server. We won’t leave out any steps, so you won’t have to refer to another tutorial to complete the process. The only step we will leave out is the installation of Linux, as we’ll assume you ...

If you want to deploy applications into a Kubernetes cluster, be warned — it’s not the easiest task. There are a lot of moving pieces that go into these scalable containers. Don’t you wish you had a complete roadmap, from start to finish, to walk you through the process of deploying the Kubernetes cluster, deploying ...

Security

General discussion

Verifying user for password changes

All Comments

Early morning folks

Agreed

Who are these users

Gobs of ’em

If all users are at the same site

Both ways

I work for a large health care provider…..

Checklist: Network and systems security

How to host multiple websites on Linux with Apache

How to deploy an application with Kubernetes

Cross-training tool kit