General discussion

  • Creator
  • #2176724

    Verifying user for password changes


    by gralfus ·

    How do you go about verifying that the user on the other end of the phone is who he/she claims to be? Because of HIPAA compliance, we are currently redrafting our policy and are trying to balance expediency with security. We can’t have people sitting around idle until we can verify them, but at the same time we need a really good method of determining this. I suppose we could have their supervisor send us an email requesting it, but then the early morning folks have to wait around a couple of hours.

All Comments

  • Author
    • #3330646

      Early morning folks

      by jdclyde ·

      In reply to Verifying user for password changes

      can learn to remember their passwords like everyone else. Never get the impression that just because they forgot something that YOU are the hold up.

      I would strongly recommend the supervisor e-mail. This will do a few things for you.

      1) You will have an official notice of work to do.
      2) This will encourage users to remember passwords as it isn’t a quick easy fix to get back in. The less the consequences for making a mistake the more likely someone is to make them. If it is a pain every time something happens, they will avoid this happening because it inconveniences THEM.

      Just remember, it isn’t YOUR fault they can’t get in. It is their fault and you are willing to help them resolve THEIR issue that they created but only in a secure and orderly fashion.

      • #3330615


        by stress junkie ·

        In reply to Early morning folks

        Forgetting a password or failing to reset their password before it expires is the user’s fault. If they come in to work before tech support then they assume the risk that they could be idle until tech support arrives. Hopefully you DO have notification of imminent password expiration. It’s built into every multi-user operating system that I’ve used.

    • #3330623

      Who are these users

      by jdmercha ·

      In reply to Verifying user for password changes

      Are they customers or employees? Are there that many of them that you do not know them all? Do you have access to their personal information? (Can you verify their SSN or something else?) Can you establish a security question? How far away are they? Can they stop by the help desk and show their ID? How’s building access controlled? Can non-employees get in the building?

      • #3330614

        Gobs of ’em

        by gralfus ·

        In reply to Who are these users

        We have over 3000 users on the domain, many of whom think rebooting a PC means hitting the power button.

        They are physically located all over the county. Right now we are going to give them their temporary password on their voicemail, and prompt them to change it at login. If they are who they claim to be, then they can get it from their own voicemail. If they don’t have voicemail, then we leave it on their boss’s voicemail. Or they can come in personally and show their ID.

        It isn’t flawless, but it should work.

    • #3330607

      If all users are at the same site

      by stress junkie ·

      In reply to Verifying user for password changes

      This won’t work if you have users scattered over a large geographic range AND have all of the tech support people in one location … but one system that I’ve seen used at several large corporations for users in the same building as the tech support people is to have the user come to the tech support person’s office to have their new password given to them. In a large organization people have to provide some proof of identity to obtain the new password. This really works. Optionally the tech support person could go to the user’s office to give them their new password.

      There are times to bend over backwards to accommodate end users but there are also times when the end users have to accommodate tech support requirements. If you read my other posts you will see that I am generally all about providing service to the end users. This, however, is a security issue and it is preventable by the end users. If they change their passwords before they expire and if they remember their passwords then this situation won’t even happen. So we’re talking about a problem that the end user brings onto himself. So a preventable security issue that is caused by the end user means that the end user will have to follow a procedure that may be a little bit inconvenient.

      • #3330538

        Both ways

        by dafe2 ·

        In reply to If all users are at the same site

        In addition to your comments I’d offer up a spot audit.

        We reset passwords at the user’s request at all times (Customer Service). We follow up with an E-Mail confirming the request & CC the user’s supervisor.

        It gives the user & the supervisor 7 days to dispute the services provided.

        It’s important to remember in our case…user IDs are cryptic to begin with & we’re talking about GENERAL users.

        Users of critical systems & infrastructure are required to put ALL security related requests in writing through their supervisor. It’s clearly stated in the AUPs they sign off on…most have only ‘forgotten’ their password about once a year. 🙂

    • #3329775

      I work for a large health care provider…..

      by notsochiguy ·

      In reply to Verifying user for password changes

      …and have some of the same HIPAA compliance issues.

      In terms of password resets, all requests must come to our help desk. The help desk will then require written authorization (e-mail or fax) from the associate’s immediate supervisor.

      At first, there was grumbling…but when people started catching on that their supervisors would be involved in any password resets, their memories magically seemed to improve.

      Stand firm in the fact that you are not there to give associates what they want…you are there to provide the employer with what is needed…and if you are dealing with confidential information, what is needed above all else is stringent security procedures!
