On Tue, Jun 18, 2002 at 01:31:16PM -0700, Crispin Cowan wrote:
> So the "tell me, yes/no" hack is nearly as dangerous as having full text
> access to the password file.

What method would work better for authenticating users to tech support? Ask one of the same four questions everyone else asks? :) Billing information?

I appreciate the sentiment, but how should <service> authenticate callers? Not telling passwords to company IS staff is fine, when everyone can visually identify everyone else. Telling passwords to tech support staff one will never meet sounds like a reasonable authentication method to me, since at least I can vary my passwords per service. I might be the only one doing so, but I take the options available to me. :) (Once one's problem is fixed, one can usually also change the password at said service.)

Unless services are willing to hand out unique challenge-response tokens to users, I'm not sure I see a better solution. (I suppose those tokens could be printed right on the billing statements for added convenience.)

--
http://sardonix.org/
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 16:07:41 PDT