Password Management with challenge

Discussion in 'IT & Internet' started by northlondonitsupport, Mar 30, 2017.

  1. northlondonitsupport

    northlondonitsupport UKBF Contributor Full Member

    62 9
    Hi

    As an IT company we hold some secure passwords for clients. We have them securely held, however, as we have grown we hold quite a lot and are faced with the prospect of not recognising all our customers on the phone. I was wondering if anyone had implemented a system whereby they can identify callers by use of some kind of challenge / response system? For example, when you call a corporate, often they will take you through some security questions. Rather than hold further sensitive data, I thought perhaps if our customers had a keyword or PIN which we could ask for one or two numbers from to verify their identity quickly and securely. Any suggestions would be welcomed.

    Thanks
     
    Posted: Mar 30, 2017 By: northlondonitsupport Member since: May 25, 2010
    #1
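    The "ask for one or two digits of a PIN" idea above, written up as an added example (not code from anyone in this thread) to show the one design wrinkle it has: a single hash of the whole PIN cannot check two digits, so the record has to hold a salted hash per pair of positions. The PIN length, the lockout threshold and the sample PIN are assumptions.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

PIN_LEN = 6          # length of the PIN the customer chooses (assumed)
ASKED = 2            # digits requested per call
MAX_FAILURES = 3     # lock the record after this many wrong answers in a row
ITERATIONS = 50_000  # PBKDF2 work factor; tune upward on real hardware

def _digest(salt: bytes, positions: tuple, digits: str) -> bytes:
    # Bind the digits to the positions they were asked for, so the hash for
    # "positions 1,4 = 92" is not also a valid answer for "positions 2,4".
    msg = f"{positions}:{digits}".encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)

def enroll(pin: str) -> dict:
    """Store one salted hash per pair of positions instead of the PIN itself.
    Caveat: each pair has only 100 possible values, so these hashes give little
    protection if the store is copied; keep it on the internal-only server."""
    if len(pin) != PIN_LEN or not pin.isdigit():
        raise ValueError("PIN must be %d digits" % PIN_LEN)
    salt = secrets.token_bytes(16)
    digests = {pos: _digest(salt, pos, "".join(pin[i] for i in pos))
               for pos in combinations(range(PIN_LEN), ASKED)}
    return {"salt": salt, "digests": digests, "failures": 0}

def new_challenge(record: dict) -> tuple:
    """The helpdesk picks the positions, never the caller (0-based here)."""
    return secrets.choice(list(record["digests"]))

def verify(record: dict, positions: tuple, answer: str) -> bool:
    if record["failures"] >= MAX_FAILURES:
        return False                      # locked: fall back to an out-of-band check
    expected = record["digests"].get(positions)
    if expected is None or len(answer) != ASKED:
        return False
    ok = hmac.compare_digest(expected, _digest(record["salt"], positions, answer))
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok

if __name__ == "__main__":
    rec = enroll("493027")                # constructed sample PIN
    pos = new_challenge(rec)
    print("Ask the caller for digits", [p + 1 for p in pos])
```

    A wrong answer is counted against the record, and a correct one resets the counter; once locked, the call has to be verified some other way.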
  2. Vin Jauhal

    Vin Jauhal UKBF Newcomer Free Member

    20 5
    IT Glue?

    Regards

    Vin
     
    Posted: Mar 30, 2017 By: Vin Jauhal Member since: Feb 9, 2017
    #2
  3. northlondonitsupport

    northlondonitsupport UKBF Contributor Full Member

    62 9
    Hi Vin

    Thanks for your suggestion, I will take a look. Can you elaborate any further? Are you using this solution at all in your own organisation?

    Thanks
     
    Posted: Mar 31, 2017 By: northlondonitsupport Member since: May 25, 2010
    #3
  4. Vin Jauhal

    Vin Jauhal UKBF Newcomer Free Member

    20 5
    We use it within our IT service company, and keep notes against contacts, might be worth a look? Or if you have a PSA such as AutoTask, you could use notes fields. Just a suggestion, appreciate you don't really want to hold further information.

    Regards

    Vin Jauhal
    Managing Director

    Wem Technology Ltd
     
    Posted: Mar 31, 2017 By: Vin Jauhal Member since: Feb 9, 2017
    #4
  5. Cromulent

    Cromulent UKBF Enthusiast Free Member

    883 113
    Use GnuPG. It is free and open source and has clients available for Windows, Mac and Linux.

    Create a public / private key pair.

    Get your client to create a public / private key pair.

    Swap public keys via email.

    Encrypt a text file with a random text string that can't be guessed with your client's public key.

    Email the encrypted file to your client.

    Client decrypts encrypted file with their private key.

    Client phones you up and reads out the text string that only they know from the encrypted file.

    You are now 100% sure that the person you are talking to is your client.

    Job done and 100% free and open source for just about any platform and absolutely the most secure method of verifying identity out there.
     
    Posted: Mar 31, 2017 By: Cromulent Member since: Dec 8, 2008
    #5
  6. Cromulent

    Cromulent UKBF Enthusiast Free Member

    883 113
    Hmm. Can't seem to edit my post. What encryption method do you use to store your customers' passwords? You could use GnuPG for that as well. Just make sure you keep your private key very safe as anyone with access to it can decrypt your data. You can post your public key wherever you like though (email, FTP, website, heck you could even print it out and sellotape it to your front door).
     
    Posted: Mar 31, 2017 By: Cromulent Member since: Dec 8, 2008
    #6
  7. northlondonitsupport

    northlondonitsupport UKBF Contributor Full Member

    62 9
    We use SourceForge Password Safe on an internal network server (i.e. no outside access to this server), also open source. As I say, the identification is becoming more of an issue. I would welcome looking at alternatives and will take a look at GnuPG. Thanks
     
    Posted: Apr 1, 2017 By: northlondonitsupport Member since: May 25, 2010
    #7
  8. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    9,663 2,572
    Yes, we keep private keys on a smart card now, which obviates the need for more than one copy.
     
    Posted: Apr 1, 2017 By: KM-Tiger Member since: Aug 10, 2003
    #8
  9. Jord.BillingServ

    Jord.BillingServ UKBF Contributor Free Member

    86 25
    We ask them to set up a security account question, and when they phone in we ask for the answer! But you could easily do this with PINs!

    GoDaddy does that with PINs: you can set your own and then give it to the support staff!
     
    Posted: Apr 1, 2017 By: Jord.BillingServ Member since: Sep 14, 2016
    #9
  10. jblz

    jblz UKBF Contributor Full Member

    79 10
    An MD of a professional services firm recently requested that all Outlook autocomplete addresses be disabled because some employees have trouble sending emails to the correct person.
    Whilst using keys is certainly a solution, I can't imagine the pain of trying to make that work with non-techy clients.

    We trialed per-user security questions, though typically if anything sounds suspect, you can hang up, call the office and request to speak to that person. If calling from a mobile, a quick message to a line manager to confirm the employee's mobile number will typically do the trick.

    Saying that, do you offer VoIP, and if so, do you know user's voicemail PINs? That could be a decent challenge/response without much effort or pain on either side.
     
    Posted: Apr 12, 2017 By: jblz Member since: Jan 23, 2010
    #10