We have a confidential portal for clients. Historically they have been identified face to face in person and handed a unique token number that is associated with their email address and allows them initial access into their account. Once accessed they can set up their own user name and password. I want to be able to issue this token number without a face to face encounter but I am concerned about what steps I need to take to verify identity. I'm uncomfortable taking the initial information and giving out the token number in the same call. I could mail the token number but customers want quicker access. Can I email the token number with reasonable safety? Use SMS?
3 Answers
It will depend on what you are concerned about. Using SMS as a means of 'out-of-band' communication is normal for many major services. But you have to come to your own conclusion as to whether that is still too exposed for your clients. Do you have independent verification of the SMS number before transmission, for example?
Without knowing the full environment or risk factors, I would caution against over-complicating security measures. Make sure you aren't creating a security infrastructure that costs more than the risks, and costs include usability and client relationships. But those costs are something only you can evaluate.
- 125,553
- 55
- 289
- 326
The root issue is identity verification. You are granting access to someone and then in the future the username assigned is, in a way, carrying forward that verification that the claimed identity of the username matches to the appropriate person. The password is then what makes it difficult for another person to illegitimately claim that identity.
In your preexisting process, you are doing a face to face verification. What criteria are you using to proove that identity in the face to face scenario - do you look at IDs, require them to answer questions, or rely upon someone else (e.g., their manager) vouching for them?
In the offline scenario, you will have to rely upon "secrets" or at least hard to obtain information. The verifier would need access to certain information that would be hard for someone to know. This should be a combination of "something you know" attributes, which could include information about their position, date of hire, birthday, etc. In may also be providing the key values from documents you would review for a face to face situation.
The difficulty and quantity should be risk based to provide reasonable assurance that this is the right person. It will depend upon the available information you have to verify against and how costly you want to make the experience in terms of obtaining that information. For example, if you go to get your free annual credit report from https://www.annualcreditreport.com/ they will ask you information about loans, mortgages, etc. which people general do not share and would be expensive to buy. There are services you can use that will provide this to a user, and you could then have them provide some code which is only provided if they can successfully verify.
Depending on your setup, you can also rely upon providing the user doing "something you have". E.g., if you mail a code to them by mail or even use an SMS, its less likely an imposter could then provide that value over the phone.
Ultimately, it's going to depend on how you want to balance cost, risk, and time with how in-depth you want to be. Greater assurance will be more costly and may require more time. You may be able to defray direct costs by outsourcing to a trusted provider. We would need to know more specifics of what base information you have and the real business needs (you only postulate how users might react).
- 9,701
- 4
- 31
- 59
I share passwords using LastPass. Just have to be very careful when typing the receiver's email address (their LastPass login) in the Share dialog. Obviously, you have to trust that the account you are sharing with is theirs.