
Techniques for ‘verifying identity’.

The words are, or at least should be, drilled into our heads in the workplace: ‘Verify the identity of the requestor!’ This is standard procedure when responding to a request for information that has not been officially made public (I say ‘officially’ because, of course, it happens unofficially as well!).

There are multiple techniques for verifying identity, with more being developed regularly. However, most techniques fall into nine categories, each one usable by an organization of any size. Some are more secure than others, and the technique(s) used should be defined by the organization’s security policies and should depend on the sensitivity level of the information and the source of the request.

  1. Caller ID: Used to verify that the call is internal and that the name or extension matches the identity of the caller. It is susceptible to PBX hacking, however.
  2. Callback: The requestor is located in the company directory and called back at the listed number. Again, the call can be redirected.
  3. Vouching: A trusted employee verifies the identity of the requestor.
  4. Shared Common Secret: An enterprise-wide secret is requested, such as a daily code or passphrase.
  5. Supervisor verification: The immediate supervisor is called to verify identity, employment and need-to-know.
  6. Secure email: The requestor sends a digitally-signed message using an approved digital signature.
  7. Voice Recognition: If the request is made via telephone and the requestor is known to the employee, verification is made by the caller’s voice.
  8. Dynamic Passwords: The requestor supplies a one-time code from a dynamic password solution, such as SecurID or similar devices.
  9. In person: The requestor must appear personally with appropriate identification, such as an employee badge.

Each of these techniques has its own strengths and weaknesses, and no single technique should be considered perfect. As in all forms of security, it’s important to balance security and usability, but requests for sensitive information should be verified using as many methods as possible.
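As an added illustration (not code from the OSPA page), the following Python check encodes the policy idea above: the number and strength of verification methods required scales with the sensitivity of the information, and the two redirectable methods (caller ID and callback) never suffice on their own. The strength scores, the policy thresholds and the HMAC-derived daily code for the shared-secret category are assumptions made for this example.

```python
import hmac
import hashlib
import datetime

# Assumed strength score per category from the list above:
# 1 = can be redirected or spoofed (caller ID, callback),
# 2 = relies on a person or a shared value, 3 = cryptographic or physical proof.
METHOD_STRENGTH = {
    "caller_id": 1, "callback": 1,
    "vouching": 2, "shared_secret": 2, "supervisor": 2, "voice": 2,
    "secure_email": 3, "dynamic_password": 3, "in_person": 3,
}

# Assumed policy: sensitivity -> (minimum distinct methods, minimum total strength).
POLICY = {
    "public": (0, 0),
    "internal": (1, 1),
    "confidential": (2, 4),
    "restricted": (3, 8),
}


def daily_code(secret: bytes, day_iso: str) -> str:
    """Derive the enterprise-wide daily code from a shared key and an ISO date (HMAC-SHA256, 8 hex chars)."""
    return hmac.new(secret, day_iso.encode(), hashlib.sha256).hexdigest()[:8]


def check_daily_code(secret: bytes, presented: str, today_iso: str) -> bool:
    """Accept today's or yesterday's code (tolerates time-zone skew) using a constant-time comparison."""
    today = datetime.date.fromisoformat(today_iso)
    for offset in (0, 1):
        expected = daily_code(secret, (today - datetime.timedelta(days=offset)).isoformat())
        if hmac.compare_digest(expected, presented):
            return True
    return False


def verification_satisfied(sensitivity: str, methods_passed) -> bool:
    """Return True if the distinct methods passed meet the policy for this sensitivity level."""
    min_methods, min_strength = POLICY[sensitivity]
    distinct = set(methods_passed)
    unknown = distinct - METHOD_STRENGTH.keys()
    if unknown:
        raise ValueError(f"unknown verification method(s): {sorted(unknown)}")
    total = sum(METHOD_STRENGTH[m] for m in distinct)
    return len(distinct) >= min_methods and total >= min_strength
```

Repeating the same method (for example two callbacks to the same number) adds nothing, which is why only distinct methods are counted.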

Creative Commons License
Presentation Software in OPSEC Presentations by OSPA is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
Based on a work at www.opsecprofessionals.org.