Originally posted here by ghostmachine
Thanks for all your input.
The main concern on my part is how, in the scenario mentioned, staff B is going to identify that the helpdesk is who they say they are.
So firstly, the helpdesk should not ask for passwords from users at all. This is enforced by policy.
Secondly, users should just say no, no and no when asked for a password (enforced by policy).
Lastly, as an identifying mechanism, use caller ID...

thanks


Well, as pointed out in Mitnick's book, caller ID can be tricked too, if the S.E. is really motivated and skilled.... So, it can't be relied upon as a "final ID mechanism" 100% of the time...

my $0.02

-z3