
Winning the War of Identity Security: How Organizations Stay Ahead of Bad Actors

Brett Larsen
Director - Service Desk Operations

When was the last time you had to reset a password?

Did you call a Service Desk to do it? And if you did, how did they know you were really you?

Not long ago, identity verification was relatively simple. You might have been asked for the last four digits of your Social Security number and your date of birth. If the organization was more “advanced,” perhaps you answered four out of six predefined security questions. The underlying assumption was straightforward: only you would know this information.

Those days are, and should be, over.

In an era of social media oversharing and relentless, large-scale data breaches, so-called “private” information is no longer private. Knowledge-based authentication has become dangerously obsolete. As a result, organizations face a critical question:

How do we prevent bad actors from infiltrating employee and customer accounts when identity itself has become the weakest link?

The good news is that the security industry has been steadily working to build a better mousetrap. Strong, modern identity verification options exist today, if organizations are willing to adopt them.

How Did We Get Here? A Look at Common Credential Theft Methods

To understand why identity verification has become so challenging, it’s important to understand how attackers gain access. The most common techniques include:

  • Phishing and Social Engineering
    Still the most prevalent attack vector: bad actors impersonate trusted individuals or organizations to trick users into revealing passwords or verification codes, often via phone calls, email, or collaboration platforms.
  • Data Breaches
    When a company is compromised, sensitive information such as email addresses, passwords, Social Security numbers, and financial data may be exposed, sold, or reused in subsequent attacks.
  • Malware and Spyware
    Malicious software can log keystrokes, capture saved credentials, scrape browser autofill data, and copy sensitive files. Malware often enters systems through fake downloads, malicious attachments, or compromised websites.
  • Public Wi-Fi Attacks
    Unsecured Wi-Fi networks allow attackers to intercept traffic, exposing login credentials and personal data.
  • Social Media Oversharing
    Personal details shared across major and niche social platforms provide attackers with exactly the information they need to impersonate users or defeat weak verification questions.
  • Weak or Reused Passwords
    While many organizations now enforce strong password policies, any environment without complexity, rotation, or reuse controls dramatically lowers the barrier for attackers.

Keeping the Barbarians Outside the Gates

Now that we’ve properly set the stage and perhaps raised the collective blood pressure, how do organizations respond?

Even the strongest Service Desk or the most polished self-service experience will fail without robust identity verification policies and controls. Password resets and account unlocks are among the highest-risk moments in the user lifecycle.

Below are the most effective and widely recommended verification methods, including when to use them and how to combine them for maximum security.

Self-Service Password Reset (SSPR): The Gold Standard

Self-Service Password Reset (SSPR) is widely considered the most secure and scalable option for password resets.

Organizations can build their own solution or leverage enterprise IAM platforms such as Azure AD, Okta, Ping, and others. When adoption is high, SSPR delivers two powerful benefits:

  • Stronger security through consistent, automated verification
  • Lower Service Desk costs by deflecting reset calls

Self-Service Password Reset also reduces operational friction across business process services, minimizing manual intervention while improving security outcomes.

Service Desks play a critical role in adoption by actively directing users to SSPR and guiding them through first-time use. The goal is simple: the next time a password expires, the user resolves it independently.

A well-designed SSPR solution should include:

  • Strong identity validation during initial enrollment
  • Mandatory use of at least two independent verification factors, such as:
    • Authenticator apps
    • Temporary one-time links or codes (short-lived and single use)
    • Recovery email or SMS
  • Risk-based or adaptive authentication, such as device reputation and location analysis
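The "short-lived and single use" reset link or code in the list above is where many SSPR implementations go wrong (tokens that never expire, tokens stored in the clear, tokens that can be redeemed twice). The following Python is an added example, not code from the original post or from any of the IAM platforms it names. It issues a random token, stores only the SHA-256 hash of it together with an expiry, binds the token to the user it was issued for, and refuses expired, replayed, or superseded links. The class and method names, the 15-minute lifetime, and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime for a reset link; real deployments tune this to their own risk appetite.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetToken:
    user_id: str
    token_hash: bytes      # only the SHA-256 digest is kept; the raw token is never stored
    expires_at: float
    consumed: bool = False


class ResetTokenStore:
    """In-memory store for single-use, time-limited reset tokens (hypothetical name)."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._tokens: dict[bytes, ResetToken] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id; any earlier live token for that user is revoked."""
        for record in self._tokens.values():
            if record.user_id == user_id:
                record.consumed = True
        token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG randomness
        digest = self._digest(token)
        self._tokens[digest] = ResetToken(user_id, digest, self.clock() + self.ttl)
        return token                               # sent to the user once, e.g. in the reset link

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True exactly once per token, and only while it is unexpired and unrevoked."""
        # Lookup is by digest of a 256-bit random value, so an attacker cannot
        # learn anything about a valid token from the lookup itself.
        record = self._tokens.get(self._digest(token))
        if record is None:
            return False
        if record.consumed or self.clock() > record.expires_at:
            return False
        # Constant-time check that the token was issued for this account.
        if not hmac.compare_digest(record.user_id.encode("utf-8"), user_id.encode("utf-8")):
            return False
        record.consumed = True                     # single use
        return True
```

A reset link proves only possession of the mailbox or phone the link was sent to, so in an SSPR flow redeeming the token is one factor; the second, independent factor (an authenticator app, for instance) is still required before the password is actually changed.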

Multi-Factor Authentication (MFA): A Critical Verification Layer

Multi-Factor Authentication remains one of the strongest and most trusted identity verification methods.

Once set up, MFA can be reused seamlessly across password resets, account unlocks, and high-risk actions. Common approaches include:

  • Push Notifications
    A verification request triggers a push notification to the user’s registered device, which the user must explicitly approve. Popular tools include Duo, Okta Verify, and Microsoft Authenticator.
  • Time-Based One-Time Passwords (TOTP)
    Users retrieve a temporary code from an authenticator app and provide it during verification. Common apps include Google Authenticator, Authy, Aegis, and 2FAS.

MFA is highly effective because it leverages a trusted personal device protected by its own security controls, combined with cryptographically generated verification codes.
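To make "cryptographically generated verification codes" concrete, here is an added Python implementation of TOTP (RFC 6238, built on HOTP from RFC 4226) with a verifier that tolerates one step of clock drift and rejects reuse of an already-accepted code. This is example code written for this page, not code from the original post or from Google Authenticator, Authy, Aegis, 2FAS, or any other product it names. The secret below is the RFC 6238 reference secret, used only so the output can be checked against the published test vectors; `TotpVerifier` and its parameters are assumed names.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so the
# results can be checked against the RFC's SHA-1 test vectors. A real enrollment
# secret is random, per user, and never shared between systems.
RFC6238_SHA1_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the value every common authenticator app uses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Per-user verifier (hypothetical name): accepts the current step or `skew` steps
    either side to absorb clock drift, and never accepts the same step twice."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = TIME_STEP, skew: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.skew = skew
        self.last_counter = -1      # highest time step already accepted for this user

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.strip()
        if not submitted.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue            # replay of an accepted code, or older than one
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so a wrong code takes the same time as a right one.
            if hmac.compare_digest(expected.encode("ascii"), submitted.encode("utf-8")):
                self.last_counter = counter
                return True
        return False
```

The replay check is what turns a "time-based" code into a genuinely one-time code: without `last_counter`, a code captured by a phishing page stays valid for the whole drift window, which is exactly the gap real-time phishing kits exploit. Authenticator apps and servers also need reasonably synchronized clocks; the drift window covers seconds of skew, not minutes.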

Live Help Desk Verification: Still Viable—With Discipline

Password resets via phone calls to the Help Desk are still necessary in many organizations, but they represent a higher risk path and must be tightly controlled.

Agents should follow strict, standardized scripts and rely only on non-public, verifiable data. Strong options include:

  • Pre-registered security questions (only if non-guessable and well-designed)
  • Employee ID combined with validated HR information
  • Confirmation of registered device serial numbers
  • Verification of recent activity only the user would know (e.g., ticket numbers)
  • Callback to the official phone number on record
  • Escalated verification via video call (e.g., Zoom or Microsoft Teams)

High-Risk Accounts: In-Person as a Last Resort

For privileged or administrative accounts, in-person verification may be required as a last line of defense. While effective, this approach introduces logistical challenges and should be reserved for the most sensitive access scenarios.

Best Practice: Layered Verification

No single method is foolproof. The strongest defense comes from layering multiple verification mechanisms.

An example of a secure enterprise password reset flow might look like this:

  1. User initiates reset via the Self-Service Password Reset (SSPR) portal
  2. Identity is verified using two MFA methods (e.g., push notification and TOTP)
  3. If verification fails, the user is routed to a dedicated Help Desk queue
  4. The Help Desk agent follows an enhanced verification script, alerted by the failed automated attempt
  5. Password reset is completed with “force change at next login” enabled
  6. The event is logged and audited in the ticketing system
  7. Failed verifications are escalated to second-level security teams

Final Thoughts: Security Is a Moving Target

There is no “set-it-and-forget-it” approach to identity security.

Attackers are constantly refining their techniques, and organizations must evolve just as quickly. Methods that are safe today may not be safe tomorrow.

The organizations that win the war of identity security are the ones that continually reassess, modernize, and layer their verification strategies, closing gaps before bad actors can exploit them.

This is where partners like HTC help organizations operationalize identity security without degrading the customer experience through layered verification design, Service Desk controls, and scalable identity governance models.

Because when it comes to identity, the cost of being wrong is far greater than the cost of being prepared.
