How are your Help Desks verifying the identity of end-users prior to performing activities like password and MFA factor resets?

Chief Supply Chain Officer in Government, 9 months ago

We don't have nor do we want self service password resets.
We require challenge question responses via in-person (preferred) or phone via their manager/supervisor.

no title, 9 months ago

How are you verifying that the person on the phone is who they say they are? Isn't that how MGM got popped? In an enterprise with more than one location that's going to be a problem.

no title, 9 months ago

Hi Doug,
As the comment said - "Via their Supervisor/Manager"
They verify their identity first.
The supervisor/manager works directly with them on a daily basis and would know if it's them or not.

CISO in IT Services, 9 months ago

Help Desk Teams are verifying the identity of end-users prior to performing activities like password and MFA resets via a few ways. Some utilize another form of 2FA or MFA as users are usually required to have a few ways of identity verification like something you know, something you have, or something you are. Self-Service Password Reset (SSPR) allows users to reset passwords on their own using predefined verification methods, which helps lower these help desk requests. We love conditional access policies to enforce verification steps based on the user’s location, device, or risk level. Verify explicitly by always using strong authentication methods and ensuring compliance before authorizing.

Director, Special Projects, IT/OT Security in Energy and Utilities, 9 months ago

Challenge questions.
