How should IT help desks securely verify the identity of users who are calling for password reset assistance?

User verification methods to secure help desk

IT HelpDesk and User Identity verification graphic

IT help desks should employ a variety of secure identity verification methods to confirm the identity of users asking for password reset assistance. It's essential to implement identity verification best practices for effective verification of users and employees in IT security.

Asking for identifying information: This aligns with secure user verification practices, where users provide details such as their name, date of birth, and other personal information. This method forms a key part of our comprehensive identity verification solution, ensuring robust end user identity verification.

Security questions: Users may be asked to answer security questions they are likely to know, such as their mother's maiden name or their high school. These carefully selected questions are examples of identity verification questions and are critical in help desk identity verification.

Equipment Verification: Verifying that the user is using their regular equipment, like their standard workplace workstation or mobile PC, is part of secure identity verification methods. This can be challenging if the user can’t sign in due to password issues but is critical in AD user identity verification.

Behavioral Analysis: Asking questions about the user’s behavior when connected to the IT system is crucial in user verification for password reset. This includes analysis of data from Active Directory and other systems, like geo-location, time of day for normal operation, last log-in, and recent printer use.

Dynamic and Contextual Data - Reliance on dynamic and contextual data rather than personal data enhances the security of user verification for password reset. This approach is integral to password reset verification methods, ensuring the process is not reliant on personal data alone.

Verification Code: Sending a unique, time-limited verification code via email or text message to users is a crucial part of our identity verification methods. This code helps to confirm the user's identity securely and efficiently.

Two-Factor Authentication: Requiring users to use two-factor authentication, such as a code sent to their phone or a biometric factor, adds an additional layer of security. This practice aligns with identity verification best practices and enhances the overall security of the verification process.

Caller ID Spoofing Detection: Utilizing caller ID spoofing detection tools in help desks is a critical step in help desk identity verification questions. This ensures the caller's phone number is legitimate and matches the user's registered number, aiding in the prevention of identity fraud.

Point-Based Score System: A point-based score system, where users must achieve a predefined number of points to be verified, aligns with help desk password reset best practices. This system allows flexibility, enabling users to fail a single test but still be verified.

Third-Party Verification: If a user can’t be verified through the standard process, verification by a trustworthy third person, like the requester’s manager, is necessary. This method is in line with identity proofing best practices.

IT Workflow Compliance: Ensuring Help Desk personnel adhere to an IT workflow instructing supporters on the verification process is crucial. This prevents circumvention of the workflow as defined by management and is key in identity verification methods.


IT help desks must protect user privacy and ensure that personal information is handled securely and confidentially. They should also comply with relevant laws and regulations, such as anti-discrimination laws and privacy laws.

As some questions / challenges might be difficult to answer for the “real” person it is suggested to use a point-based score, where the user must achieve a predefined number of points to be verified. This allows for the user to fail a single test and still be verified. For some important users some tests might be mandatory. 

If the user can’t be verified through the standard verification process, the verification must be done by a trustworthy 3rd person like the requestor’s manager. Alternatively, the user must show up to the verification unit with document proof including photo or other bio links. 

To make sure the identification process is compliant and to prevent social engineering, the Help Desk personnel must verify the user as part of an it-workflow instructing the supporter on what to do. There should not be any ways for the supporter to circumvent the workflow as defined by management. Each proofing part must be noted for alerts and auditing. 

It is also important for IT help desks to protect the privacy of users and ensure that personal information is handled in a secure and confidential manner. They should also ensure that they follow relevant laws and regulations, such as anti-discrimination laws and privacy laws. 

Adherence to Organizational Standards

Various organizations prescribe standards for user verification in IT security.

These include NIST in the United States, which develops technical standards, including those for user verification. ISO publishes international standards like ISO/IEC 27001, focusing on information security management systems. PCI DSS sets security standards for organizations handling credit card information, necessitating strong user verification processes. CISA offers guidance on implementing strong user verification processes.

Compliance with these standards is essential for effective and secure identity verification.

Identity Verification Solutions in the Market: Few identity verification solutions are available in the market, but products like FastPass offer a streamlined password reset process for ITSM/ServiceNow and other ITSM products, facilitating easy implementation.

Continual Improvement and Adaptation: Organizations must continuously update and improve their identity verification processes, staying abreast of emerging technologies and adapting to new challenges. Proactive IT security ensures organizations remain ahead of potential vulnerabilities.

Education and Training: VRegular training and education for IT help desk staff on the latest identity verification methods and technologies are vital. This includes training on technical aspects and best practices related to privacy and legal compliance. Continuous learning ensures that the staff remains proficient and updated on the best approaches in secure user verification.

Collaboration with Industry Experts:Engaging with industry experts and participating in IT security forums can provide valuable insights into effective identity verification methods. Collaboration fosters a deeper understanding of the challenges and solutions in the field, enhancing the help desk's ability to implement effective password reset verification methods.

Technological Advancements- Embracing technological advancements in identity verification, including AI, machine learning, and biometrics, offers enhanced security for processes like password reset in ITSM/ServiceNow systems. Staying at the forefront of technology enables help desks to offer state-of-the-art user verification methods.

Feedback and Continuous Improvement: Regularly soliciting feedback from users and analyzing the effectiveness of current identity verification methods allow for continuous improvement. This feedback loop is essential in refining help desk password reset best practices and ensuring the identity verification process remains user-friendly, secure, and efficient.

Regulatory Compliance and Standards Alignment: It's crucial for IT help desks to stay aligned with regulations and standards set by authoritative bodies like NIST, ISO, PCI DSS, and CISA. Compliance ensures that the identity verification methods employed are effective, legally sound, and globally recognized.

Balancing Security and User Experience: Balancing high security with user experience is important. Implementing overly cumbersome identity verification methods can lead to user frustration. Help desks must find a balance that maintains high security without compromising ease of use.

Future-Proofing Security Measures: As technology and security threats evolve, identity verification strategies should also evolve. Future-proofing these measures ensures that help desks are prepared for upcoming changes in the IT security landscape.

By incorporating these practices and adapting to the changing landscape of IT security, help desks can effectively manage identity verification complexities. Implementing comprehensive and secure identity verification methods is essential in protecting sensitive information and maintaining user trust.


Related Identity Verification Insights

Protect your Passwords today with FastPass

Get in touch with us today by filling up the form and our team will get back to you as soon as possible.

Scroll to Top