Best Practices for Authenticating Help Desk Calls

Asked By TechGuru77 On

I'm looking for effective methods to authenticate callers who need support on sensitive issues like password resets or adding devices to Intune. With the rise of voice cloning technology, how can we ensure that we're not inadvertently resetting passwords for malicious actors? What are some best practices or technologies your organization employs for this? Are there any built-in tools in Microsoft that could help?

5 Answers

Answered By SecureAdmin88 On

At my large organization, we’ve revamped our help desk authentication process significantly. Here are some things we've implemented:
1. We added a button that triggers a multi-factor authentication (MFA) prompt for the user, which has worked well as long as their MFA is functional. Check out this article for more on it: [Transactional MFA](https://www.entraneer.com/blog/entra/authentication/transactional-mfa-entra-id).
2. We conducted a proof of value for VerifiedID and AuthID, but it was tricky to set up and pricey. Ultimately, we found Clear (linked here: [Clear Id](https://identity.clearme.com/)) to be a solid choice, and they're much more cost-effective than some of the alternatives.

MFA_Wizard92 -

Yeah, pushing a notification through the help desk works like a charm! Using services like Okta or similar just makes it easier.

TechSavvyJoe -

Just to clarify on the MFA, does it let users enter a confirmation code themselves or is it just approve/deny?

Answered By OldSchoolHelpdesk On

For situations where users are completely locked out, we do a quick Zoom call to verify identity. We check it against personal emails used when they were hired; this method is pretty solid for ensuring legitimacy.

TechTrainer99 -

That's smart! Having them use their personal email for verification really helps, especially if the system’s been compromised.

Answered By CautiousCaller On

When in doubt, I always hang up and call back using the official number listed in our database. It’s less likely a threat actor will have access to the user’s machine, so remote access helps a lot.

BackupPlan88 -

Exactly! I always look up the user's number before calling them back to verify.

Answered By ParanoidTechie On

Once a scam becomes apparent, it’s crucial to verify. The number one method is to call back using the official contact number. This way, you're sure it’s the legitimate user.

CarefulCaller47 -

That's the safest approach, especially with all the spoofing that's been happening!

Answered By OnSiteSupport On

Our approach involves triple verification:
1. User reads the MFA code from their corporate device.
2. They read off the serial number from their laptop.
3. We conduct a video verification to confirm their identity.

It’s a bit tedious for users, but it ensures security.

ConfusedTechie -

Why the serial number? How does that help with verifying their identity?

EnterpriseGuru -

It’s more about confirming they have the right device; it can become a necessary step when dealing with sensitive data.
