I'm looking for effective methods to authenticate individuals calling for help with sensitive issues like password resets or adding devices to Intune. With the increase in voice cloning technology, it's crucial to ensure that we aren't inadvertently providing access to someone who's not authorized. What strategies or technologies does your organization use for verification? Are there any built-in tools in the Microsoft ecosystem that we should consider?
10 Answers
For helpdesk calls, it's essential to take all necessary steps to verify the caller's identity because proper verification can save a lot of headaches. There's no perfect method as threats evolve continuously, so using a combination of techniques is key—whether that's MFA, video calls, or simply knowing your users well.
Our approach is to require a video call for password resets and MFA changes. We verify the user's identity by comparing them to their ID photo on file. This can be time-consuming, but it significantly reduces the risk of unauthorized access. Of course, most of our users rarely need such help since we primarily use self-service methods for MFA and Intune enrollments now.
For password resets, we enforce a one-on-one video verification via Zoom or Teams. It's a little tedious, but it ensures that users are who they say they are. We've found it to be a reliable method, especially in our law firm with about 2,000 users.
If I suspect a scam, I hang up and call them back using the number we have on file. For added security, I can also remote into their computer, which is a good way to confirm their identity.
For safety, I always consider disabling a compromised account right away. I prefer to call back numbers directly from our files to ensure legitimacy. It may frustrate some users when we take these precautions, but it's necessary given the current threat landscape.
Totally agree! It's better to be ‘that annoying IT person’ than the one responsible for a security breach.
Using the last four digits of SSNs for verification isn't advisable—it's risky. Instead, I suggest verifying them through a colleague if they're in the office, or calling them back at their registered phone number if they're remote.
I feel like any method involving SSNs just invites trouble, especially since many have been compromised.
Good point! I guess buddy verification is effective as long as the colleague is available to answer.
In a K-12 setting, I usually ask them to call from their school line. But it's risky because anyone could spoof numbers. A better method would be to have them come to the office for verification.
If we ever need to reset a password and the user is fully locked out, we go through a Zoom call to confirm their identity from their HR-submitted email. This way, we ensure it's really them. Every layer of verification adds some assurance that we're not giving access to the wrong person!
At my large organization, we've implemented a few measures to enhance authentication. First off, we introduced a button on our Helpdesk system to trigger an MFA prompt, which works pretty well unless users have recently reset their MFA. Additionally, we explored using VerifiedID and Clear for identity verification, though both had their quirks and were costly. Right now, we're rolling out Clear since it's more budget-friendly. It's really a solid option if you need something beyond traditional methods.
Sounds like a plan! Just make sure users know about the push notifications—they're super easy to handle.
Does the MFA prompt let the user enter a two-digit code or just approve/deny? Because I worry about that method being too vulnerable.
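The helpdesk-triggered MFA prompt described a few answers up, and the question above about a two-digit code versus plain approve/deny, can be compared in a small simulation of the exchange between the agent's console and the user's enrolled device. This is an added example, not code from any poster here or from Microsoft; the `Challenge` class, the `issue_challenge` and `device_responds` functions and the three scenario helpers are assumptions that model the flow, not a real MFA API.

```python
"""Simulated helpdesk MFA prompt: approve/deny push versus number matching.

Added illustration (assumed names, not a real IdP API).  The point it shows:
with approve/deny, any tap on the real user's device satisfies the prompt,
so an impostor on the phone only needs the user to tap 'approve'.  With
number matching, the device must be given the number the agent sees, which
an impostor on the phone does not have.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Challenge:
    user: str
    number: Optional[int]            # None means a plain approve/deny push
    attempts_left: int = 3           # mismatches allowed before lockout (assumed policy)
    satisfied: bool = False
    denied: bool = False
    log: List[str] = field(default_factory=list)


def issue_challenge(user: str, number_matching: bool) -> Challenge:
    """Agent presses the 'send MFA prompt' button on the helpdesk console.

    With number matching, the console shows a two-digit number (10..99) that
    the caller must type into the authenticator app on their enrolled device.
    """
    number = secrets.randbelow(90) + 10 if number_matching else None
    ch = Challenge(user=user, number=number)
    ch.log.append(f"push sent to {user}'s device (number_matching={number_matching})")
    return ch


def device_responds(ch: Challenge, approve: bool, typed_number: Optional[int] = None) -> bool:
    """The enrolled device answers the push.  Returns True if the challenge is satisfied."""
    if ch.satisfied or ch.denied:
        return ch.satisfied              # challenge already closed; ignore further input
    if not approve:
        ch.denied = True
        ch.log.append("device denied the prompt")
        return False
    if ch.number is None:
        # Approve/deny only: a tap is enough, whoever is actually on the phone.
        ch.satisfied = True
        ch.log.append("device approved (no number required)")
        return True
    # Number matching: the tap only counts together with the agent's number.
    if typed_number == ch.number:
        ch.satisfied = True
        ch.log.append("device approved with matching number")
        return True
    ch.attempts_left -= 1
    ch.log.append(f"wrong number entered, {ch.attempts_left} attempts left")
    if ch.attempts_left == 0:
        ch.denied = True
        ch.log.append("challenge locked after repeated mismatches")
    return False


def scenario_stray_tap(number_matching: bool) -> bool:
    """Impostor on the phone; the real user taps 'approve' on an unexpected push
    (MFA fatigue) without knowing any number."""
    ch = issue_challenge("alice", number_matching)
    return device_responds(ch, approve=True, typed_number=None)


def scenario_genuine_caller() -> bool:
    """Genuine user: the agent reads out the number, the user types it in."""
    ch = issue_challenge("alice", number_matching=True)
    return device_responds(ch, approve=True, typed_number=ch.number)


if __name__ == "__main__":
    print("approve/deny, stray tap accepted:", scenario_stray_tap(number_matching=False))
    print("number matching, stray tap accepted:", scenario_stray_tap(number_matching=True))
    print("number matching, genuine caller accepted:", scenario_genuine_caller())
```

The three scenarios make the difference concrete: a stray tap wins against approve/deny but fails against number matching, and the genuine caller still gets through because the agent can read the number to them. This is the property Microsoft Authenticator's number matching provides for push prompts; the attempt counter and lockout here are an assumed policy, not a setting copied from any product.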
To guard against issues stemming from voice cloning, I usually say, "I'm going to call you back on the phone number we have on file." It adds a layer of security without much hassle.

That's exactly how I handle it! Can't be too careful with these calls.