When a user reaches out for a password reset or account assistance, your support team becomes the gatekeeper – balancing usability with the critical responsibility of protecting access.
Handled correctly, these interactions help prevent unauthorized access. Handled carelessly, they can hand cybercriminals everything they need to breach a system.
The recent Clorox vs. Cognizant lawsuit illustrates the real-world stakes: Clorox is suing its former IT provider for approximately $380 million, alleging that service desk staff simply handed over login credentials—and even reset MFA—without verifying the caller’s identity, in direct violation of agreed-upon protocols. The breach paralyzed operations, halted manufacturing lines, and inflicted massive financial losses.
For this Tech Tip Tuesday, we’re diving into essential verification best practices for IT providers—especially when handling high-risk account actions, such as password resets.
Why Verification Matters
Social engineering attacks are on the rise. Cybercriminals often impersonate employees, executives, or even vendors to trick IT support into bypassing normal security protocols.
Failing to properly verify users:
- Exposes sensitive business data
- Opens the door to ransomware or data breaches
- Damages your reputation and client trust
IT providers must build strong verification protocols that balance security with usability.
Best Practices for Verifying Users
1. Always Follow a Multi-Factor Verification Process
Never rely on a single point of verification, such as caller ID or knowledge-based questions. Use at least two of the following:
- Callback Verification: Hang up and call the user back at their registered phone number on file.
- Email Challenge: Send a secure link or one-time code to their corporate email.
- ID Check: Request photo ID if the user is unknown or remote.
- Authentication App: Use mobile push approval (via Microsoft Authenticator, Duo, etc.)
2. Don’t Trust the Helpdesk Ticket Alone
Just because a ticket exists doesn’t mean it’s valid. Verify the source and context:
- Was the ticket submitted through a trusted portal?
- Does the request align with the user’s normal behaviour?
- Is there any urgency language that feels out of character?
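The three questions above can be turned into a first-pass triage check that runs before a technician touches the account. The following is an added example, not SOClogix's tooling or any product mentioned on this page: the trusted-source list, the urgency phrases and the "usual hours" window are assumptions you would tune to your own environment, and the two sample tickets are constructed.

```python
"""Triage a helpdesk reset ticket before anyone acts on it.

Added example (not SOClogix's tooling). Encodes the three questions from the
tip: trusted source, normal behaviour for this user, out-of-character urgency.
"""
from dataclasses import dataclass
import re

# Assumed: the intake channels your organisation treats as trusted.
TRUSTED_SOURCES = {"employee_portal", "sso_self_service"}

# Assumed pressure phrases; extend with what you actually see in your queue.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright now\b", r"\basap\b",
    r"\bbefore (the )?(meeting|deadline|board)\b", r"\bcan't wait\b",
]


@dataclass
class Ticket:
    user: str
    source: str                      # channel the request arrived on
    text: str                        # free-text body of the request
    hour_submitted: int              # 0-23, local time
    usual_hours: tuple = (8, 18)     # user's normal working window [start, end)
    usual_sources: frozenset = frozenset()  # channels this user normally uses


def triage(ticket: Ticket) -> list[str]:
    """Return reasons the ticket needs extra verification; empty means routine."""
    flags = []
    if ticket.source not in TRUSTED_SOURCES:
        flags.append(f"untrusted source: {ticket.source}")
    if ticket.usual_sources and ticket.source not in ticket.usual_sources:
        flags.append("source differs from the user's usual channel")
    start, end = ticket.usual_hours
    if not (start <= ticket.hour_submitted < end):
        flags.append(f"submitted outside usual hours ({ticket.hour_submitted}:00)")
    hits = [p for p in URGENCY_PATTERNS if re.search(p, ticket.text, re.IGNORECASE)]
    if hits:
        flags.append(f"urgency language ({len(hits)} pattern(s) matched)")
    return flags


def needs_escalation(ticket: Ticket) -> bool:
    """Any flag means the request goes through the full verification process."""
    return bool(triage(ticket))


# Constructed sample tickets.
ROUTINE = Ticket(
    user="a.smith", source="employee_portal",
    text="Forgot my password after the holidays, please reset.",
    hour_submitted=10, usual_sources=frozenset({"employee_portal"}),
)
SUSPICIOUS = Ticket(
    user="a.smith", source="inbound_phone",
    text="This is the CFO, I need this reset immediately, I can't wait, board meeting in 10 minutes.",
    hour_submitted=22, usual_sources=frozenset({"employee_portal"}),
)

if __name__ == "__main__":
    for t in (ROUTINE, SUSPICIOUS):
        print(t.user, t.source, "->", triage(t) or "routine")
```

A ticket with no flags still gets the standard reset procedure; a flagged ticket is routed to the full multi-factor verification path and the escalation contact from your protocol document, never silently rejected or silently approved.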
3. Establish a Verification Protocol Document
If your team doesn’t have a written procedure for identity verification, now is the time. Include:
- Steps for standard password resets
- Emergency protocols
- Escalation contacts for suspicious requests
Train new technicians on this process. Make it part of your onboarding and compliance checks.
4. Use Secure Tools for Communication
Avoid sending reset links, temporary passwords, or account details via plain-text email or SMS.
Opt for:
- Encrypted communication platforms
- Secure portals with MFA
- Ticketing systems with built-in identity verification workflows
5. Log Everything
Always document:
- The method of verification used
- Who authorized the reset
- The date/time and IP (if applicable)
Auditing helps when something goes wrong—and shows clients you take security seriously.
Pro Tip: Pre-Validate Executives and VIPs
Executives are top targets for impersonation. Set up VIP verification protocols with:
- Pre-approved verification questions
- Trusted contact chains
- Additional authentication layers
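Sections 1 and 5 and the VIP tip describe one policy: at least two independent verification methods before a reset, an extra layer for executives, and a record of what was done. The following is an added example, not SOClogix's tooling: it encodes that policy as a gate that produces the audit record. The method names, the rule that knowledge-based questions never count as one of the required factors, and the "three factors for VIPs" threshold are assumptions made for the example; the sample results are constructed.

```python
"""Gate a password reset on independent verification methods and log it.

Added example (not SOClogix's tooling). Assumptions: two distinct strong
methods for everyone, three for pre-validated VIPs, knowledge-based questions
only ever supplementary, and any failed check aborts the reset.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Methods the tip lists as acceptable. "kba" (knowledge-based questions) is
# allowed as a supplement but never counts toward the required factors.
STRONG_METHODS = {"callback", "email_challenge", "photo_id", "auth_app_push"}
SUPPLEMENTARY_METHODS = {"kba"}


@dataclass(frozen=True)
class VerificationResult:
    method: str
    passed: bool
    performed_by: str        # technician who ran the check


class VerificationError(Exception):
    pass


def required_factors(user: str, vip_list: set) -> int:
    return 3 if user in vip_list else 2


def check_policy(user, results, vip_list) -> list:
    """Return the distinct strong methods that passed, or raise if policy is not met."""
    unknown = {r.method for r in results} - STRONG_METHODS - SUPPLEMENTARY_METHODS
    if unknown:
        raise VerificationError(f"unrecognised method(s): {sorted(unknown)}")
    failed = [r.method for r in results if not r.passed]
    if failed:
        # A callback nobody answers or a push nobody approves is a stop, not a retry.
        raise VerificationError(f"check failed, escalate: {failed}")
    strong = sorted({r.method for r in results if r.method in STRONG_METHODS})
    need = required_factors(user, vip_list)
    if len(strong) < need:
        raise VerificationError(f"{user}: {len(strong)} strong factor(s), policy requires {need}")
    return strong


def authorize_reset(user, results, vip_list, authorized_by, source_ip=None) -> dict:
    """Apply the policy and return the audit record that would be appended to the log."""
    strong = check_policy(user, results, vip_list)
    record = {
        "event": "password_reset",
        "user": user,
        "vip": user in vip_list,
        "methods": strong,
        "performed_by": sorted({r.performed_by for r in results}),
        "authorized_by": authorized_by,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source_ip": source_ip,
    }
    print(json.dumps(record))   # in practice: append to a tamper-evident audit log
    return record


def reset_allowed(user, results, vip_list) -> bool:
    try:
        check_policy(user, results, vip_list)
        return True
    except VerificationError:
        return False


# Constructed sample data.
VIP_LIST = {"ceo"}
SAMPLE_TWO_STRONG = [VerificationResult("callback", True, "tech1"),
                     VerificationResult("auth_app_push", True, "tech1")]
SAMPLE_CALLBACK_PLUS_KBA = [VerificationResult("callback", True, "tech1"),
                            VerificationResult("kba", True, "tech1")]
SAMPLE_THREE_STRONG = SAMPLE_TWO_STRONG + [VerificationResult("email_challenge", True, "tech2")]
SAMPLE_FAILED_CALLBACK = [VerificationResult("callback", False, "tech1"),
                          VerificationResult("auth_app_push", True, "tech1")]

if __name__ == "__main__":
    authorize_reset("a.smith", SAMPLE_TWO_STRONG, VIP_LIST, "lead.tech", "203.0.113.5")
```

The record captures exactly the fields section 5 asks for: the methods used, who performed and who authorized the reset, the timestamp and the source IP where one exists. Keeping the policy in code rather than in each technician's head is what makes the "we followed protocol" claim auditable after the fact.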
Final Thought
User verification is a frontline defense, and it’s your responsibility as an IT provider to get it right. A little friction during password resets is a small price to pay for preventing a costly breach.
Need help building or refining your verification policies?
SOClogix can assist with policy development, technician training, and layered access controls that reduce risk and boost client confidence. Whether you’re starting from scratch or tightening your current process, we’re here to help. Contact us today to learn more!
💬 Have a go-to method for verifying users? Please share it in the comments, and let’s help each other stay secure.
🔄 Stay tuned for next week’s Tech Tip Tuesday for more frontline cybersecurity advice.