TL;DR
This guide shows you how to verify the identity of someone who contacts your helpdesk. We’ll cover simple security questions, multi-factor authentication (MFA), and using knowledge bases and self-service to reduce the number of requests that need verification at all.
1. Understand the Risks
Before we start, it’s important to know why identity verification matters. Without it, someone could pretend to be a user and:
- Access sensitive information
- Change account details
- Cause disruption or fraud
The level of verification you need depends on the sensitivity of what the user is asking for. A password reset needs less verification than changing the bank account details on file.
2. Simple Knowledge-Based Authentication (KBA)
- Choose Security Questions: Select questions that are difficult to guess but easy for legitimate users to remember. Examples include:
  - “What was the name of your first pet?”
  - “What city were you born in?”
  - “What is your mother’s maiden name?” (Use with caution – this is becoming less secure)
- Collect Answers: When a user registers or updates their account, securely store the answers to these questions.
- Verification Process: When a user contacts the helpdesk:
  - Ask 2-3 security questions.
  - Compare the answers provided with those stored in your system.
  - If the answers match, proceed with their request.
- Limitations: KBA is vulnerable to social engineering and data breaches. It’s best used as a first step or for low-risk requests.
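The "securely store the answers" and "compare the answers" steps above are where KBA implementations usually go wrong: answers kept in plaintext are readable by any agent and by anyone who steals the database. The following is an added example, not code from the original guide, showing one way to do both steps: answers are normalised (case, accents, punctuation) so a legitimate user is not rejected over "Sao Paulo" vs "São Paulo", then stored only as salted PBKDF2 hashes, and the helpdesk check requires a configurable number of matches (two of three here, matching the "ask 2-3 questions" step) while returning only pass/fail to the agent. The in-memory `store` dict, the function names and the sample answers are all constructed for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Slow-hash work factor; tune upward on real hardware.
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so harmless differences (case, accents,
    punctuation, spacing) do not lock out the legitimate user."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))   # strip accents
    text = "".join(c for c in text if c.isalnum() or c.isspace())     # strip punctuation
    return " ".join(text.casefold().split())                          # lowercase, collapse spaces


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) of the normalised answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll_answers(store: dict, user_id: str, answers: dict) -> None:
    """Registration step: answers maps question -> plaintext answer.
    Only (question, salt, hash) rows are kept; the plaintext is discarded.
    `store` is a constructed in-memory stand-in for the account database."""
    rows = []
    for question, answer in answers.items():
        salt = os.urandom(16)                      # fresh salt per answer
        rows.append((question, salt, hash_answer(answer, salt)))
    store[user_id] = rows


def verify_kba(store: dict, user_id: str, offered: dict, required: int = 2):
    """Helpdesk step: offered maps question -> what the caller said.
    Returns (passed, number_of_matches). The agent never sees stored answers,
    only this outcome. An unknown user simply matches nothing."""
    matched = 0
    for question, salt, digest in store.get(user_id, []):
        candidate = offered.get(question)
        if candidate is None:
            continue
        # constant-time comparison so timing does not reveal partial matches
        if hmac.compare_digest(hash_answer(candidate, salt), digest):
            matched += 1
    return matched >= required, matched


if __name__ == "__main__":
    store = {}
    enroll_answers(store, "user-42", {
        "first pet": "Mr. Whiskers",
        "birth city": "São Paulo",
        "school": "Lincoln High",
    })
    print(verify_kba(store, "user-42", {"first pet": "mr whiskers", "birth city": "sao paulo"}))
```

Because the helpdesk tool calls `verify_kba` and displays only the boolean, an agent who is socially engineered cannot read an answer back to the caller, and a breach of `store` yields salted hashes rather than the answers themselves. The normalisation is deliberately applied before hashing so that both enrollment and verification see the same canonical string.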
3. Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring users to provide two or more verification factors.
- Common MFA Methods:
  - SMS Codes: A code sent to the user’s registered mobile phone.
  - Authenticator Apps (e.g., Google Authenticator, Microsoft Authenticator): generate time-based one-time passwords (TOTP).
  - Email Codes: A code sent to the user’s email address. (Less secure than SMS or authenticator apps.)
  - Biometrics: Fingerprint scanning, facial recognition.
- Implementation: Integrate MFA into your helpdesk system and key applications. Conceptually the flow looks like this (the specific implementation varies):

```python
# Example (conceptual - specific implementation varies)
if user_attempts_login():
    # trigger the user's preferred second factor (SMS, authenticator app, ...)
    request_mfa(user.id, method=user.preferred_mfa)
    # check the code the user typed against what was issued
    verification_successful = verify_code(user.id, code_entered)
    if verification_successful:
        allow_access()
    else:
        deny_access()
```

- Helpdesk Access: Ensure helpdesk staff also use MFA to access sensitive systems.
4. Using Knowledge Bases and Self-Service
Reducing the number of support requests lowers the risk of identity fraud.
- Create a Comprehensive Knowledge Base: Answer frequently asked questions (FAQs) online.
- Self-Service Portals: Allow users to reset passwords, update contact information, and manage their accounts without helpdesk intervention.
- Automated Chatbots: Use chatbots to handle simple requests and guide users to self-service resources.
5. Phone Verification
For phone support, verify the caller’s identity using these steps:
- Ask for Identifying Information: Request details like:
  - Full name
  - Account number
  - Date of birth (use cautiously)
  - Address
- Call Back Verification: Call the user back on a pre-registered phone number.
- Out-of-Band Authentication: Send an SMS code to their registered mobile number and ask them to read it back.
6. Document Everything
Keep detailed records of all verification attempts, including:
- Date and time of the request
- User’s identifying information
- Verification methods used
- Outcome of the verification process (success or failure)
This documentation is crucial for auditing, training, and investigating security incidents.

