For years, organizations have focused on strengthening authentication. They deployed multi-factor authentication (MFA), rolled out passwordless initiatives, enforced Conditional Access policies, and invested heavily in identity security. Yet account takeovers continue to happen.
Why? Because attackers have discovered something many security teams overlook: The easiest way to bypass identity controls isn’t to attack the technology. It’s to attack the people operating it. And nowhere is this more evident than the service desk.
The Service Desk Has Become Your Largest Authentication System
Think about the last password reset request your help desk handled. An employee calls because they’re locked out. The service desk agent asks a few questions. The answers sound legitimate. The password gets reset. Access is restored.
At first glance, this seems like a routine support interaction. In reality, something much more important just happened. Your help desk performed an authentication event.
The agent made a security decision: “Is this person really who they claim to be?”
That decision may provide access to Microsoft 365, VPNs, cloud applications, privileged systems, and sensitive business data. In many organizations, the service desk has become a manual identity provider. The problem is that most help desks still rely on verification methods designed for a world that no longer exists.
The Information Advantage Is Gone
Traditional verification methods assume that personal and organizational information remains private. Support teams commonly ask for:
-
Employee IDs
-
Department names
-
Manager names
-
Office locations
-
Phone numbers
-
Security questions
Twenty years ago, these questions worked. Today, they often provide little meaningful assurance. Modern attackers can gather information from:
-
LinkedIn
-
Corporate websites
-
Social media
-
Public records
-
Previous data breaches
-
Phishing campaigns
-
Data broker services
Many attackers know as much about an employee as the help desk does. Sometimes more. The problem isn’t that service desk agents are careless. The problem is that the verification process itself has become outdated.
AI Has Changed the Threat Landscape
Generative AI is accelerating this problem. Attackers can now:
-
Write convincing phishing messages in seconds
-
Build detailed employee profiles
-
Create realistic fake communications
-
Clone voices from publicly available recordings
-
Automate social engineering campaigns at scale
A support agent receiving a phone call can no longer assume that a familiar voice belongs to a legitimate employee. The rise of AI-powered impersonation attacks means organizations must rethink how identity is established during support interactions.
The question is no longer: “Can this person answer a few verification questions?”
The question is: “Can this person prove they are the legitimate account owner?”
Those are fundamentally different challenges.
Verification Is Not the Same as Identity Proofing
This distinction is becoming increasingly important.
Identity Verification
Verification asks: “Tell me something you know.”
Examples include:
-
Employee IDs
-
Security questions
-
Manager names
-
Personal details
Identity Proofing
Identity proofing asks: “Prove you are the actual person behind this identity.”
Examples include:
-
Government-issued identity documents
-
Biometric matching
-
Liveness detection
-
Fraud analysis
-
Trusted identity validation
Verification relies on information. Proofing relies on evidence. In an era where information is widely available, evidence becomes significantly more valuable.
Why MFA Doesn’t Fully Solve the Problem
Many organizations assume that MFA addresses this risk. It helps, yes. But it doesn’t eliminate it. MFA answers a specific question: “Does this person possess an enrolled authentication factor?” Identity proofing answers a different question: “Is this person actually the legitimate owner of that identity?” Those are not the same thing.
Consider an employee who:
-
Lost access to their MFA device
-
Replaced their smartphone
-
Is onboarding remotely
-
Needs account recovery assistance
At some point, a support process must determine whether the individual requesting assistance is legitimate. This is where many organizations still depend on weak verification methods.
The Rise of Identity Proofing for Service Desks
Forward-thinking organizations are beginning to treat service desk interactions as high-risk identity events. Instead of relying on information-based verification, they require users to establish proof of identity before sensitive account actions are performed.
This creates a significantly stronger trust model. Rather than asking “What is your employee number?”, organizations can ask: “Can you prove you are the legitimate account owner?” That shift dramatically reduces the effectiveness of social engineering attacks.
What Identity Proofing Looks Like in Practice
A modern identity proofing workflow typically includes:
-
The user initiates a password reset or account recovery request
-
The user provides a government-issued identity document
-
Automated validation checks the document’s authenticity
-
Liveness detection confirms the presence of a real person
-
Identity matching validates the relationship between the individual and the provided identity
-
The service desk proceeds only after successful proofing
Instead of trusting information that can be discovered online, the organization relies on evidence that is significantly harder to fake.
How Specops Verified ID Addresses the Challenge
Specops Verified ID was designed specifically to solve this growing identity assurance problem. Rather than relying on traditional security questions, organizations can use identity proofing to establish confidence before allowing sensitive account actions.
By combining identity document validation, biometric verification, liveness checks, and fraud prevention mechanisms, Specops Verified ID helps organizations verify that the person requesting assistance is who they claim to be.
This additional layer of assurance is particularly valuable for:
-
Password resets
-
Account recovery
-
MFA recovery
-
Remote employee onboarding
-
High-risk account changes
-
Privileged account support
Most importantly, it allows service desk teams to make security decisions based on evidence rather than assumptions.

Specops Verified ID
Questions Every Security Team Should Ask
Before approving another password reset request, consider the following:
-
Could an attacker find the answers to our verification questions online?
-
Would our help desk detect a sophisticated impersonation attempt?
-
How would we verify a remote employee who lost access to all authentication factors?
-
Can we prove that our account recovery process is resistant to social engineering?
-
Are we verifying identities, or merely checking information?
Many organizations discover that their biggest identity security gap isn’t their authentication system. It’s the process surrounding account recovery.
The Future of Service Desk Security
The next generation of attacks will increasingly target people rather than technology. As AI makes impersonation easier and personal information becomes more accessible, knowledge-based verification will continue to lose effectiveness.
Organizations that want to stay ahead of these threats must move beyond traditional security questions and adopt stronger identity assurance models. Identity proofing represents that next step. Because in today’s threat landscape, knowing who someone claims to be is no longer enough. You need confidence that they actually are.

Specops Verified ID – Verification Request
Ready to Evaluate Your Identity Recovery Risk?
Ask yourself one simple question: If an attacker called your service desk today, could they pass your current verification process? If the answer isn’t a confident “no,” it may be time to rethink how your organization establishes trust before granting access. That’s where identity proofing can make the difference. Don’t wait to book a demo!