Tech Tip Tuesday: How IT Providers Can Safely Verify Users for Password Resets
When a user reaches out for a password reset, your support team becomes the gatekeeper. The recent Clorox vs. Cognizant $380M lawsuit illustrates the real-world stakes of failing to properly verify identities during high-risk account actions.
A password reset request seems routine - but it's one of the highest-risk interactions in IT support. An attacker who successfully social engineers a help desk agent into resetting credentials gains immediate, legitimate access to the target account. No malware. No exploit. Just a phone call and the right words.
This is exactly what happened in several high-profile breaches - and why the identity verification process for password resets and account recovery deserves the same rigor as any other security control.
The $380 Million Warning: Clorox vs. Cognizant
In a landmark legal case, Clorox sued its managed IT provider Cognizant following a 2023 cyberattack that caused over $380 million in damages. The attack was initiated through a help desk social engineering call - an attacker posed as an employee and persuaded a support agent to reset account credentials without proper verification. The attacker then used those credentials to deploy ransomware.
$380M+
Estimated damages
1 Call
Social engineering vector
0 Tech
Exploits needed
Why This Matters for MSPs and IT Teams
The Clorox case established that managed service providers have a duty of care around identity verification. If your help desk resets a password without proper verification and an attacker gains access, your organization - or your client's organization - may bear liability. This is no longer just a security best practice. It's a legal risk.
What NOT to Accept as Verification
Many help desks rely on information that is easily researched, guessed, or obtained through LinkedIn, company websites, or data breaches. These are not sufficient for verifying identity before a password reset:
Full name
Publicly available on LinkedIn
Job title or department
Easily found on company websites
Employee ID number
Often included in badge photos or documents
Email address alone
The very account being reset
Date of birth
Available in data breaches and social media
Last 4 of SSN
Frequently exposed in breaches
Strong Verification Methods That Work
The goal is to establish that the person requesting the reset is the legitimate account holder - not just someone who knows facts about them. Layer these methods based on the risk level of the account:
Tier 1 - Standard Accounts
- Manager approval via a separate, verified channel (Teams, phone call to known number)
- Push notification to pre-registered MFA app on a device already enrolled for the user
- Video call via a known Teams or Zoom meeting where agent can visually confirm identity with ID
Tier 2 - Privileged, Finance, or Executive Accounts
- Live video verification with government-issued photo ID required
- Dual approval: both manager AND IT security team must authorize
- Out-of-band notification to a verified personal phone number on file (call back, not inbound)
- A time-delay reset - account unlocked after a defined window, giving the real user time to flag unauthorized requests
Tier 3 - Domain Admin or Service Accounts
- In-person verification with physical ID - no remote resets allowed
- CISO or IT Director authorization required in writing
- Reset session must be recorded and stored with ticket
- Immediate security review triggered upon any reset request
Building a Defensible Verification Process
A strong verification process is only as good as its documentation and enforcement. Here's how to formalize it:
Classify Accounts by Risk
Not all accounts are equal. Create a tiered policy based on account privilege level, data access, and financial authority. Map each tier to a required verification method.
Document Everything in the Ticket
Log the verification method used, the information confirmed, and the agent who processed the request. This creates an audit trail and a deterrent.
Never Accept Inbound Phone Calls as Verification
A caller claiming to be an employee cannot be verified by their own phone number. Always call back on a number already on record in your HR or directory system.
Implement a "Challenge Window" for High-Risk Resets
Before resetting a privileged account, notify the account owner via a secondary channel (personal email, personal phone) and wait 30 minutes. If they didn't request it, they'll flag it.
Train Help Desk Staff to Recognize Social Engineering
Urgency, flattery, name-dropping, and pressure are all red flags. Train agents to slow down when they feel rushed and to escalate suspicious requests rather than accommodate them.
Red Flags to Train Your Team On
Social engineers exploit predictable human responses: urgency, authority, and the desire to be helpful. Train your help desk to treat these as automatic escalation triggers:
"I need this reset right now - I'm about to go into a board meeting"
"My manager said you'd take care of this immediately"
"I can't access my authenticator app, I left my phone at home"
"I'm traveling internationally and can't do video"
"The CEO asked me to call - I'm his executive assistant"
"I'll get fired if I can't log in - please just do it this once"
Policy Principle
The correct answer to all of the above is: "I understand this is urgent, but our policy requires [verification method]. I'm escalating this to my supervisor and we'll get you resolved as quickly as we can through the proper process."
Implementation Checklist
- Create a tiered account classification policy (standard, privileged, admin)
- Map each tier to specific, documented verification requirements
- Never allow a reset based solely on knowledge-based authentication (name, DOB, employee ID)
- Require manager approval for all standard account resets
- Require dual approval + video verification for privileged and executive accounts
- Implement a 30-minute challenge window and secondary-channel notification for high-risk resets
- Train help desk staff on social engineering recognition quarterly
- Log verification method and agent for every reset ticket
- Run simulated social engineering exercises against your help desk team
- Review and update your policy after any relevant security incident
Related from SOClogix
About SOClogix
SOClogix provides 24/7 managed security services, security awareness training, and advisory support to SMBs and mid-market organizations. We help IT teams and managed service providers build secure, defensible processes - including identity verification policies that stand up to both attackers and auditors.