Skip to main content
Back to Blog
July 29, 2025Tech TipsBy Matt Johnson

Tech Tip Tuesday: How IT Providers Can Safely Verify Users for Password Resets

When a user reaches out for a password reset, your support team becomes the gatekeeper. The recent Clorox vs. Cognizant $380M lawsuit illustrates the real-world stakes of failing to properly verify identities during high-risk account actions.

A password reset request seems routine - but it's one of the highest-risk interactions in IT support. An attacker who successfully social engineers a help desk agent into resetting credentials gains immediate, legitimate access to the target account. No malware. No exploit. Just a phone call and the right words.

This is exactly what happened in several high-profile breaches - and why the identity verification process for password resets and account recovery deserves the same rigor as any other security control.

The $380 Million Warning: Clorox vs. Cognizant

In a landmark legal case, Clorox sued its managed IT provider Cognizant following a 2023 cyberattack that caused over $380 million in damages. The attack was initiated through a help desk social engineering call - an attacker posed as an employee and persuaded a support agent to reset account credentials without proper verification. The attacker then used those credentials to deploy ransomware.

$380M+

Estimated damages

1 Call

Social engineering vector

0 Tech

Exploits needed

Why This Matters for MSPs and IT Teams

The Clorox case established that managed service providers have a duty of care around identity verification. If your help desk resets a password without proper verification and an attacker gains access, your organization - or your client's organization - may bear liability. This is no longer just a security best practice. It's a legal risk.

What NOT to Accept as Verification

Many help desks rely on information that is easily researched, guessed, or obtained through LinkedIn, company websites, or data breaches. These are not sufficient for verifying identity before a password reset:

Full name

Publicly available on LinkedIn

Job title or department

Easily found on company websites

Employee ID number

Often included in badge photos or documents

Email address alone

The very account being reset

Date of birth

Available in data breaches and social media

Last 4 of SSN

Frequently exposed in breaches

Strong Verification Methods That Work

The goal is to establish that the person requesting the reset is the legitimate account holder - not just someone who knows facts about them. Layer these methods based on the risk level of the account:

Tier 1 - Standard Accounts

  • Manager approval via a separate, verified channel (Teams, phone call to known number)
  • Push notification to pre-registered MFA app on a device already enrolled for the user
  • Video call via a known Teams or Zoom meeting where agent can visually confirm identity with ID

Tier 2 - Privileged, Finance, or Executive Accounts

  • Live video verification with government-issued photo ID required
  • Dual approval: both manager AND IT security team must authorize
  • Out-of-band notification to a verified personal phone number on file (call back, not inbound)
  • A time-delay reset - account unlocked after a defined window, giving the real user time to flag unauthorized requests

Tier 3 - Domain Admin or Service Accounts

  • In-person verification with physical ID - no remote resets allowed
  • CISO or IT Director authorization required in writing
  • Reset session must be recorded and stored with ticket
  • Immediate security review triggered upon any reset request

Building a Defensible Verification Process

A strong verification process is only as good as its documentation and enforcement. Here's how to formalize it:

Classify Accounts by Risk

Not all accounts are equal. Create a tiered policy based on account privilege level, data access, and financial authority. Map each tier to a required verification method.

Document Everything in the Ticket

Log the verification method used, the information confirmed, and the agent who processed the request. This creates an audit trail and a deterrent.

Never Accept Inbound Phone Calls as Verification

A caller claiming to be an employee cannot be verified by their own phone number. Always call back on a number already on record in your HR or directory system.

Implement a "Challenge Window" for High-Risk Resets

Before resetting a privileged account, notify the account owner via a secondary channel (personal email, personal phone) and wait 30 minutes. If they didn't request it, they'll flag it.

Train Help Desk Staff to Recognize Social Engineering

Urgency, flattery, name-dropping, and pressure are all red flags. Train agents to slow down when they feel rushed and to escalate suspicious requests rather than accommodate them.

Red Flags to Train Your Team On

Social engineers exploit predictable human responses: urgency, authority, and the desire to be helpful. Train your help desk to treat these as automatic escalation triggers:

"I need this reset right now - I'm about to go into a board meeting"

"My manager said you'd take care of this immediately"

"I can't access my authenticator app, I left my phone at home"

"I'm traveling internationally and can't do video"

"The CEO asked me to call - I'm his executive assistant"

"I'll get fired if I can't log in - please just do it this once"

Policy Principle

The correct answer to all of the above is: "I understand this is urgent, but our policy requires [verification method]. I'm escalating this to my supervisor and we'll get you resolved as quickly as we can through the proper process."

Implementation Checklist

  • Create a tiered account classification policy (standard, privileged, admin)
  • Map each tier to specific, documented verification requirements
  • Never allow a reset based solely on knowledge-based authentication (name, DOB, employee ID)
  • Require manager approval for all standard account resets
  • Require dual approval + video verification for privileged and executive accounts
  • Implement a 30-minute challenge window and secondary-channel notification for high-risk resets
  • Train help desk staff on social engineering recognition quarterly
  • Log verification method and agent for every reset ticket
  • Run simulated social engineering exercises against your help desk team
  • Review and update your policy after any relevant security incident

About SOClogix

SOClogix provides 24/7 managed security services, security awareness training, and advisory support to SMBs and mid-market organizations. We help IT teams and managed service providers build secure, defensible processes - including identity verification policies that stand up to both attackers and auditors.

Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →
Tech TipsIdentity VerificationHelp DeskSocial EngineeringPassword ResetMSP SecurityCloroxCompliance