It is critical that Help Desk Administrators verify the end user’s identity before performing any Help Desk operations on the user’s behalf. Recommended actions include:
- Call the end user back on a phone owned by the organization and on a number that is already stored in the system.
- Send the user an e-mail to a company e-mail address. If possible, use encrypted e-mail.
- Work with the employee’s manager to verify the user’s identity.
- Verify the identity in person.
- Use multiple open-ended questions from employee records (for example: Name one person in your group; What is your badge number?). Avoid yes/no questions.

Note: Be wary of using mobile phones for identity confirmation, even if they are owned by the company, as mobile phone numbers are often stored in locations that are vulnerable to tampering or social engineering.