April 14, 2026
Your service desk might be undermining your security controls
Even the strongest authentication strategies can be undermined by weak service desk processes. Learn how self-service password reset and identity verification reduce risk while improving efficiency.
Security leaders worldwide are strengthening authentication to keep pace with increasingly sophisticated cyberattacks. Multifactor authentication (MFA), single sign-on (SSO), and other passwordless authentication methods have raised the bar to keep organizations secure.
But despite these controls, many organizations still have a bypass path that sits outside the formal security architecture: the service desk. Security controls like MFA and SSO are difficult to bypass directly. Convincing a human being to reset a password is much easier.
The rise of service desk-targeted attacks
There is clear evidence that attackers are actively exploiting the service desk security gap:
- Social engineering remains a primary breach vector, accounting for 60% of data breach incidents
- High-profile attacks have demonstrated how a single successful impersonation at the service desk can lead to hundreds of millions lost due to data compromise
- Industry and government sources increasingly identify the service desk as a growing attack surface, not just a support function
The pattern is consistent:
- Attackers gather basic information about a target user.
- They contact the service desk, often impersonating that user.
- They exploit urgency, authority, or familiarity to pressure the service desk technician.
- The technician performs a password reset or account recovery action.
- Attackers gain legitimate access, bypassing front-line controls entirely.
The verification gap in password resets
At the center of this issue is identity verification.
When a user authenticates through standard channels, identity is verified through strong, consistent mechanisms, such as MFA factors, device trust, biometric signals, or other controls.
When a user calls the service desk, however, verification often relies on weaker methods:
- Knowledge-based questions (e.g., date of birth, employee ID)
- Static information that may be publicly available or easily obtained
- Informal judgment by the support analyst or technician
These methods are inherently vulnerable to social engineering. They’re also inconsistent. Different analysts may apply different levels of scrutiny to password reset or account recovery requests. Policies may exist, but they’re difficult to enforce uniformly in real time.
This creates a gap: organizations that have strong authentication at login may have weak or variable verification during recovery. Attackers target that gap because it allows them to bypass otherwise effective defenses.
Why this gap persists
Most organizations are aware that password resets carry risk. Yet the service desk remains heavily involved in security workflows.
There are practical reasons for this:
- Users need rapid restoration of access to maintain productivity
- Legacy systems may not support modern recovery methods
- Service desk processes are deeply embedded in IT operations
At the same time, password-related tickets continue to consume a large share of service desk resources.
This creates a dual problem:
- Security risk: inconsistent identity verification during high-risk actions
- Operational burden: high volume of manual password reset requests
These two issues reinforce each other. The more frequently the service desk performs resets, the more opportunities attackers have to exploit the process.
Removing the human-mediated reset path
Addressing this issue doesn’t require abandoning the service desk. It requires reducing its role in high-risk identity workflows. Specifically, it means removing or minimizing human-mediated password resets.
Self-service password reset (SSPR) is the most direct way to achieve this.
When implemented with strong authentication, SSPR replaces:
- Ad hoc identity verification
- Analyst-dependent decision-making
- Social engineering exposure
with:
- Consistent, policy-driven authentication flows
- Automated enforcement of identity assurance
- Reduced reliance on human judgment under pressure
This shift reinforces security controls. Instead of asking whether a service desk analyst made the right call, the organization automatically enforces the right process every time.
What effective SSPR looks like
Not all SSPR implementations deliver the same level of security. Basic self-service approaches that rely on weak factors or knowledge-based verification replicate the same vulnerabilities in a different format.
Effective SSPR introduces stronger, more reliable authentication methods that are low-friction for users. These can include NIST-aligned authentication factors, such as biometric authentication (e.g., facial recognition) and mobile-based authentication (e.g., secure push via an identity app), as well as other factors such as SMS, email, or PIN.
This approach matters because password resets are high-risk events that should require the same, or stronger, identity assurance as the initial authentication. When SSPR is implemented with strong factors, it becomes a controlled extension of the identity system rather than a risky workaround.
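The policy described above, that a reset must present identity assurance at least as strong as the initial login and that knowledge-based data or an analyst's judgement can never stand in for a real factor, is easiest to see as a small policy check. This is an added illustration, not Imprivata's code; the method-to-category mapping and the numeric assurance scale are constructed simplifications of the NIST factor categories.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"    # DOB, employee ID, static answers
    POSSESSION = "something you have"   # push to an enrolled app, OTP to a device
    INHERENCE = "something you are"     # facial recognition, fingerprint


# Constructed mapping (assumption) of verification methods to factor categories.
METHODS = {
    "date_of_birth": Category.KNOWLEDGE,
    "employee_id": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "email_otp": Category.POSSESSION,
    "secure_push": Category.POSSESSION,
    "facial_recognition": Category.INHERENCE,
    "fingerprint": Category.INHERENCE,
}


@dataclass
class ResetRequest:
    user: str
    methods_passed: list   # verification methods the requester completed


def assurance_level(methods):
    """Constructed scale: number of distinct factor categories proven.
    Knowledge-only evidence scores 0, because static data that may be
    public does not demonstrate control of the identity. Anything not in
    METHODS (e.g. 'analyst_vouched') is not a factor and adds nothing."""
    categories = {METHODS[m] for m in methods if m in METHODS}
    strong = categories - {Category.KNOWLEDGE}
    if not strong:
        return 0
    return len(strong) + (1 if Category.KNOWLEDGE in categories else 0)


def evaluate_reset(req, login_level):
    """Allow a reset only when the automated factors alone meet the
    assurance the user's normal login requires. Returns (allowed, reason)."""
    level = assurance_level(req.methods_passed)
    if level == 0:
        return False, "knowledge-based data alone is not identity verification"
    if level < login_level:
        return False, f"reset assurance {level} is below login assurance {login_level}"
    return True, f"reset assurance {level} meets login assurance {login_level}"
```

With a login policy of two categories (e.g. password plus push), a caller offering only a date of birth and employee ID, even with an analyst vouching for them, is refused, while push plus facial recognition passes without any human decision.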
Extending identity trust into the service desk
Many organizations treat the service desk as an operational function separate from identity security. Today, that separation no longer holds. With attackers targeting the service desk as a primary access path, identity assurance must apply there as well.
This means:
- Eliminating weak identity verification methods wherever possible
- Standardizing authentication requirements across all access pathways
- Reducing reliance on human judgment for high-risk actions
SSPR is the first step because it removes the most common and most exploited workflow from the service desk.
Over time, this approach can be extended further, incorporating stronger identity verification and identity proofing into remaining service desk interactions, such as unlocking an account or requesting additional access to apps and data. The goal is a consistent model that integrates the service desk into the overall identity trust framework.
A practical step using your existing investment
For organizations already using Imprivata Enterprise Access Management (EAM), existing capabilities can be extended to SSPR via the same solution platform.
This allows teams to:
- Modernize password recovery without disrupting workflows
- Replace weak verification methods with stronger alternatives
- Reduce help desk burden while improving security outcomes
Most importantly, it addresses a real, current security weak spot, not a hypothetical future risk.
From here, service desk identity verification (identity proofing for callers) can be added to address the remaining weak point in the security chain that malicious actors are increasingly exploiting.
Imprivata closes the gap
Security investments often focus on strengthening the front door through authentication methods, device trust, and access policies.
But attackers don’t always use the front door. They look for side entrances, exceptions, and human-mediated processes that operate outside of strict security controls. The service desk is one such path.
In addition to SSPR, Imprivata offers identity verification for patient access and is working towards extending this capability to support service desk caller identity verification very soon, providing a more secure and user-friendly method of identity proofing to protect against attempts to exploit the help desk through social engineering.
Service desk identity verification, combined with strong authentication-based SSPR, removes high-risk workflows from human intervention and brings them under consistent, enforceable control.
For CISOs and security leaders, this is a practical, immediate step:
- Reduce known service desk security risks
- Limit exposure to social engineering attacks
- Strengthen identity assurance across all access pathways
In a mature security environment, there should be no easy bypass. Using SSPR, combined with service desk identity verification for identity proofing, helps ensure that the service desk isn’t one.
Request a demo to discover what EAM with SSPR can do for your organization. If you are already an Imprivata customer, contact your sales or customer success representative to find out how to add SSPR to your current EAM solution, and to learn more about the upcoming service desk identification capabilities.