Verify Identity
Until a user’s identity has been verified, a red user icon with a strike through it will appear in the top right corner of the service desk interface. Service desk agents can verify the identity of the user calling in to the Secure Service Desk by having the user authenticate with any of the identity services the user has previously enrolled with. Note that if the Enforce identity verification setting has been enabled, the user’s identity has to be verified before other actions (reset password, and unlock computer) can be performed.
- Once the user has been found in Active Directory (see Search for a user), click on the Verify identity tab.
- Click on the identity service you want the user to authenticate with. The user will be prompted on their computer to authenticate. Note that until the user has authenticated, the service desk agent should leave the Verify identity tab open.
- Once authenticated, the service desk agent will receive a success page, and all other service desk actions can be performed.
Alternatively, if the enrolled identity services are not used, the service desk agent can send a text message, email, or PingID push (Quick Verification) containing a code. This message will be sent to the mobile number associated with the user in Active Directory, or will appear in the PingID app if that option was chosen. Once received, the user should either read the code to the service desk agent to confirm their identity, or acknowledge the push message in the PingID app. Note that the option to send a code by text message will not appear on screen if the user’s mobile phone number has not been registered in Active Directory; the option to send a Quick Verification will not appear if the user’s email has not been registered in Active Directory.
Quick Verification with Symantec VIP and Okta
Quick verification with Symantec VIP/Okta works in much the same way as PingID.
Note
Make sure the user is enrolled with Symantec VIP/Okta in order to use this identity service.
Verifying by push notification
(available if the user has a push-enabled device enrolled and active with Symantec VIP/Okta, or if text messages have been enabled for Okta)
- Click on the Symantec VIP/Okta tab in Quick Verification.
- Click Start; a push notification will be sent to the user being verified.
Note
For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, it will be selected automatically. See the section Verifying by code for more information.
- The user acknowledges the push notification, which verifies their identity.
Verifying by code
- Click on the Symantec VIP/Okta tab in Quick Verification.
- Click Start.
- Click the Enter Code link.
Note
For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, it will be selected automatically.
- In the case of Symantec VIP, if the user has the Symantec Desktop App installed, they can retrieve the code from there. Alternatively, the agent can have a code sent to the user via SMS or phone call by clicking the appropriate button. Note that this option is shown automatically if the user only has SMS notification enabled.
- Have the user read the code, enter it in the field, and click Verify.
Manager Identification
There may be situations in which users are unable to verify their identity themselves due to communications or data restrictions. In those cases it can be beneficial to have the user's manager verify the user's identity on their behalf.
To enable Manager Identification:
- In Authentication Web go to Service Desk, and access the Settings tab.
- Check the Manager identification as Quick verification checkbox.
- Click Save.
To use Manager Identification as Quick Verification:
- When the user calls into the Service Desk, click on Verify Identity.
- Under Quick Verification, choose Manager Identification. You will see a message saying "You can identify the identity of [user_name] by sending a verification request to the manager of [user_name]."
- Click Start.
- The manager (if registered as such in Active Directory) will receive an email asking them to verify the user. It is up to the manager (and the user in question) to make sure the correct user is verified (e.g. by calling the user).
- The manager clicks Continue in the Manager Identification email and is redirected to a browser window with the Service Desk verification request.
- The manager clicks Verify to verify the user.
Warning
It is essential in these types of scenarios that the manager is aware of the Service Desk call, and that they ascertain that it is in fact the user in question who is trying to get verified.
Identity verification and security
If Enforce identity verification is enabled, the service desk agent is required to verify the identity of the user before being able to either reset the password or unlock the user’s computer, thereby increasing the security of the interaction. Once the identity is verified, the interaction with the Service Desk relies on secure session tokens to maintain session integrity.
In a typical service desk session, the service desk agent issues an identification request to the user, using one of the user’s identity services. Once the user has authenticated with the identity service, the secure token is created. This token is shared between the specific service desk agent and the user for the duration of the session. Every interaction (password reset, unlock computer) is validated against this token. For the duration of the session, the token will only work for the service desk agent who initiated the identity verification, and only to perform actions for the user who verified their identity.
Traceability
Besides providing a secure way to authorize actions from the Service Desk, the tokens also allow for the creation of a continuous event log associated with every Service Desk session. This makes every session trackable and searchable. All information regarding the session is accessible through the Reporting menu. More information on logging features and reports can be found in the Reporting section above.
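The two sections above describe a session model rather than a UI step: a token that exists only after the identity service has confirmed the user, that is bound to the agent who started the verification and to that user, and that produces a continuous, searchable event log. The following Python is an added illustrative model of that behaviour, not the product's own implementation; the class and method names (ServiceDeskSessions, verify_identity, authorize, perform, session_events), the 15-minute default lifetime, and the sample agent and user identifiers are assumptions chosen for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Actions the page says are gated behind identity verification.
ALLOWED_ACTIONS = {"reset_password", "unlock_computer"}


class SessionError(Exception):
    """Raised when a gated action is attempted without a valid bound session."""


@dataclass
class Session:
    token: str
    agent_id: str    # the agent who initiated the identity verification
    user_id: str     # the user who authenticated with the identity service
    created_at: float
    ttl_seconds: int

    def expired(self, now):
        return now - self.created_at > self.ttl_seconds


class ServiceDeskSessions:
    """Assumed name. Issues a session token only after a successful identity
    check and validates every gated action against the token's binding."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be exercised in tests
        self.audit_log = []      # continuous event log: one entry per attempt

    def _log(self, token, agent_id, user_id, action, outcome):
        self.audit_log.append({"time": self._clock(), "token": token, "agent": agent_id,
                               "user": user_id, "action": action, "outcome": outcome})
        return outcome

    def verify_identity(self, agent_id, user_id, identity_service_ok):
        """identity_service_ok is the result reported by the identity service
        (push acknowledged, code matched, manager verified). A token is
        created only when it is True; a failed check issues nothing."""
        if not identity_service_ok:
            self._log(None, agent_id, user_id, "verify_identity", "failed")
            raise SessionError("identity not verified; no session token issued")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, agent_id, user_id, self._clock(), self._ttl)
        self._log(token, agent_id, user_id, "verify_identity", "ok")
        return token

    def authorize(self, token, agent_id, user_id, action):
        """Decision for one action: "ok" or "denied: <reason>". Every decision,
        including a denial, is written to the event log."""
        if action not in ALLOWED_ACTIONS:
            return self._log(token, agent_id, user_id, action, "denied: unknown action")
        sess = self._sessions.get(token)
        if sess is None:
            return self._log(token, agent_id, user_id, action, "denied: unknown token")
        if sess.expired(self._clock()):
            del self._sessions[token]   # a fresh identity verification is required
            return self._log(token, agent_id, user_id, action, "denied: session expired")
        if sess.agent_id != agent_id:
            return self._log(token, agent_id, user_id, action, "denied: token bound to another agent")
        if sess.user_id != user_id:
            return self._log(token, agent_id, user_id, action, "denied: token bound to another user")
        return self._log(token, agent_id, user_id, action, "ok")

    def perform(self, token, agent_id, user_id, action):
        """Enforce the decision: fail closed on anything but "ok"."""
        outcome = self.authorize(token, agent_id, user_id, action)
        if outcome != "ok":
            raise SessionError(outcome)
        return True

    def session_events(self, token):
        """The traceable record of one session, denied attempts included."""
        return [e for e in self.audit_log if e["token"] == token]


if __name__ == "__main__":
    desk = ServiceDeskSessions()
    # Constructed sample session: assumed agent "agent-42" verifies assumed user "jdoe".
    token = desk.verify_identity("agent-42", "jdoe", identity_service_ok=True)
    desk.perform(token, "agent-42", "jdoe", "reset_password")
    print(desk.authorize(token, "agent-07", "jdoe", "unlock_computer"))  # another agent: denied
    for event in desk.session_events(token):
        print(event["action"], event["outcome"])
```

The design point is that authorization is a pure decision that always logs, and enforcement fails closed on any outcome other than "ok"; a denied attempt by a different agent, or on behalf of a different user, therefore appears in the same per-session record that the Reporting menu would expose.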