User Identity Verification
Service desk agents can verify the identity of the user calling in to the
Secure Service Desk by having the user authenticate with any of the
identity services the user has previously enrolled with.
Note that if the Enforce identity verification setting has been enabled, the user’s identity has to be verified before other actions (reset password, unlock computer, or update users’ enrollments) can be performed.
- Once the user has been found in Active Directory, click on the Verify identity tab.
- Click on the identity service you want the user to authenticate with. The user will be prompted on their computer to authenticate. Note that until the user has authenticated, the service desk agent should leave the Verify identity tab open.
- Once authenticated, the service desk agent will receive a success page, and all other service desk actions can be performed.
Alternatively, if the enrolled identity services are not used, the service desk agent can send a text message or email (Quick Verification) containing a code. This message will be sent to the mobile number or email address associated with the user in Active Directory. Once received, the user should read the code to the service desk agent to confirm their identity. Note that the option to send a code by text message will not appear on screen if the user’s mobile phone number has not been registered in Active Directory; the option to send a Quick Verification will not appear if the user’s email has not been registered in Active Directory.
Identity Verification sessions
To increase security, the time for which an identity verification is valid, is limited to the session length set by the administrator. This length can vary from 5 to 60 minutes (default is 15 minutes). Once a user has been verified, a session counter will appear at the top right of the window, next to the verification icon.
Configuring session duration
It is recommended to keep session duration as short as possible to avoid re-using previous verification sessions. Since service desk agents can manually extend sessions if necessary, session duration can be kept short while giving agents enough time to perform all tasks.
- Go to the Secure Service Desk admin section, and click on Settings.
- Adjust the slider named Identity verification session in minutes to the desired length.
- Click Save.
Extending the identity verification session
Service desk agents who require more time in the session to perform all necessary tasks, can extend the session duration in two ways.
At two minutes and at one minute before session expiration, agents will be alerted via pop-up that the session is about to expire. They can then choose to either dismiss the prompt by clicking No thanks, or to extend it by clicking Renew. In the latter case, the session will be reset to the session length indicated in the settings.
Agents can manually extend the session by clicking on the session counter at the top right of the window. They will be presented with a pop-up, and by clicking Renew, the session will be extended. Note that sessions can only be extended once at least half the session time has elapsed.
Identity Verification and security
If Enforce identity verification is enabled, the service desk agent is required to verify the identity of the user before being able to either reset the password, unlock the user’s computer, or manage enrollments such as updating a user’s registered mobile number, thereby increasing the security of the interaction. Once the identity is verified, the interaction with the Service Desk will rely on the creation of secure session tokens to maintain session integrity.
In a typical service desk session, the service desk agent issues an identification request to the user, using one of the user’s identity services. Once the user has authenticated with the identity service, the secure token is created. This token is shared between the specific service desk agent and the user for the duration of the session. Every interaction (password reset, unlock computer) is validated against this token. For the duration of the session, the token will only work for the service desk agent who initiated the identity verification, to perform action for the user who verified their identity.
Besides providing a secure way to authorize actions from the Service Desk, the tokens also allow for the creation of a continuous event log associated with every Service Desk session. This makes every session trackable and searchable. All information regarding the session is accessible through the Reporting menu. More information on logging features and reports can be found in the Reporting section above.