Help desk identity verification for contractors and partners


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6036
Topic starter  

TL;DR: RSA says Help Desk Live Verify now extends identity verification to users without a registered authenticator, including contractors and partners, while also covering high-risk workflows such as privilege escalation, VPN recovery, and payment approval, according to RSA Security. The shift matters because help desk attacks keep targeting human identity boundaries that many IAM programmes still leave outside verified coverage.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams verify users in help desk recovery workflows?

A: Security teams should use a separate verification flow for recovery cases, not the same checks used for routine sign-in.

Q: Why do contractors and partners create identity assurance gaps?

A: Contractors and partners often sit outside the standard authenticator, device, and lifecycle assumptions built for employees.

Q: What breaks when help desk identity checks rely on shared secrets?

A: Shared secrets break because they can be guessed, coerced, phished, or reused across workflows.

Practitioner guidance

  • Separate help desk recovery from ordinary authentication: Create a distinct verification workflow for password reset, MFA recovery, and account reproofing so support agents cannot rely on the same signals used for day-to-day login.
  • Map high-risk workflows to step-up identity proofing: Require stronger proofing for privilege escalations, VPN recovery, wire approvals, and HR changes than you use for standard access requests.
  • Add a proofing path for extended workforce users: Define how contractors, partners, and temporary workers are verified when they do not have a corporate authenticator or managed device.

What's in the full announcement

RSA Security's full post covers the operational detail this post intentionally leaves for the source:

  • The exact bi-directional verification workflow used for users without a registered authenticator.
  • The specific extended-workforce and government identity proofing use cases RSA says the update supports.
  • The workflow coverage for privilege escalations, VPN recovery, and HR changes that this post only summarises.
  • The private preview and general availability timing for the new Help Desk Live Verify capability.

👉 Read RSA Security's update on Help Desk Live Verify for extended workforce users →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5523
 

Extended workforce identity is now a boundary problem, not just an enrolment problem. Contractors, partners, and temporary staff are often treated as exceptions to the main IAM design, which leaves recovery and approval flows weaker than primary authentication. That creates a policy gap in the most sensitive part of the identity journey. Organisations need to treat those excluded populations as first-class subjects in verification design, not as manual exceptions.

A few things that frame the scale:

  • Social engineering attacks on IT help desks have cost organizations hundreds of millions of dollars in losses and fines, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to our Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when a fraudulent recovery or approval occurs?

A: Accountability sits with the organisation that designed the workflow and the controls that govern it. If a recovery or approval path allowed action without adequate verification, that is a governance failure, not just a user mistake. Frameworks such as NIST Cybersecurity Framework 2.0 help teams assign control ownership and review the process.

👉 Read our full editorial: RSA help desk identity verification closes the extended workforce gap



   