Why the Help Desk Is the Most Exploitable Identity System You Own
For years, security teams have focused their attention on perimeter controls, authentication flows, and privileged access. Meanwhile, one of the most critical identity systems in the organisation has remained largely invisible, under-governed, and dangerously over-trusted.
I am talking about “Help Desks”.
Despite being responsible for high-risk activities such as resetting credentials, unlocking accounts, issuing access, and resolving identity-related issues, most help desks operate outside the formal identity security model. They sit in a grey zone between IT operations, HR processes, and human judgement.
Attackers understand this better than most defenders.
That’s why help desks have become one of the most reliable and scalable entry points for identity compromise.
The uncomfortable truth: Help Desks authenticate humans, not systems
Traditional IAM systems authenticate:
- Sessions
- Devices
- Tokens
- Credentials
Help desks authenticate:
- People
They do this using:
- Knowledge-based questions
- HR data
- Manager names
- Social context
- Tone and confidence
None of this is cryptographically verifiable.
From a security perspective, the help desk is effectively operating as an identity issuer, but without the controls, auditability, or assurance required for that role.
When a help desk resets a password or unlocks an account, it is not just resolving an IT issue. It is re-establishing trust in an identity, often with minimal evidence.
Why attackers love the help desk
Modern attackers are not breaking systems; they are breaking people and processes.
Help desks are attractive because:
- They are trained to be helpful
- They operate under time or metric pressure
- They are measured on resolution speed
- They are incentivised to reduce friction
- They rely on incomplete information
Social engineering attacks exploit all these conditions.
An attacker doesn’t need to defeat MFA if they can convince a help desk to reset credentials. They don’t need to bypass conditional access if they can have a new device “temporarily approved”. They don’t need privileged access if they can impersonate someone who already has it.
From the attacker’s point of view, the help desk is not a vulnerability, it is a feature.
The failure of knowledge-based verification
Most help desks still rely on some form of knowledge-based verification:
- Date of birth
- Employee ID
- Manager name
- Last login time
- Recent ticket history
This information is:
- Easily obtained through OSINT
- Often shared internally
- Frequently reused across systems
- Rarely updated
- Not secret
Worse, once an attacker has passed these checks a single time, they have learned how the process works, which makes every subsequent impersonation easier.
Knowledge-based verification was never designed to withstand determined adversaries. It persists not because it works, but because there has been no viable alternative that fits human workflows.
That is until now.
Why IAM tools don’t protect the help desk
A common response is: “Surely IAM tools can solve this.”
They can’t, and that is not a failure of the tools.
IAM platforms are excellent at:
- Enforcing policies
- Managing access
- Evaluating signals
- Controlling sessions
They are not designed to:
- Verify humans in real-time conversations
- Operate in voice or chat-based interactions
- Provide portable proof of identity
- Work offline or outside corporate systems
As a result, help desks are forced to improvise.
Security teams know this gap exists but often treat it as “out of scope” or “an operational issue”. Attackers don’t make that distinction.
The real cost of help desk identity failures
The impact of help desk compromise is often underestimated.
Direct costs include:
- Account takeover
- Data exfiltration
- Ransomware deployment
- Fraud
Indirect costs are far greater:
- Incident response
- Forensics
- Legal exposure
- Loss of trust
- Regulatory scrutiny
There is also a hidden operational cost:
- Longer calls
- Repeated verification
- Escalations
- User frustration
Ironically, the very processes designed to reduce friction end up increasing it over time.
What a “verified help desk” actually means
A verified help desk does not mean adding more questions, scripts, or approvals.
It means changing what is being verified.
Instead of asking: “Do you know enough about this person to sound convincing?”
We ask: “Can you present cryptographic proof that you are this person?”
This is where Verifiable Credentials fundamentally change the equation.
How Verifiable Credentials transform help desk identity
With Verifiable Credentials:
- The organisation issues a credential that proves identity or role
- The employee holds it in a wallet they control
- When contacting the help desk, they present proof
- The help desk verifies it cryptographically
- No secrets are shared
- No knowledge is tested
- No judgement is required
The verification is:
- Instant
- Deterministic
- Auditable
- Resistant to social engineering
Most importantly, it works within human workflows, not just technical ones. The caveat is that trust does not disappear; it moves from the phone call to the issuance and recovery process and to the employee’s wallet, so those need the same rigour the conversation used to carry.
Why this is not “just another factor”
It’s tempting to think of this as another authentication method. It isn’t.
There is no login. No shared secret. No replayable token, because each presentation is bound to a fresh challenge the help desk itself chose.
The credential is:
- Selectively disclosed
- Context-specific
- Cryptographically verifiable
- Revocable in real time
This is not MFA for the help desk. It is identity proofing at the moment trust is required.
Operational benefits security teams often overlook
Beyond security, verified help desks deliver:
- Shorter call times
- Fewer escalations
- Lower training burden
- Consistent outcomes
- Better user experience
Help desk staff no longer need to “decide” if someone sounds legitimate. The system does that for them. This reduces stress, error rates, and burnout.
If your help desk can reset credentials without cryptographic identity proof, you do not have strong identity controls, no matter how advanced your IAM stack looks on paper.
The help desk is not a peripheral system. It is one of the most powerful identity authorities in your organisation.
Verifiable Credentials don’t make help desks faster by cutting corners. They make them safer by removing trust assumptions entirely.