Building Confidence in Support Comms with Caller Verify at Okta
In many of the most impactful incidents of the past two years, attackers gained privileged access to systems by tricking IT support personnel into resetting the passwords and MFA factors of system administrators.
Armed with privileged accounts, attackers were then able to expand their access further by reading the directory of hashed passwords (NTDS.dit) that every Microsoft Active Directory environment stores on its domain controllers.
In most organizations, the challenge is how to validate the identity of callers to internal help desks or other technical teams before performing user lifecycle events. The days when the name of your childhood best friend or your first car model provided enough assurance to validate your identity are long gone.
So, when an employee does call for help, how do technical support personnel validate with confidence that the caller on the line is who they say they are? These processes need to be revisited, especially given recent advances in “deepfake” technology.
That’s where Caller Verify can help.
What is Caller Verify?
Caller Verify is an application that enables IT support to extend the multi-factor authentication prompts available via Okta Verify to quickly and securely verify the identity of inbound callers.
Caller Verify is a third-party developed application that won Okta’s “2024 AMER Rising Star Partner of the Year” award. It can integrate with ITSM and CRM solutions, such as ServiceNow or Salesforce, to require that every inbound caller satisfies an MFA challenge before a support ticket is unlocked for use.
Caller Verify is compliant with the following regulations:
Office of the Superintendent of Financial Institutions (OSFI) Guideline B-13 Technology and Cyber Risk Management, subsection 3.2.7 Defend
Health Insurance Portability and Accountability (HIPAA) Security Rule, 45 CFR § 164.308(a)(1)(ii)(D)
Payment Card Industry Data Security Standard (PCI DSS), Requirement 7.1
General Data Protection Regulation (GDPR), Article 32
National Institute of Standards and Technology (NIST), Level 3
This solution lets Okta’s IT admins improve the employee experience by responding promptly to communications whose caller has been authenticated with confidence. By sending a prompt to the caller through Okta Verify, the technical support team can validate the caller’s identity before providing any level of assistance, protecting both the organization and the user.
Okta’s Use Case
Okta integrated Caller Verify into various IT support processes well over 12 months ago. Our use of Caller Verify ensures that only authorized employees can ask IT support to perform sensitive operations that involve an Okta account.
In line with Okta’s ongoing commitment to hardening our corporate infrastructure, Okta requires that users satisfy all authentication challenges using phishing-resistant authentication methods (such as FastPass with an Okta Verify-enrolled device, or a registered YubiKey), including the challenges required to open a support request.
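The ticket-gating flow described above (an MFA challenge sent to the caller’s enrolled device before the help-desk ticket is unlocked, with only phishing-resistant factors accepted) as an added illustration in Python; this is not Caller Verify’s or Okta’s code. The factor names, the `send_challenge` callable standing in for the Okta Verify challenge, and the sample enrollment directory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed, illustrative factor labels (not Okta API identifiers). Only these
# count as phishing-resistant; SMS/voice OTP and security questions do not.
PHISHING_RESISTANT = {"okta_verify_fastpass", "yubikey_fido2"}


class ChallengeResult(Enum):
    SUCCESS = "SUCCESS"    # caller approved the prompt on an enrolled device
    REJECTED = "REJECTED"  # caller explicitly denied it
    TIMEOUT = "TIMEOUT"    # no response before the challenge expired


@dataclass
class SupportTicket:
    ticket_id: str
    caller: str            # directory user the caller claims to be
    unlocked: bool = False
    audit: list = field(default_factory=list)


def gate_ticket(ticket, enrolled_factors, send_challenge):
    """Unlock the ticket only after an out-of-band challenge succeeds.

    enrolled_factors: {user: [factor labels]} (constructed stand-in for the
    identity directory). send_challenge(user, factor) -> ChallengeResult is a
    hypothetical hook for the Okta Verify push/FastPass prompt.
    """
    usable = [f for f in enrolled_factors.get(ticket.caller, [])
              if f in PHISHING_RESISTANT]
    if not usable:
        # Weak or missing factors: ticket stays locked; route to a stronger
        # verification path rather than falling back to knowledge questions.
        ticket.audit.append(("no_phishing_resistant_factor", ticket.caller))
        return ticket
    result = send_challenge(ticket.caller, usable[0])
    ticket.audit.append(("challenge", usable[0], result.value))
    # Anything other than an explicit approval keeps the ticket locked.
    ticket.unlocked = result is ChallengeResult.SUCCESS
    return ticket


# Constructed sample directory: one strongly enrolled user, one SMS-only user.
SAMPLE_DIRECTORY = {
    "alice@example.com": ["sms_otp", "okta_verify_fastpass"],
    "bob@example.com": ["sms_otp", "security_question"],
}


def approve(user, factor):
    return ChallengeResult.SUCCESS


def deny(user, factor):
    return ChallengeResult.REJECTED
```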
Stay secure
Caller Verify plays an important role in Okta’s end-to-end ability to protect all enrollment, authentication and recovery flows with phishing-resistant authentication.
To learn about Okta’s use of ID Verification to secure enrollment and recovery, read on for how we leverage Okta’s integration with Persona.