By Aaron Firouz
You, Who?
Verifying Identity in a Highly Secure Environment
Recently, one of our clients presented us with a seemingly simple problem: How do you verify a remote user’s identity when they misplace their smart card or security key? Now, this is a security-first organization, on the cutting edge of zero trust architecture; there’s no “magic link” email or security questions that can satisfy their requirements. So, we had to get creative.
Let’s walk through some of the obvious ideas and why they would be flatly rejected:
⦁ Visual Identification / ID Card via Video Conference – One word (two words?): AI. Mocking up a fake license or passport takes a couple of minutes. Real-time facial and voice filters are already, like, 80% convincing; it’ll be less than two years before we all live in a post-reality nightmare. But that’s a post for another time.
⦁ Security Questions – Most organizations ask the same 5-10 questions, so a breach of any other service that uses them (a bank, a utility, a social network) hands an attacker the answers to our customer’s questions too. On the flip side, if you get too creative with your questions, users won’t remember their answers anyway. Plus, a helpdesk agent who happened to be a bad actor has just heard every answer and could call in the next day, impersonate the user, and gain access.
⦁ Password Reset Email Link – Even with a strict ZTA model, this organization doesn’t permit BYOD. Without their authentication device, users can’t sign in to their laptop, so they can’t reach the mailbox the link would land in, and not all users have company-issued mobile devices (yet).
I repeat, this is a very secure organization.
After some brainstorming, we decided that the best way to tackle this was to implement an identity confidence score, similar to how a spam filter scores a message or risk-based MFA scores a login: if we couldn’t trust any one method, we would aggregate several methods and act on the combined confidence.
We devised a decision tree that lets helpdesk agents walk the user through several identity validation checks, each earning a weighted score based on how reliable that method is; access is restored only once the total clears a threshold. We also made the process deliberately tedious and subject to strong scrutiny, so that users would think twice before losing their freaking authentication devices.
Is it foolproof? No security system is. But short of requiring the user to come in and submit a blood sample for DNA sequencing (identity confidence score: +97), this multi-factor approach provides adequate protection against snatch-and-grab device theft, internal bad actors, and emerging threats like generative AI deepfakes. Even when users are finally granted access, their accounts are flagged for heightened monitoring of unusual activity.
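To make the scoring idea concrete, here is an added example of how such a score can be implemented in Python. It is not the client’s decision tree and not code from this post: the check names, their weights, the threshold, the rule that evidence must come from at least two different categories, the two-approver rule, and the diminishing-returns rule are all assumptions chosen for illustration.

```python
"""Identity confidence scoring for help-desk recovery of a lost authenticator.

Added example. Check names, weights, threshold, category rule and approver
rule are assumptions for illustration, not the client's real decision tree.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something on file that the user still controls
    SOCIAL = "social"          # an already-verified colleague vouches for them
    CONTEXT = "context"        # where and how the request arrives


@dataclass(frozen=True)
class Check:
    name: str
    category: Category
    weight: int  # confidence points earned when the check passes


# Hypothetical catalogue of checks (assumed names and weights).
CHECKS: Dict[str, Check] = {c.name: c for c in [
    Check("manager_vouches_on_video", Category.SOCIAL, 40),
    Check("callback_to_number_on_file", Category.POSSESSION, 30),
    Check("badge_log_shows_on_site_today", Category.CONTEXT, 20),
    Check("answers_recent_ticket_details", Category.KNOWLEDGE, 15),
    Check("names_current_project_and_lead", Category.KNOWLEDGE, 15),
    Check("request_from_known_office_ip", Category.CONTEXT, 10),
]}

THRESHOLD = 70      # minimum score before access is restored
MIN_CATEGORIES = 2  # no single kind of evidence is sufficient on its own
MIN_APPROVERS = 2   # two distinct help-desk agents must sign off (insider check)


def score(passed: Iterable[str], failed: Iterable[str] = ()) -> int:
    """Weighted sum with diminishing returns inside each category.

    Checks of the same kind tend to fail together (one leaked HR record answers
    every knowledge question), so only the strongest check per category counts
    in full and the rest count half. A failed check costs half its weight,
    because a wrong answer is evidence too.
    """
    by_cat: Dict[Category, List[int]] = {}
    for name in passed:
        check = CHECKS[name]
        by_cat.setdefault(check.category, []).append(check.weight)
    total = 0
    for weights in by_cat.values():
        weights.sort(reverse=True)
        total += weights[0] + sum(w // 2 for w in weights[1:])
    total -= sum(CHECKS[name].weight // 2 for name in failed)
    return total


@dataclass
class Decision:
    score: int
    categories: int
    granted: bool
    reasons: List[str] = field(default_factory=list)
    monitor: bool = True  # every recovered account is flagged for extra scrutiny


def evaluate(passed: Iterable[str], failed: Iterable[str] = (),
             approvers: Iterable[str] = ()) -> Decision:
    """Apply the threshold, the category rule and the two-approver rule."""
    passed, failed = list(passed), list(failed)
    s = score(passed, failed)
    cats = {CHECKS[n].category for n in passed}
    reasons: List[str] = []
    if s < THRESHOLD:
        reasons.append(f"score {s} is below threshold {THRESHOLD}")
    if len(cats) < MIN_CATEGORIES:
        reasons.append(f"only {len(cats)} evidence category; need {MIN_CATEGORIES}")
    if len(set(approvers)) < MIN_APPROVERS:
        reasons.append(f"need {MIN_APPROVERS} distinct approvers")
    return Decision(s, len(cats), granted=not reasons, reasons=reasons)


def next_check(passed: Iterable[str], failed: Iterable[str] = ()) -> Optional[str]:
    """Walk the tree: suggest the untried check with the largest marginal gain."""
    passed, failed = list(passed), list(failed)
    tried = set(passed) | set(failed)
    base = score(passed, failed)
    gains = [(score(passed + [n], failed) - base, n) for n in CHECKS if n not in tried]
    return max(gains)[1] if gains else None


if __name__ == "__main__":
    done: List[str] = []
    while not evaluate(done, approvers=["agent1", "agent2"]).granted:
        nxt = next_check(done)
        if nxt is None:
            break
        done.append(nxt)  # constructed walk: assume each suggested check passes
        print(f"{nxt:35s} -> score {score(done)}")
    print(evaluate(done, approvers=["agent1", "agent2"]))
```

Two design choices carry the weight here. Diminishing returns within a category stop an attacker who has obtained one HR record from stacking several knowledge questions up to the threshold, and the two-approver rule means a single malicious helpdesk agent cannot grant access on their own.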
Aaron Firouz
EVP, Chief of Operations
Hekima Business Solutions