At my MSP we have a need to implement a program to properly verify users when they call into the help desk and the nature of the request dictates we validate their identity. Since we're an MSP there's a mixed bag of MFA options in use.
The best method (both for security and ease of use for user and help desk) seems to be using the push option in Duo Mobile, but not all our clients have Duo mobile. Interested to see what others are using for this. Aside from selling Duo to clients just for this purpose (since they have other MFA options in place for remote access already) we're seeing challenges in maintaining PIN codes or security questions for all users, or implementing an SMS system our help desk could use to send codes to the users.
Some of our larger vendors, large as in National and Global, will send email verifications where I have to read the 6 digit code to them over the phone but I have no idea if they created that program or if another vendor created that for them. DUO would be more convenient and quicker than this but is less flexible. The more I think about it the more it seems like some type of email verification would be the best option here because everyone has it and it doesn't matter what platform your customers have.
Thank you for the response. We considered then dismissed verification via email since the majority (or all) requests that would require verification probably also mean the user can't access email (needs password reset, account locked out, remote access not working, etc.). This is in addition to anticipating this being part of a security policy. Email doesn't seem to be the way to go.
Good point! Being an MSP with many different customers, technologies, and issues definitely has it's own set of challenges. Hopefully, someone on here is currently or used to be employed at an MSP and has some insight on identity proofing. This might be a good question for the Spiceworks Community as well if you didn't already try there.