The helpdesk open door
Pillar 1 of 5 · 7 min read · Grounded in deepfake and social engineering research — Ciptor & HYPR & S&P Global 2026
See how this applies to your environment
Book a 30-minute briefing with Ciptor. We'll walk through what live-fire validation typically uncovers in environments like yours.
The assumption
Knowledge-based authentication and a visual Zoom check keep the IT helpdesk secure during a password reset request.
The helpdesk account recovery process is, by necessity, the one place in your identity architecture where a human must override the authentication system. Security teams design it carefully: challenge questions, employee ID verification, callback numbers on file, and increasingly a video call to visually confirm the requester's identity. The assumption is that a sufficiently thorough human check creates a secure recovery channel that attackers cannot penetrate without physical access to the employee.
Is your helpdesk recovery process still KBA-based?
Book a briefing. We'll walk through exactly what a cryptographic recovery workflow looks like operationally — and how quickly it can be deployed alongside your existing helpdesk tooling.
The reality
Deepfake audio and video tools are purpose-built to defeat visual verification. The helpdesk is now the most consistently targeted bypass point in the enterprise identity chain.
The threat group Scattered Spider — responsible for a series of high-profile enterprise breaches — established helpdesk social engineering as a primary initial access technique years before AI-generated media became widely available. Their operators called helpdesks, impersonated employees convincingly enough to pass verbal verification, and obtained password resets that gave them footholds in environments protected by multi-million-pound security stacks.
87% |
Of organisations that experienced an AI-based attack encountered some form of audio or video deepfake — making synthetic media the dominant attack format among AI-enhanced threat actors.Source: HYPR / S&P Global — State of Passwordless Identity Assurance 2026 |
Today, the Zoom check — which some security teams added specifically in response to voice-only social engineering — is itself compromised. Real-time video deepfake technology, capable of overlaying a convincing synthetic face and voice onto a live video stream, is available as a consumer product. The same research that documented a fraudulent Zoom meeting using deepfake participants to defraud a multinational company of $25 million is now the reference case for a capability that has only improved since.
45% |
Of AI-attack victims encountered pre-recorded deepfake video; 43% encountered deepfake audio on live calls — both now standard components of identity impersonation campaigns.Source: HYPR / S&P Global — State of Passwordless Identity Assurance 2026 |
"The helpdesk is not a security control. It is a human process running inside a security environment. Human processes are the most reliable attack surface in any enterprise, because humans are designed to respond to social pressure in ways that security tools are not." — Syndis red team lead, enterprise assessment debrief 2025
The KBA layer fails independently of the deepfake problem. Challenge questions — mother's maiden name, first car, childhood street — are trivially answerable from OSINT gathered from LinkedIn, Facebook, and data broker aggregators. For senior employees whose professional history is extensively documented online, a motivated attacker can answer a full KBA challenge without a single phone call.
Pillar 1 — Adversary tactics
Vol. 1 The endpoint illusion
Vol. 2 The fallacy of network-delivered codes
Vol. 3 The helpdesk open door
Vol. 4 Sovereign hardware risk
Vol. 5 The hybrid infrastructure blindspot
The blueprint
Eliminate traditional helpdesk KBA entirely. Deploy cryptographic identity proofing with biometric liveness detection for all account recovery workflows.
The fix is structural: remove the human judgment call from the authentication decision, and replace it with a cryptographic proof that deepfakes cannot generate and OSINT cannot supply.
Why liveness detection is not optional
Biometric identity verification for helpdesk workflows must include active liveness detection — not static photo comparison. Static image matching was defeated by printed photographs. Video-based matching without liveness is defeated by looped video. Active liveness detection requires the system to prompt unpredictable real-time responses — head movements, blinks, verbal responses to randomly generated challenges — that a pre-recorded deepfake cannot replicate.
The distinction matters at the procurement stage. Many identity verification (IDV) solutions marketed as biometric are photo-matching only. Specifying active liveness detection as a mandatory requirement eliminates the majority of deepfake attack vectors against the recovery workflow.
The three-layer account recovery model
A hardened helpdesk recovery workflow replaces KBA with a layered cryptographic process:
- Layer 1 — Hardware token binding: The recovery request must originate from a registered device. If the employee's hardware security key is present and can be verified, recovery proceeds with minimal friction. This resolves the majority of legitimate recovery requests — employees who lose access but still have their registered device.
- Layer 2 — Biometric liveness for deviceless recovery: When the registered device is unavailable (lost, stolen, damaged), AI-driven identity proofing with active liveness detection replaces the human verification call. The employee completes a short biometric challenge; the system makes the trust decision cryptographically rather than socially.
- Layer 3 — Out-of-band manager attestation: For high-privilege accounts where additional assurance is warranted, a cryptographically signed attestation from the employee's line manager — delivered through a separate authenticated channel — provides a second signal before recovery completes.
What to do with the helpdesk agents
Removing KBA from helpdesk workflows does not remove the helpdesk. Agents shift from making authentication trust decisions — which they were never well-equipped to make — to managing the recovery queue, supporting users through the biometric flow, and escalating edge cases. The cognitive load decreases; the error rate decreases with it.
Internal metrics consistently show that removing KBA from the recovery process reduces average handle time per recovery ticket by 35–50%, because agents no longer conduct the verification interview. The liveness check runs asynchronously; the agent confirms completion rather than conducting it.
The measurable outcome
Helpdesk-initiated credential compromise is one of the most expensive breach vectors because it provides an attacker with a legitimate, freshly-issued credential that bypasses every detection rule built around stolen or reused credentials. Eliminating the social engineering attack surface at the recovery layer removes a category of breach risk that no endpoint control, SIEM rule, or security awareness training programme can reliably prevent — because the attack exploits a process, not a technical vulnerability.
Sources & methodology
Deepfake attack data: HYPR / S&P Global 2026. Scattered Spider helpdesk methodology: CISA advisory AA23-243A. Zoom deepfake fraud reference: Hong Kong Police, February 2024. MITRE ATT&CK T1656 (Impersonation)
Next in the series
Vol. 4 — Sovereign hardware risk
Not all FIDO2 tokens are equal. The manufacturing supply chain of a hardware security key determines whether it is a control or a liability.
