Bridge The Recovery Gap: How to Securely Handle MFA Resets

Nametag Team
Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Companies are increasingly embracing multi-factor authentication (MFA) to supplement account security with a second trust factor like one-time passcodes (OTP), push notifications, and hardware keys. But as MFA adoption grows, companies quickly discover that it also means more users getting locked out. This in turn results in a surge in support tickets, frustrated employees and customers, and a cybersecurity nightmare.

Organizations who have deployed Microsoft Entra ID, Okta, Duo, and other identity providers need a better option for reprovisioning. Self-service account recovery through Nametag offers a seamless, highly-secure solution that is decentralized across IdPs and is built on workforce-grade identity verification technology that is uniquely secure against today’s most pernicious threat vectors like injection attacks and AI deepfakes

Introducing Nametag Autopilot: The First Secure Solution for Self-Service Account Recovery

Attackers Are Actively Exploiting MFA Recovery Processes

Passwords are complicated enough to manage and remember. But MFA also has its limitations: phones are easily lost, stolen, or upgraded before a user has updated the associated accounts. And when someone can't reset their own MFA or password, they have to contact IT - creating an expensive helpdesk ticket.

Account recovery is expensive: Gartner has found that up to 50% of helpdesk tickets today are for user lockouts, and Forrester found that every password reset costs your organization $87 (adjusted for inflation). Meanwhile, a World Economic Forum report estimates that employees spend an average of 11 hours each year resetting passwords.

50% of helpdesk tickets are just for password resets, every one of which costs the organization $87 or more to resolve.

Account recovery is a security vulnerability: So-called "security" questions are by far the most common form of verification for account recovery. But the answers to most security questions are already known to attackers, whether through stolen records, dark-web marketplaces, or publicly avialable on social media. Add in the fact that deepfake video and audio is now used to carry out vishing attacks and deceive people over the phone, and it becomes clear that existing helpdesk verification technology is no longer enough.

Hong Kong Multinational Loses $25 Million in AI Deepfake Attack: A Wake-Up Call for Cybersecurity

With both user lockouts and vishing attacks on the rise, IT helpdesk teams are inundated and overwhelmed with conflicting priorities: meeting performance metrics to resolve tickets, while under pressure to prevent cyber-criminals from gaining unauthorized network access. The costs of these lockouts cascade across the company, spanning cybersecurity, staffing/tooling for the helpdesk agents, and valuable productivity hours that are lost while employees struggle to regain access.

Threat actors are actively exploiting insecure MFA recovery processes to take over accounts, then steal from customers, exfiltrate data and deploy ransomware.

You're Only As Secure As Your Account Recovery Process

Popular Identity & Access Management (IAM) like Okta and Microsoft Entra ID recommend using security questions, voice calls or SMS texts for user account recovery, despite the security risks involved. Many high-profile data breaches have been tied back to insecure MFA methods and vishing attacks. This is not surprising, as the vast majority of data breaches are caused by human error, and helpdesk agents are ill-equipped to detect and prevent bad actors using social engineering and AI deepfakes.

Bridge the MFA Gap with Secure, Self-Service Account Recovery

Nametag provides ID verification solutions purpose-built for high risk transactions like account recovery. Nametag’s technology uses the advanced security capabilities of modern smartphones to detect and prevent cyber-criminals from gaining unauthorized access to employee accounts, with native functionality that protects organizations from deepfakes, vishing, and social engineering attacks.

In seconds, Nametag verifies a user's biometrics against a government-issued ID to provide the highest level of security and confidence, without adding friction for employees. Once a user has enrolled with Nametag, they can re-verify themselves with just a selfie.

Nametag works out-of-the-box with pre-built integrations to major Identity Providers (IdPs) like Microsoft Entra ID, Okta, Duo, and OneLogin. Set up is so easy, we often hear that deploying Nametag Autopilot can seem anti-climatic; people can’t quite believe that it’s so fast and easy! But what’s never an anti-climax is the results: right from day one, you’ll immediately see your number of account recovery tickets drop off a cliff.

And over time, you’ll enjoy the peace of mind of knowing that a critical security vulnerability—account recovery—has been remediated.

Nametag customers recognize more than $500,000 in savings for every 1,000 employees by eliminating 20-50% of their helpdesk tickets. Our global customer base spans financial services, insurance, information technology, social media, and other high-risk industries.

“The Nametag implementation was actually incredibly simple. We're immediately starting to see decreases in tickets going to support, and the time to resolve those tickets, and increases in user happiness. We've seen fantastic results in time-to-resolve in deflecting tickets from coming into support, and just the overall experience that users are having as being positive." -- Eric Richard, CISO & SVP Engineering at HubSpot

Read our quick-start guides to see how easy it is to implement; watch demo videos of our Autopilot self-service and Copilot agent solutions; or contact us for more info.

Secure your helpdesk against social engineering and impersonators.
Accept All Cookies