Skip to content

MFA & Password Reset Verification

This page provides the step-by-step workflow that help desk agents follow when an employee requests a password reset, MFA reset, or other sensitive credential change. Print this page or bookmark it as a quick reference for your team.

Before You Begin

Make sure the following are in place:

  • A help desk Link has been created in the Polyguard Console (see Setting Up Polyguard for Help Desk)
  • You have access to either your ticketing system (with the Polyguard integration installed) or the Polyguard Console directly
  • The employee has the Polyguard Mobile app installed on their smartphone

What if the employee doesn't have the app?

If the employee has not yet installed Polyguard Mobile, the verification link will guide them through downloading and setting up the app. This adds a few minutes to the process on the first use, but subsequent verifications will be fast.

The Verification Workflow

Step 1: Receive the Reset Request

An employee contacts the help desk -- by phone, chat, email, or ticket -- requesting a password reset, MFA reset, or other credential change.

Do not proceed with the reset until identity verification is complete.

Step 2: Initiate the Trust Check

  1. Open the employee's ticket.
  2. Click the Polyguard Verify button (or equivalent action in your integration).
  3. Confirm the employee's email address or phone number where the verification link should be sent.
  4. Click Send.
  1. Open console.polyguard.ai and navigate to Links.
  2. Find your help desk Link and click Send Trust Check.
  3. Enter the employee's email address or phone number.
  4. Optionally, add a reference note (e.g., the ticket number) for audit purposes.
  5. Click Send.

The employee will receive an email or text message containing the verification link.

Step 3: Monitor Verification in Real Time

After sending the trust check link, you can watch the verification progress in real time:

  1. The Polyguard Console or your ticketing system sidebar will show the trust check status.
  2. Status updates as the employee progresses:
Status Meaning
Sent The verification link has been delivered to the employee
Opened The employee has opened the link
In Progress The employee is completing identity verification in the Polyguard Mobile app
Verified Identity verification is complete -- the employee is confirmed
Failed Verification was not successful (see decision tree below)
Expired The link expired before the employee completed verification

Stay on the line

If the employee is calling by phone, keep them on the line while they complete verification. Most verifications take about 30 seconds. You can confirm completion together in real time.

Step 4: Confirm the Verified Identity

Once the status changes to Verified, review the verification details:

  • Name -- The verified name from the employee's identity credential
  • Proofs completed -- Which identity proofs were satisfied (e.g., Face Biometric, Device Identity)
  • Device -- Device attestation result confirming an uncompromised device
  • Location -- The employee's state and country (if Geographic Location was required)
  • Timestamp -- When the verification was completed

Confirm that the verified name matches the employee's record in your directory or HR system. If everything checks out, proceed with the reset.

Step 5: Complete the Reset

After confirming the employee's identity:

  1. Proceed with the password reset, MFA reset, or account change following your organization's standard procedures.
  2. Record the Polyguard verification session ID in the ticket for audit purposes.
  3. Close or update the ticket as appropriate.

When Verification Fails

If a verification attempt is not successful, follow this decision tree to determine the appropriate next step.

Decision Tree

Verification status: Failed

  • The employee's face did not match their credential.

    • Ask the employee to try again in a well-lit area, without glasses or a hat.
    • If it fails a second time, escalate to your security team. Do not proceed with the reset.

  • Device attestation failed.

    • The employee's device may be jailbroken, rooted, or otherwise compromised.
    • Ask the employee if they have another device with the Polyguard Mobile app installed.
    • If no alternative device is available, escalate to your security team.

  • The employee did not complete verification within the time limit.

    • Resend the trust check link.
    • Confirm the employee received the email or SMS. Check for typos in the contact information.

Verification status: Expired

  • The link was not opened or verification was not completed before the link expired.
  • Send a new trust check link.

When in doubt, escalate

If a verification fails and you cannot resolve it through the steps above, do not proceed with the reset. Escalate to your security team for manual review. A failed verification may indicate a social engineering attempt.

Handling Edge Cases

Employee does not have a smartphone

If the employee does not have access to a smartphone with the Polyguard Mobile app, they cannot complete the standard verification workflow. In this case:

  • Follow your organization's fallback verification procedure (such as in-person verification with a manager or physical ID check).
  • Document that the standard Polyguard verification was not possible and the reason why.

Employee is locked out of their phone

If the employee cannot access the phone where Polyguard Mobile is installed:

  • They can install Polyguard Mobile on a different device and re-verify their identity.
  • If no device is available, follow your organization's fallback procedure.

Multiple reset requests from the same employee

If the same employee makes repeated reset requests in a short period, this may indicate:

  • A legitimate issue (e.g., a new device that keeps failing to sync).
  • A potential security concern.

Flag repeated requests for review by your security team, even if each individual verification succeeds.

Quick Reference for Agents

Step Action
1 Receive a reset request
2 Send a Polyguard trust check link to the employee
3 Monitor verification status in real time
4 Confirm the verified identity matches the employee's record
5 Complete the reset and record the session ID in the ticket

Golden rule: Never reset credentials until Polyguard verification shows Verified.

What's Next?