January 27, 2026

Why Your Password Reset Process Needs a Bouncer: The Rise of Identity Verification

Let's set the scene… A hacker calls your help desk, uses AI to perfectly mimic your CFO's voice, and convinces someone to reset their password. Five minutes later, your company's financial data is walking out the digital door. Sound like science fiction? It's actually Monday morning for cybersecurity teams around the world.

The Social Engineering Problem We Can't Educate Away

Here's the uncomfortable truth: while cybersecurity tools have gotten incredibly sophisticated, hackers have simply changed tactics. They're no longer just trying to brute-force their way through your firewall; they're calling your service desk and asking nicely for access.

With deepfake video and voice cloning technology becoming accessible to anyone with an internet connection, the old "trust but verify" approach is looking pretty shaky. And yes, before you say it, we know education is important. But let's be real: not everyone who uses a computer for work actually wants to use a computer for work. We can't educate our way out of this problem alone.

Enter the Bouncer: Identity Verification (IDV)

Think of Identity Verification as the bouncer at an exclusive club, except instead of checking if you're on the list, they're checking your government-issued ID and making sure the face matches. You've probably encountered IDV before:

  • Setting up your myGov account with myID
  • Applying for a job that required a police check
  • Seeing that little verified badge next to someone's name on social media

The concept is simple: prove you are who you say you are using official documentation, not just something you know (password) or something you have (phone for MFA).

The Qantas Wake-Up Call

Remember the Qantas Frequent Flyer breach that exposed millions of Australians' data? That breach happened because someone called up, impersonated a manager using voice cloning technology, and waltzed right through the security checkpoints. Yes, better processes might have prevented it. But humans are humans: we make mistakes, we have off days, and sometimes we just want to be helpful.

That's where technology comes in as the safety net. By embedding IDV into account reset and recovery workflows, you create a barrier that social engineering simply can't bypass. No matter how convincing the fake voice is, if they can't produce a government-issued ID and matching face, they're not getting in.

How It Actually Works

Most large organisations already use Identity and Access Management (IAM) solutions like Entra ID, Okta, or Ping ID. The good news? There's a growing list of ID verification providers (like Onfido, Persona, and Trulioo) that integrate seamlessly with these platforms.

The workflow is straightforward:

  1. User requests a password reset or MFA authenticator change
  2. System triggers an ID verification requirement
  3. User scans their government ID and takes a selfie
  4. AI validates the match
  5. Only then does the system allow the change to proceed

Your service desk is off the hook, the pressure is removed from individual judgment calls, and your security posture just got significantly stronger.

For My Fellow Australians: The myID Game-Changer

Here's something exciting for organisations in Australia: the Australian Government Digital ID System (AGDIS) is making myID available for identity verification purposes. If you're a Commonwealth, state, or territory entity, you can use it right now. Private sector organisations will get access from December 2026.

Why is this a big deal? Over 15 million Australians have already set up myID, which requires verification of government-issued identities by the actual source that issues them. And unlike commercial IDV solutions, it's free.

The Catches (Because There Are Always Catches)

Before you rush to implement AGDIS, consider these requirements:

  • You need to apply and be approved to start testing
  • There's a testing process to ensure your IAM platform meets their standards, which may conflict with other requirements
  • You're subject to ongoing audits (so you'll need operational capacity for compliance)
  • Users with only one form of Australian ID (like international students with just a visa) only achieve 'Basic' strength level in myID, which isn't acceptable for account recovery as Basic only requires you to enter your personal details. You need users with 'Standard' strength (requires two forms of ID) for proper security
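To make the five-step workflow above and the Basic-versus-Standard catch concrete, here is an added Python example (not code from this article, nor from any IDV provider or IAM platform) of the decision a recovery service makes at steps 4 and 5 before letting a password or MFA change proceed. The IdvResult fields, the strength names and their ranking, the ten-minute freshness window and every sample session are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assurance levels, weakest to strongest. "basic"/"standard" mirror the myID levels the article describes; the ranking is assumed.
STRENGTH_RANK = {"basic": 1, "standard": 2, "strong": 3}

@dataclass(frozen=True)
class IdvResult:  # what an IDV provider returns for one ID + selfie session (constructed shape)
    subject_name: str        # name read from the government ID
    document_verified: bool  # document authenticity checks passed
    face_match: bool         # selfie matched the document photo
    strength: str            # assurance level achieved (a key of STRENGTH_RANK)
    completed_at: datetime   # when the provider finished the session (UTC)

@dataclass(frozen=True)
class RecoveryRequest:
    account_name: str               # legal name held on the account being recovered
    idv: "IdvResult | None" = None  # None until the user completes the IDV step

def recovery_allowed(req: RecoveryRequest, now: datetime, min_strength: str = "standard",
                     max_age: timedelta = timedelta(minutes=10)) -> tuple:
    """Steps 4-5: allow the change only if IDV passed, is recent, names this account holder and meets min_strength."""
    norm = lambda s: " ".join(s.split()).casefold()  # tolerate spacing/case differences in names
    r = req.idv
    if r is None:
        return False, "idv_required"               # step 2: no verification yet
    if not (r.document_verified and r.face_match):
        return False, "idv_failed"
    if now - r.completed_at > max_age:
        return False, "idv_expired"                # an old session cannot be replayed later
    if norm(r.subject_name) != norm(req.account_name):
        return False, "idv_subject_mismatch"       # a valid ID for someone else unlocks nothing
    if STRENGTH_RANK.get(r.strength, 0) < STRENGTH_RANK[min_strength]:
        return False, "idv_strength_insufficient"  # e.g. a Basic-level myID
    return True, "ok"

def demo_decisions() -> dict:
    """Run constructed sample sessions (all data made up) through the gate; returns case -> reason."""
    now = datetime(2026, 1, 27, 9, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=3), now - timedelta(hours=2)
    sessions = {
        "standard_ok": IdvResult("Jane Citizen", True, True, "standard", fresh),
        "basic_only": IdvResult("Jane Citizen", True, True, "basic", fresh),
        "stale": IdvResult("Jane Citizen", True, True, "standard", stale),
        "wrong_person": IdvResult("John Smith", True, True, "standard", fresh),
        "no_face_match": IdvResult("Jane Citizen", True, False, "standard", fresh),
        "not_started": None,
    }
    return {k: recovery_allowed(RecoveryRequest("Jane  Citizen", idv), now)[1]
            for k, idv in sessions.items()}
```

The reason string is what you would log and show the service desk, so that a refused reset is explained by the IDV outcome rather than left to an individual judgement call.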

It's a fantastic service if your user base is primarily Australian and you have the resources to manage the compliance requirements. Universities would significantly benefit from IDV services, as they typically hold a lot of very valuable intellectual property and personally identifiable information records. Unfortunately, most universities don't invest heavily in IT, so budgets are low, which would make AGDIS an attractive option if only it could validate international students.

The Bottom Line

We can implement all the contract management processes and staff training in the world, but at the end of the day, we're all human. We make mistakes. We get tired. We want to be helpful. That's why we need technology as the backstop.

Identity Verification isn't just another security checkbox; it's the bouncer that makes sure only the right people get access to the sensitive data in your digital infrastructure. And in a world where AI can make anyone look and sound like anyone else, that bouncer just became essential.

Ready to add a bouncer to your account recovery process? Let's talk about how IDV can fit into your security strategy and which solution makes sense for your organisation.