Introduction – the weakest link in account recovery

Password resets have long been a back door for account takeover.  Attackers know that help-desk staff can be tricked and that most “self-service password reset” (SSPR) systems were designed for convenience, not for security.  In an era of generative AI, deepfakes and voice cloning, criminals can convincingly impersonate customers or employees and bypass traditional multi-factor authentication (MFA).  The result is a surge in social-engineering campaigns and growing financial losses from account takeover fraud.  Legacy SSPR platforms make this problem worse by forcing users to pre-register specific authentication methods and by relying on authenticator apps and one-time codes, methods that attackers have learned to subvert.

Trusona proposes a very different solution.  Instead of asking users to register extra factors, it verifies a person’s identity at the moment of recovery by scanning a government-issued ID, matching the data against authoritative sources, checking the document’s integrity and verifying device signals.  This “identity proofing” happens in real time and does not require a separate app.  The approach stops attackers because it is easier to trick a help-desk agent than to pass a high-assurance document authenticity test.  Trusona calls this capability Identity Impersonation Detection.  It is a set of technologies that confirm that a person is who they claim to be and simultaneously detect forged credentials, synthetic identities and deepfakes.

The following sections explore why identity verification is essential for password resets, how legacy SSPR solutions fall short, and how Trusona’s ATO Protect API brings identity impersonation detection to self-service password reset flows without requiring any code changes or pre-registration.


The shortcomings of legacy SSPR – friction and weak verification

Legacy SSPR solutions are tied to traditional identity architectures.  To use these services, users must first register at least one authentication method and often more.  Administrators are encouraged to require multiple methods so that users can fall back to another factor if one is unavailable.  The platforms support a narrow set of methods: phone calls, SMS codes, email one-time passwords and authenticator applications.  Importantly, policy rules do not allow the mobile authenticator to be the only method; when one method is required, the authenticator app must be paired with another factor, and when two methods are required, the app must be paired with two additional factors.

These requirements create friction for end users.  They must enroll in at least one second factor before they can perform a password reset; if they forget to register or lose access to their registered methods, they are locked out until an administrator intervenes.  The dependence on authenticator apps adds further complexity, since users must install and maintain a specific app and, in some cases, use multiple devices.  Friction leads to lower adoption of SSPR and encourages dangerous workarounds, such as sharing passwords or bypassing corporate policies.  Meanwhile, social-engineering groups such as Scattered Spider exploit these processes by targeting help-desk staff.  Attackers impersonate employees, claim that their phone or number has changed and persuade agents to reset MFA devices or send reset links to an attacker-controlled account.  Once an attacker registers their own authentication method, they can reset passwords without resistance.
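To make the legacy eligibility rules above concrete, here is an added model (not Trusona's or any SSPR vendor's code) of such a policy and of the lockout cases the text describes; the method names, the SsprPolicy and reset_eligibility helpers, and the choice to apply the app-pairing rule to the factors a user actually presents are assumptions.

```python
"""Assumed simplification of legacy SSPR policy rules; not a real policy engine."""
from dataclasses import dataclass
from typing import FrozenSet

# The narrow method set legacy SSPR platforms support (names are constructed).
PHONE, SMS, EMAIL, APP = "phone_call", "sms_code", "email_otp", "authenticator_app"
ALL_METHODS = frozenset({PHONE, SMS, EMAIL, APP})


@dataclass(frozen=True)
class SsprPolicy:
    required: int             # methods a user must present: 1 or 2
    enabled: FrozenSet[str]   # methods the administrator turned on

    def validate(self) -> str:
        """Return "" if the policy is admissible, else the violated rule."""
        if self.required not in (1, 2):
            return "required must be 1 or 2"
        if not self.enabled <= ALL_METHODS:
            return "unsupported method enabled"
        if len(self.enabled) < self.required:
            return "fewer methods enabled than required"
        # Rule from the text: the authenticator app can never stand alone;
        # it must be paired with `required` additional factors.
        if APP in self.enabled and len(self.enabled - {APP}) < self.required:
            return "authenticator app must be paired with %d other factor(s)" % self.required
        return ""


def reset_eligibility(policy: SsprPolicy, registered: FrozenSet[str],
                      reachable: FrozenSet[str]) -> str:
    """Return "eligible" or the reason the user is locked out of self-service reset.

    `registered` is what the user enrolled; `reachable` is what they can use right
    now (SMS and the app drop out after a lost phone).  Assumption: the app-must-be-
    paired rule applies to the factors the user presents, not only to policy setup.
    """
    err = policy.validate()
    if err:
        return "policy invalid: " + err
    usable = registered & reachable & policy.enabled
    if not usable:
        return "locked out: no usable registered method (help desk required)"
    if usable == {APP}:
        return "locked out: authenticator app cannot be the sole method"
    if len(usable) < policy.required:
        return "locked out: %d method(s) required, %d usable" % (policy.required, len(usable))
    return "eligible"
```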

Put simply, the old way of resetting passwords is both clunky and risky.  It assumes that whoever registered a second factor is the legitimate account holder.  Attackers know that the weakest link isn’t the cryptography but the human element: convincing a support representative to override the process, or pushing a fraudulent request through a self-service portal that treats registered factors as trustworthy.


Why identity verification and impersonation detection matter

When deepfakes and AI-generated voices can mimic a person with uncanny accuracy, verifying identity requires more than knowledge-based questions or one-time passwords.  Trusona’s research highlights how modern attacks bypass MFA and exploit help-desk processes.  Attackers gather personal data from social media and previous breaches, then call the support desk pretending to be the user.  They ask to remove existing MFA methods or to enroll new devices, using urgency and social-engineering tactics to get past well-meaning agents.  In 70% of the SaaS breaches analyzed by Obsidian Security, attackers subverted MFA.

The way to beat these tricks is to ask for real proof before doing anything sensitive.  That means asking for a government-issued ID, making sure the document is genuine and matching it against official data.  Behind the scenes the system also inspects the device itself and records each step, creating a clean audit trail.  Trusona’s blog on Scattered Spider notes that secure identity proofing requires a user to scan a government ID and prove possession of the original device or registered token.  By combining document authenticity checks with device binding, the process makes it much harder for an attacker to impersonate someone using only stolen personal data.  Help-desk agents are removed from the verification loop: the system automatically approves or denies the reset, so there is no agent left for an attacker to social-engineer.

By focusing on identity verification rather than simply authenticating devices, organizations can drastically reduce account takeover incidents.  Verifying identity also generates a detailed record of who requested the reset and when, which helps with compliance and forensic analysis.  This is the foundation of Trusona’s Identity Impersonation Detection: proactively detecting when an identity claim is false, rather than assuming that possession of a factor (such as an authenticator app) is sufficient.


Trusona’s ATO Protect API – how it works

With ATO Protect, that forgotten-password link looks very different.  Instead of being whisked to a page asking for pet names and codes, users get a secure link where they scan their government-issued ID.  Behind the scenes, the API checks that the document hasn’t been tampered with and compares it to authoritative data, then looks at how the device is behaving to stop man-in-the-middle attacks.  If everything lines up, the system resets the password without any pre-registered methods required.

The UConn case study illustrates the impact.  The University of Connecticut’s Technology Support Center integrated the ATO Protect API into its NetID password recovery process.  Instead of waiting for help-desk staff, students and alumni skip the ticketing queue and recover their accounts by using their government ID.  The custom user experience allows them to reset passwords in under a minute and ensures that only the legitimate user can regain access.  The university significantly reduced help-desk workload and strengthened security because the reset is self-service yet backed by robust identity proofing.


Identity Impersonation Detection in action

Identity Impersonation Detection isn’t just about scanning an ID; it is about detecting when someone is not who they say they are.  Trusona applies this concept across multiple use cases:

Hiring and HR: Attackers exploit HR processes by submitting fake applications or impersonating employees.  Trusona’s ATO Protect for HR adds an identity verification layer during onboarding and access provisioning.  It verifies that the person is who they claim to be and that they aren’t using forged credentials, synthetic identities or impersonating someone else.  This stops “ghost employees” from entering the organization and catches fraudulent documents.

Customer support: Fraudsters frequently impersonate customers to reset passwords or recover accounts.  ATO Protect verifies the customer’s identity directly with authoritative records before an agent acts.  This prevents help-desk staff from being tricked and ensures that only legitimate users receive support.

IT helpdesk and account recovery: For internal password resets, the solution performs a real-time identity verification scan, requesting the user to corroborate their identity, validating the data against account records and checking the device’s behavior.  It also detects man-in-the-middle attacks and deepfake attempts, stopping fraudsters before they can gain access.

These capabilities combine to create a new layer of defense.  By verifying the authenticity of the person and checking for behavioral anomalies, Trusona’s platform can detect impersonation and block the reset.  The process is completely automated, so help-desk agents are not making judgement calls.


No pre-registration or authenticator app required

One of the most significant benefits of Trusona’s SSPR approach is that it eliminates user pre-registration.  Users do not need to enroll multiple authentication methods ahead of time, which is often a barrier in legacy systems.  Instead, identity proofing happens when the user needs it.  This has two advantages:

Lower friction for end users – Users don’t need to manage separate authentication apps or remember security questions.  They simply scan their ID through a secure link to prove who they are.  The UConn case study showed that users could recover access within a minute.

No dependency on an authenticator app – Legacy SSPR policies prevent using the authenticator app as the sole method and force users to register additional factors.  Trusona’s solution does not require any additional app at all; it uses web-based identity verification.  This is particularly valuable for organizations whose users may not have smartphones or who are reluctant to install corporate apps on personal devices.


Seamless integration and zero-code deployment

Trusona designed its platform to integrate with existing identity and access management (IAM) systems via configuration rather than code.  The ATO Protect solution is a no-code change for call-center operations and a low-code integration for digital channels.  It can be deployed without changing the underlying applications, making it ideal for organizations that use managed IAM platforms.  The API leverages open standards (such as OpenID Connect) to integrate with widely used identity directories.

Beyond digital channels, the platform provides a no-integration solution that scans documents from around the world and employs device intelligence and man-in-the-middle detection.  This means that even call-center agents can initiate identity verification flows by sending a link; no development work or system integration is required.  For HR and customer-support use cases, the same identity-verification capabilities can be invoked through the ATO Protect Express API, which weeds out fraudulent applications without requiring integration work.


The UConn experience – a case study in modernizing password resets

The University of Connecticut (UConn) offers a clear example of the benefits of adopting identity verification for SSPR.  Before deploying ATO Protect, password resets were one of UConn’s most time-consuming help-desk tasks.  After integrating the API, students, staff and alumni skip the help-desk queue and use their government ID to recover accounts.  Within a minute, they reset their password and regain access.

This approach improves both security and efficiency.  Because identity proofing is required, attackers cannot impersonate students by answering security questions or re-registering their MFA devices.  Meanwhile, help-desk staff are freed to focus on complex issues.  UConn’s experience illustrates that identity verification can deliver a superior user experience while reducing operational costs.


Comparative snapshot

Below is a high-level comparison of legacy SSPR practices and Trusona’s ATO Protect approach.  The table uses short phrases to highlight the contrasts; details are elaborated in the prose above.

Feature: Requires user pre-registration of multiple factors?
Legacy SSPR (traditional implementations): Yes – users must register at least one method, and often two, before they can reset their password.
ATO Protect with identity verification: No – identity proofing happens at reset time; users scan a government ID and confirm their identity through a secure link.

Feature: Allows authenticator app as sole method?
Legacy SSPR (traditional implementations): No – policies forbid using the authenticator app alone and require additional factors.
ATO Protect with identity verification: Yes – no mobile app is required; the platform uses a web-based identity verification flow.

Feature: Verification type
Legacy SSPR (traditional implementations): Assumes possession of registered factors; relies on knowledge-based questions, SMS codes and authenticator push notifications.
ATO Protect with identity verification: Government ID scanning, document and device checks, authoritative data lookup and device intelligence.

Feature: Security posture against impersonation
Legacy SSPR (traditional implementations): Vulnerable to social-engineering and MFA fatigue attacks.
ATO Protect with identity verification: Identity Impersonation Detection actively verifies authenticity and detects forged or synthetic identities.

Feature: Integration complexity
Legacy SSPR (traditional implementations): Requires configuring policies and often writing scripts or code.
ATO Protect with identity verification: No-code for call centers and low-code for digital channels; no-integration option for scanning documents worldwide.


Conclusion – identity verification as the new default

Deepfakes and AI-powered scams have shown just how flimsy those old password reset systems really are.  Registering a bunch of factors or making everyone install an authenticator app won’t save you when an attacker can mimic your voice.  The only way to beat them is to check the person, not the gadget.  Trusona’s ATO Protect API flips the script: password resets become about who you are.  It confirms the person with a government-issued ID and official data, skips the pre-registration hassle and plugs into existing identity systems without writing a line of code.

By putting Identity Impersonation Detection at the heart of the process, Trusona raises the bar.  Legitimate users sail through, while scammers hit a wall.  UConn’s story shows what happens when you put identity first: fewer help-desk tickets, stronger security and happier users.  With trust so easy to fake today, checking who’s behind a reset request should be the norm.
