An unacceptable risk for government agencies, financial services, and other high-assurance organizations

The most effective help desk attacks don’t exploit software vulnerabilities. They exploit a process gap: the user on the line who can’t produce a registered authenticator. A contractor on day one. A partner calling in to reset access. These users have always existed at the edge of identity verification coverage, and attackers have systematically targeted them.

For government agencies, financial services, and other high-assurance organizations, that’s an unacceptable risk.

The latest update to RSA Help Desk Live Verify closes that gap.

What the coverage gap actually looks like

The original RSA Help Desk Live Verify release addressed one of the most dangerous attack surfaces in enterprise security: the help desk call. Social engineering, MFA bypass attacks, and technical support scams targeting IT help desks have cost organizations hundreds of millions of dollars in losses and fines. The initial release of RSA Help Desk Live Verify addressed these risks with a patent-pending bi-directional verification model that could confirm both the user’s and the agent’s identities without either side sharing a PIN, password, or personal detail.


But it required users to have a registered RSA authenticator. That left a category of users entirely outside the protection model: contractors without a provisioned device, employees whose authenticator device was lost or stolen, temporary workers, and external partners. For these users, organizations had to resort to older approaches, including asking security questions, reading back account details, or skipping verification entirely.

How RSA Help Desk Live Verify works

Before going into what’s new in RSA Help Desk Live Verify, it helps to understand the underlying mechanism:

  • When a user contacts the help desk, the agent initiates an RSA Help Desk Live Verify session, directing the user to a company-owned website
  • There, the user is offered a range of passwordless verification options (including passkeys). These options result from the organization’s adaptive access policies and the user’s real-time risk signals
  • The user verifies their identity using the most convenient option available to them
  • Upon successful verification, the user receives a verification code that they provide to the help desk agent
  • The help desk agent then enters the code into the admin console, verifying the user, and continues to assist with the request

Neither side speaks a credential or provides personal information. Importantly, the verification is bi-directional by design—the process also confirms the agent’s identity to the user, eliminating the classic ‘I’m from your help desk—let’s reset your password’ style of attack.
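A simplified model of the code hand-off in the steps above, added here as an illustration and not RSA's implementation: the class, method names, six-digit code, lifetime and attempt limit are all assumptions. It shows why the code can be spoken aloud: it is random, bound to one agent-initiated session, short-lived and single-use.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed; the page states no lifetime
MAX_TRIES = 3           # assumed guess limit for the short code


class VerifySessions:
    """Toy in-memory model of an agent-initiated verification session."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session_id -> state

    def agent_start(self, agent_id, user_id):
        """Agent opens a session, then directs the user to the company site."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"agent": agent_id, "user": user_id,
                               "code": None, "expires": 0.0, "tries": 0}
        return sid

    def user_verified(self, sid, user_id):
        """Run after the user authenticates on the site; returns the code."""
        s = self._sessions[sid]
        if s["user"] != user_id:
            raise PermissionError("session was opened for a different user")
        s["code"] = f"{secrets.randbelow(10**6):06d}"  # random, reveals no credential
        s["expires"] = self._clock() + CODE_TTL_SECONDS
        return s["code"]

    def agent_redeem(self, sid, agent_id, spoken_code):
        """Agent enters the code in the console; succeeds at most once."""
        s = self._sessions.get(sid)
        if s is None or s["code"] is None or s["agent"] != agent_id:
            return False  # unknown session, user not verified, or other agent
        s["tries"] += 1
        fresh = self._clock() <= s["expires"]
        match = hmac.compare_digest(s["code"].encode(), spoken_code.encode())
        if fresh and match:
            del self._sessions[sid]  # single use: a replayed code fails
            return True
        if not fresh or s["tries"] >= MAX_TRIES:
            del self._sessions[sid]  # expired or too many guesses
        return False
```
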

Access to sensitive or restricted apps and resources automatically triggers stronger authentication—based on who’s asking, where they are, and what they’re accessing. Step-up authentication is automatically applied when user context and behavior indicate risk.

Organizations can also layer on RSA® Mobile Lock and RSA® Risk AI to make RSA Help Desk Live Verify even better. Mobile Lock monitors the mobile authentication environment and can block verification requests if the device shows signs of compromise—trojans, screen-sharing malware, or other indicators that the authentication flow is being observed or intercepted. Risk AI dynamically assesses the user’s behavior and risk signals, automating step-up authentication challenges if warranted.

What ID Verification adds to RSA Help Desk Live Verify

RSA Help Desk Live Verify introduces a parallel verification path for users who don’t have access to a registered authenticator, powered by ID Dataweb. Instead of authenticating with an RSA authenticator, these users go through an ID Verification flow: they submit a government-issued credential—a driver’s license, passport, or other ID—which is checked against authoritative identity data sources in real time. The agent sees the verification result in the same admin console interface. No credential is shared aloud. The bi-directional assurance model still applies.

The verification flow can be controlled through RSA’s adaptive access policies. Administrators can configure which user populations are routed to authenticator-based verification versus ID Verification and can incorporate Identity Confidence with Risk AI to add contextual risk signals to the decision. A high-risk request—for instance, a user logging in from an unusual location, during off hours, requesting certain workflows, or showing other behavioral anomalies—can trigger a stricter verification path.

Why this matters beyond the Help Desk

The RSA Help Desk Live Verify update was designed to cover any sensitive workflow, not just help desk calls. The same verification engine that protects a credential reset can protect a wire transfer authorization, a privilege escalation request, a VPN recovery workflow, or an HR action involving sensitive employee data. In financial services, this matters for real-time payment authorization and high-value transaction approval, where identity assurance requirements are regulatory, not optional. In government and defense, it addresses requirements for identity verification at access boundaries that extend to contractors and partners who may never be issued an agency-managed authenticator.

The practical impact is straightforward: any workflow where an organization needs to confirm who they’re dealing with before taking a sensitive action can now use RSA Help Desk Live Verify, for any user in their extended workforce.

What this means for security and IT teams

From a deployment standpoint, RSA Help Desk Live Verify is an add-on to existing RSA ID Plus environments. There are no changes to existing deployments. Organizations that already use RSA Help Desk Live Verify can extend coverage to users without authenticators by enabling the ID Verification add-on through ID Dataweb. Administrators configure which workflows and user populations can use ID Verification through the same policy framework used for the rest of the RSA® ID Plus environment.

For security teams evaluating coverage, the key question to ask about any RSA Help Desk Live Verify deployment is: what happens when a user doesn’t have access to their authenticator? Before this latest update, the honest answer for most organizations was that verification broke down. With ID Verification in place, that scenario routes to a structured, auditable, phishing-resistant verification flow instead. Every verification interaction—whether through an authenticator or government ID—is logged and available for audit and compliance reporting.

Who RSA Help Desk Live Verify was built for

RSA Help Desk Live Verify addresses a specific set of environments and use cases. It is most relevant for:

  • Organizations with extended workforces. If contractors, partners, or temporary workers interact with your help desk or are involved in sensitive workflows, they have historically represented a verification gap. RSA Help Desk Live Verify is built for this.
  • Financial institutions. Wire transfer authorization, real-time payment approval, and account access requests all involve sensitive interactions where identity assurance directly reduces fraud exposure.
  • Government and high-assurance environments. Agencies and contractors operating in environments with strict identity assurance requirements benefit from a verification model that works for users across the full identity boundary, not just those with government-managed devices.
  • Any organization using RSA Help Desk Live Verify today. If you have already deployed RSA Help Desk Live Verify for authenticator-equipped users, this release lets you extend the same protection to the users currently outside that coverage—without changing your existing configuration.

Availability

RSA Help Desk Live Verify with ID Verification enters Private Preview as part of the June 2026 release, with general availability planned for late summer 2026. Private Preview is available now in select regions, with broader rollout through mid-June. Organizations must enable ID Verification to integrate the updated workflow into their RSA ID Plus environment.

Join the private preview

If your organization has contractors, partners, or employees without a registered authenticator—and you want to close the verification gap before GA—Private Preview is open now. Contact your RSA Account Manager to get your environment enabled.

If you’re not yet an RSA customer, request a demo to see RSA Help Desk Live Verify in action.
