Password Reset Procedure

Assisted Reset Path (Helpdesk Agent)

Identity Verification (REQUIRED before any reset)

• Verify {{ user_name }}'s identity using at least two of the following:
  • Employee ID number
  • Date of birth
  • Manager's name
  • Last four digits of phone number on file
  • Security questions (if configured)
  • Video call identity verification (for high-security systems)

Password Reset Execution

• Access admin console for {{ system_name }}
• Locate {{ user_name }}'s account
• Generate temporary password (minimum 16 characters, random)
• Set "must change password at next login" flag
• Deliver temporary password via secure channel (NOT email):
  • Preferred: in-person, phone call, or secure messaging
  • Never: email, Slack DM, or unencrypted channel
• Verify {{ user_name }} successfully logs in with temporary password
• Confirm {{ user_name }} has set a new permanent password

Account Lockout Resolution

• Check lockout reason in AD/IdP audit logs
• If excessive failed attempts: unlock account and advise user
• If suspicious activity detected: escalate to security team before unlocking
• Clear lockout counter
• Monitor for repeated lockouts (may indicate compromised credentials)

MFA Recovery

• Verify identity with enhanced verification (manager confirmation required)
• Remove existing MFA enrollment from {{ user_name }}'s account
• Generate new MFA enrollment invitation
• Guide {{ user_name }} through MFA re-enrollment
• Verify MFA is working with test login
• Remind user to save backup codes securely

Password Policy Reference

MINIMUM REQUIREMENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Length:          12+ characters (16+ recommended)
Complexity:     Upper + lower + number + special character
History:        Cannot reuse last 12 passwords
Max Age:        90 days (or per organizational policy)
Lockout:        5 failed attempts = 15-minute lockout

Post-Reset Actions

• Document reset in ITSM ticket with verification method used
• Advise {{ user_name }} to update saved passwords in password manager
• If password was potentially compromised: force reset on all linked systems
• Close ticket

Counter-Rationalizations

Output Format

Generate a reset summary with:

1. User and system details
2. Verification method used
3. Reset actions taken with timestamps
4. Follow-up items if any