MGM Post Mortem Best Practices: How does your org verify a user's identity if they call helpdesk for password resets?

Friendly sysadmin here...I'm asking for some ideas for ways to verify the ID of a user who may call into helpdesk for a password reset/account unlock. Being that it took a simple call to MGM's helpdesk to bring down their entire org, I thought it would be a great idea to open up a forum to share some best practices and clever ways to verify an user's true identity.

My org was brainstorming on this, but the best we could …

account asking best practices call cybersecurity down helpdesk ideas identity may mgm org password password reset post mortem practices reset simple sysadmin unlock verify