Proof Puts Itself To The Test For Account Recovery


IT teams live at the intersection of access and urgency. When an employee is locked out, the pressure is to get them back in fast, and the path of least resistance has always been a direct message. For Proof's IT team, that path turned out to have a significant flaw.
The security hole hidden in plain sight
The old process was familiar to anyone who has worked in IT: an employee locked out of their machine would post in the IT Slack channel requesting a password reset, and the team would help. Fast, easy, and almost entirely unverifiable. As Felicia Carnell, Director of Information Technology, put it: "In today's world of malicious actors, how do you know that the person on the other end of that is that person? That could be somebody who just has their phone that's logged into Slack."
A misplaced device, a distracted moment, or a bad actor with access to someone's Slack account was all it would take to trigger a credential reset for an account they had no right to access.
What looked like routine IT support was actually a low-cost attack surface.
Replacing the channel with verified identity
Proof's IT team changed the model. They integrated Identify directly into the account recovery flow via Okta, so any employee locked out of their machine, or receiving a replacement device, goes through identity verification before anything is reset or provisioned. The process checks the employee's identity against their existing Okta profile attributes, sends a secure verification link via SMS or their personal email, and completes in under two minutes.
If someone cannot pass IDV, the request routes to a trusted referee.
Then the team took it further, in partnership with our security team. Together, they built what they now call inline IDV, embedding identity verification directly into the device enrollment flow. When a new hire logs in for the first time, or when a replacement machine ships out, the enrollment screen prompts identity verification before the process can proceed. It reads like a natural extension of onboarding rather than a security checkpoint dropped on top of it.
Employees, including Proof's summer interns whose college addresses sometimes differ from what is on their government IDs, moved through it without friction. Felicia and the team braced for edge cases with the interns. There were none.
The ROI is the breach that doesn't happen
Felicia lived through a breach at a previous company, so her case for the ROI is blunt: "If that person was not who they said they were, the cost of a breach, the cost of something happening and the data loss that could happen, if you think of it in that regard, then it's a huge timesaver."
The scenario she is describing does not require a sophisticated attack. "Even something as small as impersonating someone on Slack to get their laptop password changed, it can cost a company everything: dollars, manpower, all sorts of things."
According to IBM's 2025 Cost of a Data Breach Report, the average breach costs $4.44 million globally and $10.22 million in the United States. Two minutes of identity verification looks very different against that number.
What Felicia wants other IT leaders to take from it is simpler than a product pitch. Account recovery is a moment of high trust and low verification, and most teams have not reckoned with that yet. As she puts it: "If not now, then when a breach does happen, they'll realize they need this, and it's something they should get ahead of."
The question is whether you build that foundation before the incident or after it.
Most IT help desks still run on good faith at account recovery. That is exactly what makes them a target.