How do you distinguish one customer from the next? When a user calls in, how do you validate the caller’s identity? Sure, it may be simple for users that you know, but not all members of your help desk know all the users in an organization.
Do you use email confirmations? What if the caller’s email account has been hijacked? What’s the biggest compromise to an organization?