Skip to main content

Identity Verification

The ID Verification page (Dashboard > Verification) lets an administrator confirm that the person on the other end of a call, chat, or ticket really is the employee they claim to be. The employee reads a short numeric code out of their Surface browser extension; the administrator types it into the dashboard and gets an instant verified-or-not answer tied to a named identity.

This closes a gap that voice recognition and "security questions" no longer close: with convincing voice deepfakes and leaked personal data, knowing things about an employee is not proof of identity. Possession of the employee's enrolled browser is much stronger — and that is exactly what these codes prove.

Screenshot

[SCREENSHOT PLACEHOLDER: ID Verification page showing the Verify Daily Code / Verify One-Time Code tabs, the Step 1 user search with a selected user, and the large Step 2 code entry field]

How it works

There are two kinds of codes, both displayed only in the employee's enrolled browser extension:

Daily codes rotate automatically every 24 hours at midnight in your tenant's timezone. Each user has their own code for the day, visible in the extension popup under My Daily Code (hidden until the user taps to reveal it). The code is derived cryptographically on demand from a per-user secret — it is never stored in plaintext on the server, and yesterday's code is useless today.

One-time codes are created by the employee themselves for high-value moments. In the extension popup they click Create in the verification section, enter a Purpose / Note (for example "Approving wire transfer #4821") and an Expires In duration, and get a short numeric code. Each code is single-use and time-limited (expiry is capped at 30 minutes; the default and maximum are tenant settings), and only a strong one-way hash of it is stored server-side. When it is verified, the stored note is shown to the verifier — so the code also proves what it was created for, not just who created it.

Every verification attempt — success or failure — is written to a dedicated audit trail and can be forwarded to your SIEM. Repeated failed attempts against the same user are rate-limited (on the order of ten attempts per hour), so codes cannot be brute-forced.

Using the page

The page is a two-step form with a tab for each code type: Verify Daily Code and Verify One-Time Code.

  1. Step 1: Select User to Verify. Search by name or email and pick the person from the dropdown. For one-time codes, select the person who created the code.
  2. Step 2: Enter Code. Type the 6-8 digit code the person reads to you. The helper text reminds you which code to ask for: the daily verification code displayed in their browser extension, or their single-use one-time code.
  3. Click Verify Identity.

A successful check shows an Identity Verified panel with the verified identity's name, email, and department, the timestamp, and — for one-time codes — the Code Purpose note the employee attached. A failure shows why in plain terms: the code was incorrect, expired (the day rolled over, or the one-time code timed out), already used (one-time codes work exactly once), or attempts were rate-limited.

Click Verify Another User to reset the form for the next call.

Screenshot

[SCREENSHOT PLACEHOLDER: A successful verification result showing the green Identity Verified panel with the Verified Identity card and, on the one-time tab, the Code Purpose note]

What the employee sees

In the extension popup, the verification section shows:

  • My Daily Code — tap to reveal today's code, with a copy button.
  • The one-time code list with + Create, which opens the Create Verification Code dialog (Purpose / Note, Expires In, Create Code). The code is displayed once at creation; active codes remain listed with their note and remaining lifetime.

The extension also has its own Verify Identity flow (find a user, enter their code), so verification is not limited to dashboard administrators — an employee can check a colleague's code during a suspicious call without involving the security team.

Screenshot

[SCREENSHOT PLACEHOLDER: The browser extension popup showing the My Daily Code card (revealed) and the Create Verification Code dialog with the Purpose / Note field]

Use cases

Help-desk identity checks. Before a password reset, MFA re-enrollment, or any account change requested over the phone or chat, the agent asks: "Open your Surface extension and read me your daily code." The agent verifies it on the Verify Daily Code tab. An attacker impersonating the employee — even with a perfect voice clone and the employee's personal details — cannot produce the code without control of the employee's enrolled browser.

Incident response. During an active incident, responders often need to confirm they are talking to the real user ("did you actually just try to log in from Frankfurt?"). A daily-code check takes seconds and leaves an audit record of exactly who was verified, by whom, and when.

High-value approvals. For wire transfers, vendor banking changes, or emergency access grants, ask the requester to create a one-time code with the purpose written into the note ("Wire transfer #4821 to Acme Ltd"). The approver verifies the code on the Verify One-Time Code tab and sees the note — binding the verification to that specific transaction. Because the code is single-use, it cannot be replayed for a second request, and a REUSED result on a code is itself a red flag worth investigating.

Callback verification both ways. Employees receiving a call "from IT" can demand a code too: a real administrator or colleague can prove themselves through the extension's peer verification, defeating the classic fake-help-desk attack.

Practical notes

  • Codes only exist for users with an enrolled extension. If a user cannot be found in Step 1 or has no code to read, check their enrollment status on the Users page and their device health on the Devices page.
  • Daily codes change at midnight in the tenant timezone. A code that fails around midnight may simply be yesterday's — ask the user to reopen the popup and read the current code.
  • Codes are numeric, 6 to 8 digits, and read naturally in groups ("123 456") — easy over a phone line.
  • Write the verification requirement into your help-desk runbook. The control is only as strong as its consistent use: the goal is that no sensitive account action happens without a code check.

FAQ

Can an administrator look up a user's code and impersonate them? No. Daily codes are never stored — they are derived and checked on the fly — and one-time codes exist server-side only as one-way hashes. The dashboard can verify a code someone reads to you; it cannot display anyone's code.

What if the employee's browser is compromised? The code proves possession of the enrolled browser. If the device itself is suspected compromised, that is an incident, not an identity check — revoke the device from the Devices page and verify through a second channel.

Is there a record of verifications? Yes. Every attempt (including failures and rate-limited attempts) is logged for audit and can flow to your SIEM along with other Surface Security events.

Why does the one-time tab ask me to select the code's creator? One-time codes are looked up by who created them. Selecting the creator plus the code is what proves the request came from that person.

  • Users and Groups — enrollment status determines who has codes
  • Devices — revoke a device if a verification raises suspicion
  • Passkey Adoption — the companion program for making the logins themselves phishing-resistant