220-1102 Practice Question: A help desk technician receives a call from a…

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Answer analysis

Why the other options are wrong

Understanding why incorrect options are tempting is as important as knowing the correct answer.

• ✗

  Ask the user for their previous password

  The previous password is not a reliable verification method and should not be shared.

• ✗

  Escalate the issue to a supervisor

  Escalation is not necessary; the technician should follow standard identity verification procedures.

• ✗

  Reset the password and provide the new password to the user

  Proceeding with reset without additional verification risks unauthorized access.

Technical deep dive

How to think about this question

When a user requests a password reset, verifying their identity is paramount to prevent unauthorized access. The initial step of asking for an employee ID and date of birth serves as a knowledge-based factor, confirming something the user *knows*. However, this information, while personal, can sometimes be compromised through various means, including social engineering or data breaches. Relying solely on these details for a high-privilege action like a password reset introduces a significant security vulnerability. Best practices dictate the implementation of multi-factor verification (MFV) for such sensitive operations. The next logical step, therefore, is to introduce a second, independent factor to confirm the user's identity. This second factor should ideally be something the user *has* or *is*, making it much harder for an impostor to provide. Common methods include sending a one-time passcode (OTP) via SMS to a pre-registered mobile device, sending a verification link or code to the user's corporate email address (which should be distinct from the account being reset), or requiring a confirmation through an authenticator application. The user would then provide this code or confirm the action, proving they have access to a trusted, registered device or account. This process significantly mitigates the risk of social engineering attacks, where an attacker might have acquired basic PII but lacks access to the user's secondary verification channel. Proceeding directly to a reset (Option A) without this additional verification is a major security lapse. Asking for a previous password (Option C) is not a secure verification method and could expose sensitive information. Escalating to a supervisor (Option D) is unnecessary at this stage, as the technician has a clear, secure procedure to follow.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

FAQ

Questions learners often ask

Keep practising

More 220-1102 practice questions

• →A change advisory board (CAB) approved a standard change to update antivirus definitions on all servers. The technician…
• →A company's change management policy requires all server changes to be approved by the Change Advisory Board (CAB). A te…
• →A company is implementing a bring-your-own-device (BYOD) policy and needs to ensure that corporate data on employee mobi…
• →A company requires employees to present both a smart card and a PIN to log into their workstations. Which authentication…
• →A company requires all Windows 10 workstations to be able to join an Active Directory domain. Which edition of Windows 1…
• →A company wants to allow employees to securely access internal resources from home via the internet. Which method provid…