This question is directed primarily to net admins for networks that connect multiple sites, where they have little face-to-face contact with their user base:
Suppose you receive a request to reset a password from a user who claims to have forgotten his password. What procedures and policies do you have in place to ensure that the person making the request is actually the user?
— MWE