I'm used to seeing "unsecured" under the name of the customer, depending on how they opened and replied to the ticket.
I don't think a confirmation link works in the end. If we're looking for security, spoofed email is too easy to do.
This is what we were working towards at another company :
Customized security questions. Staff can't see the answers. Can only input what the customer provides and the system says "yes, accepted" or "nope". Whitespaces and capitals were removed to avoid weird scenarios, but that's done in the backend.
So in trying to keep this simple:
- Customer opens via email : ask security questions, support pin, whatever. A confirmation link is not good enough
- Customer opens via Blesta, but no 2FA : same thing as above
- Customer opens via Blesta with 2FA : party!
If you want really tight integration, the whole staff inputs pin in a box could be done in the ticket itself to save some clicks. Once it's entered, the ticket becomes "secured" and no one needs to ask for it again