I am currently investigating how we can improve our password reset process. At this point in time the process is sadly lacking in terms of validation of the person making the request for the password reset. I would like your opinions on a process that works for your business. Some ideas I am exploring right now include:

Call Back.
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and phones the user back at the users phone local.

Voice Mail.
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and leaves a message in the users voicemail box (which is also password protected).

Secret Word/phase.
Design/buy a system which all users would enter a secret word or phrase. When a user call the support center for a password reset, the support center enters this system, looks up the user, asks them what their secret word / phrase is. If correct, the password is reset and given to the user.

Password Management System.
Purchase of a full password management system such as P-Sync or BMC Software's Control-SA/PassPort.

The major problem I have to deal with is cost, therefore the Password Management System is likely not an option.

I'd be interested to hear what system(s) works for you.
Thanks for any help

Cheers: