I work at a large Finnish ISP. We employ a very simple method to avoid problems with impostors trying to reset account passwords and the like: we do not, under any circumstances, reset the password on the customer's behalf. The customer has to do it him/herself. In theory, we are not forbidden from resetting a password, but we are (under penalty of immediate termination) forbidden from giving up the new password to anyone via any form of communication. The customer has to do the resetting him/herself via the account management page.
If the customer has forgotten the credentials to the account management page, he can get into it using his standard 2-factor online banking authentication (in Finland, ALL banks are part of this system and many public and large private services utilise the provided auth API for authorisation). Yes, we understand older clients might find this inconvenient, but no amount of yelling and screaming is going to make any of our reps divulge a password directly. If the customer can't find the account management page or navigate it, we can offer a remote desktop connection to the caller's computer and help them with that, but the caller still has to authenticate; we just show them what links to click and where.