Best, since this is a website-based authentication: Support system has a feature where CSR can pop up a text box to enter the password in (or at least generate a link to give to the customer); password entered is checked against hashed database password, CSR gets to see whether or not the password was correct.
Failing that, customer has to give CSR the password, CSR enters it, it is checked against hashed password (CSR sees plaintext but it could be arranged that it is never stored, which is better than storing all plaintext in a database).
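A sketch of the first option (the CSR generates a link, the customer types the password into it, and the CSR sees only whether it matched), added here as an example and not part of the original answer. The class and method names, the in-memory stores, and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative KDF settings (assumption); use your site's existing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VerificationDesk:
    """Hypothetical support-side service: the CSR only ever sees pass/fail."""

    def __init__(self, ttl_seconds=300):
        self.users = {}    # username -> (salt, password_hash)
        self.pending = {}  # sha256(token) -> (username, ticket_id, expiry)
        self.results = {}  # ticket_id -> bool
        self.ttl = ttl_seconds

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def issue_link(self, username, ticket_id, now=None):
        """CSR action: mint a single-use token to embed in the customer's link."""
        if username not in self.users:
            raise KeyError(username)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a digest
        self.pending[key] = (username, ticket_id, now + self.ttl)
        return token

    def submit(self, token, password, now=None):
        """Customer action: the password goes to the server, never to the CSR."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # consumed even when the check fails
        if entry is None or now > entry[2]:
            return False
        username, ticket_id, _ = entry
        salt, stored = self.users[username]
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        self.results[ticket_id] = ok  # only the boolean is retained
        return ok

    def csr_view(self, ticket_id):
        """CSR action: True, False, or None if the customer has not answered."""
        return self.results.get(ticket_id)
```

The plaintext exists only inside `submit`; nothing the CSR can read back contains it.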