Re: Not just Go-Daddy
That sounds ok to me. The contact details the registrar already had on record were used to confirm the request was valid. The security flaw, if there is one here, is that your company's receptionist lies and so do you. But that's a security hole with your company, not with your registrar.
If that phone number isn't good enough for identification purposes it shouldn't have given it to the registrar in the first place. It's the same as when I phone my bank - I don't verify I'm speaking to a trusted person by any means other than dialling the right number.