Authentication – Are You Who You Claim to Be?
In the wake of large data breaches and a consistent rise in digital security threats, organizations are taking more steps to protect their customers. How are they doing this? Most organizations use some form of authentication to prevent unauthorized access to customer information.
What is Authentication?
Authentication is a systematic or manual evaluation used to determine if you are who you say you are. Authentication answers the question, “How can you prove your identity?” Authentication has evolved over the years and can be sectioned into five areas: Knowledge Data, Accessible Information, Physical Characteristics, Contextual Data and Intelligent Authentication.
Knowledge Data: Authenticators that you know, such as a password, a PIN, or the answer to a security question such as your mother’s maiden name.
Accessible Information: Authenticators that are generated by a device such as the Google Authenticator or hardware devices that produce random codes unique to the owner of the device.
Physical Characteristics: Authentication produced through biometric analysis such as voice patterns, fingerprints and retinal scans.
Contextual Data: Contextual Data is an authentication practice that reduces customer effort by identifying customers through their normal routine. This includes time of interaction, location, device, phone numbers or networks.
Intelligent Authentication (I.A.): The most recent evolution, still in the early stages of development. High-risk industries in Europe are the early adopters of I.A. Intelligent Authentication is an extension of biometrics that learns your behaviors and studies them constantly while you interact with an organization. Examples of Intelligent Authentication include keystrokes, mouse or key holding patterns, touch points, swiping style, speaking string and signature patterns.
Benefits and Best Practices in the Contact Center
The best way to reduce the risk of fraud and identity hacking is to require a multi-factor process. Multi-factor authentication requires more than one type of authentication before access is granted to systems or data. One example is combining Knowledge Data and Accessible Information: requiring a password and a generated code before data can be obtained. Asking for two Knowledge Data authenticators, such as a password and a PIN, would not be considered multi-factor because both belong to the same category.
Consider the goals of each department (Customer Experience, Sales, Marketing, IT, Security, etc.) when evaluating the authentication process. Contact centers could benefit from developing a confidence scoring process. If a customer authenticates within the IVR using their phone number (Contextual Data) and the last four digits of their social security number (Knowledge Data), then you might calculate a score of 20 (theoretical score). In a financial institution, a score of 20 might allow the customer to make a loan payment, but a higher score is required to transfer money. Transactions can also be approved based on a tiered score: for example, withdrawals between $1 and $100 require a score of 50, while withdrawals over $100 require a higher score.
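A sketch of the confidence scoring and same-category rule described in the two paragraphs above, added here as an illustration and not taken from the article or any product. The signal names, weights, and the thresholds of 60 and 70 are assumptions; only the scores of 20 and 50 come from the text.

```python
# Added example: every name, weight and threshold is an assumption unless
# marked "from the article".

# Signal -> authentication category (the article's areas).
CATEGORY = {
    "caller_id_match": "contextual", "known_device": "contextual",
    "ssn_last4": "knowledge", "pin": "knowledge", "password": "knowledge",
    "otp_code": "accessible", "voiceprint": "physical",
}

# Hypothetical weights, chosen so that caller_id_match + ssn_last4 gives the
# article's theoretical score of 20.
WEIGHT = {
    "caller_id_match": 5, "known_device": 5, "ssn_last4": 15, "pin": 15,
    "password": 20, "otp_code": 30, "voiceprint": 40,
}


def confidence_score(signals):
    """Sum the strongest verified signal per category.

    A second signal from the same category adds nothing, so a password plus
    a PIN never scores like a true multi-factor login.
    """
    best = {}
    for name in signals:
        if name not in CATEGORY:
            raise ValueError(f"unknown signal: {name}")
        cat = CATEGORY[name]
        best[cat] = max(best.get(cat, 0), WEIGHT[name])
    return sum(best.values())


def required_score(action, amount=0):
    """Minimum score for a transaction; anything without a policy is rejected."""
    if action == "loan_payment":
        return 20                            # from the article
    if action == "transfer":
        return 60                            # assumed: article says "higher"
    if action == "withdrawal" and amount >= 1:
        return 50 if amount <= 100 else 70   # 50 from the article, 70 assumed
    raise ValueError(f"no policy for {action!r} amount={amount}")


def authorize(signals, action, amount=0):
    """Return (allowed, score, needed) for a requested transaction."""
    score = confidence_score(signals)
    needed = required_score(action, amount)
    return score >= needed, score, needed
```

With these assumed weights, a caller who fails a threshold can be stepped up by asking for a signal from a category they have not yet used, which is the only way the score can rise.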
Once your authentication guidelines are in place, remember to set up a review protocol. Security risks change often and a standard periodic review is necessary to maintain security for your customers. Always seek guidance from your IT Security team and other industry professionals before making authentication decisions.
Unsure if your contact center is following authentication best practices? Give our Customer Care team a call to help.