PINDROP BLOG

Cancel The Questions! Rethinking Authentication To Balance Service & Security

There are many ways to complete call authentication, but the process typically involves using information (“factors”) from one or more of the following categories:

  • Something you know
  • Something you have
  • Something you are

In theory, something you know, something you have, and something you are could be combined to confirm that a person is who they say they are. Ideally, only you should know your favorite pet’s name, your phone should be within arm’s reach, and your voice is unique to you. But in reality, these categories are not created equal. To the extent that a factor can be compromised, authentication may become ineffective, inefficient, or frustrating.

Some factors of authentication can also be Active or Passive. Active Authentication is the process of authenticating calls by requiring callers and/or agents to actively participate in authentication. Passive Authentication is the process of authenticating calls without any interaction with the caller or required actions by the agent or the caller. 

Let’s review how each category of authentication could impact security and customer experience.

Something you know

‘Something you know’ is perhaps the most common form of authentication used. Passwords, PINs, Member IDs, account numbers, and security questions are considered Knowledge-Based Authentication (“KBA”). KBAs can be Dynamic or Static. Dynamic KBA is the use of publicly available information to verify identity and the questions are updated as your public information changes. Static KBA is the use of questions with presumably unique answers that should be specific to you. 

Security

Data breaches and wide-scale social engineering like phishing and vishing have exposed the personal information of hundreds of millions of Americans to fraudsters. As a result, ‘something you know’ is quickly becoming just ‘something you know, too’. What’s more, research from Gartner suggests that more than half of the time, fraudsters are able to supply the right answer to a KBA question.

The Customer Experience

The answers we provide to security questions are like great hiding spots; they can be so good that we forget them! Pindrop internal data places the percentage of callers who forget the answer at 20%-40%. If you provided the answers to your security questions years ago, do you still have the same favorite food today? Did you write New York City as ‘New York’ or ‘NYC’? Do we really have just one favorite pet? 

There may be a tendency to submit clever or less-than-obvious answers to security questions, in part because we understand that they are really just another form of password. Thus, the customer faces a dilemma: potentially compromise their protection in favor of an answer that’s easier to remember, or complicate the answer knowing that doing so might frustrate their own experience later on. Making customers responsible for this choice is just one of the issues with using security questions. Other forms of ‘something you know’, like passwords or account numbers, face the same challenge: customers are apt to forget the information and be forced into another form of authentication anyway. In the end, ‘something you know, too’ might be better described as ‘something you might know’.

Businesses should not rely on ‘something you know’ factors as a means of efficient or effective authentication, given how readily available the information is for fraudsters online, how frequently customers fail the requirement, and the time and related frustration needed to complete the process. A ‘something you know’ strategy is unlikely to provide sufficient security or customer experience, much less a balance of the two.

Something you have

‘Something you have’ involves using a physical possession to authenticate a caller. This can include a cell phone or key fob. As a factor of authentication, providing ‘something you have’ can be either active or passive.  

Security

Technology has made it more challenging for a business to determine when a caller actually has something in their possession that only they should have. Commonly, that ‘something you have’ is a device, like a cell phone. In the past, when an individual called a business from a device, the business could simply use the phone number displayed on the caller ID to search their database for a match with a customer account. With a match, at least one factor of authentication could be completed instantly and passively to the benefit of both parties. This process is called ANI (Automatic Number Identification) matching, and 42% of contact centers rely on it to authenticate. But today, the rise of call spoofing has undermined this otherwise efficient and customer-friendly strategy. Spoofing allows a caller to change the number shown on the caller ID. Without the ability to detect spoofing, a business using ANI match runs the risk of matching a spoofed number to a customer’s record and rolling out the red carpet to a fraudster posing as a customer. The fraudster gains an advantage, having automatically cleared at least one factor of authentication before ever reaching an agent. This fraud risk is heightened if the fraudster does not need an agent at all to complete their scheme. Thus, ANI matching implementations are inherently compromised without ANI Validation.
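To make the risk in the paragraph above concrete, here is an added example (not Pindrop code) of the decision logic a contact center might apply at the start of a call. It contrasts a bare ANI match, which treats any caller-ID hit as a cleared factor, with a match that is gated on an ANI validation result. The customer directory, the `AniStatus` values, the two-factor policy and the route names are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AniStatus(Enum):
    VALIDATED = "validated"  # validation attests the presented number is genuine
    SPOOFED = "spoofed"      # validation found the presented number was altered
    UNKNOWN = "unknown"      # no validation result is available for this call


# Constructed directory keyed by E.164 number (placeholder data, not real customers).
CUSTOMERS = {
    "+14045550100": {"name": "A. Example", "account": "ACCT-0001"},
    "+14045550101": {"name": "B. Example", "account": "ACCT-0002"},
}

REQUIRED_FACTORS = 2  # assumed policy: two factors before a sensitive transaction


@dataclass
class CallDecision:
    account: Optional[str]   # account pre-loaded for the IVR/agent, if any
    personalize: bool        # safe to greet by name and pre-populate details
    factors_cleared: int     # factors satisfied passively so far
    active_steps_left: int   # factors the caller must still complete actively
    route: str               # where the IVR sends the call


def decide_naive(ani: str) -> CallDecision:
    """Bare ANI match: trusts the caller ID as presented (the risk the post describes)."""
    rec = CUSTOMERS.get(ani)
    cleared = 1 if rec else 0
    return CallDecision(rec["account"] if rec else None, bool(rec), cleared,
                        REQUIRED_FACTORS - cleared, "self_service" if rec else "agent_auth")


def decide_validated(ani: str, status: AniStatus) -> CallDecision:
    """ANI match gated on ANI validation: a match counts as a factor only when attested."""
    rec = CUSTOMERS.get(ani)
    if rec is None:
        return CallDecision(None, False, 0, REQUIRED_FACTORS, "agent_auth")
    if status is AniStatus.SPOOFED:
        # The presented number matched a customer but was altered: treat the call as
        # high risk and do not expose that customer's name or details to the caller.
        return CallDecision(None, False, 0, REQUIRED_FACTORS, "risk_review")
    if status is AniStatus.VALIDATED:
        return CallDecision(rec["account"], True, 1, REQUIRED_FACTORS - 1, "self_service")
    # UNKNOWN: keep the match as a routing hint only, with no factor and no personalization.
    return CallDecision(rec["account"], False, 0, REQUIRED_FACTORS, "agent_auth")
```

The difference to watch is the spoofed case: the naive path would greet the caller by the customer's name and count a factor as cleared, while the gated path returns no account, no personalization and a risk route.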

Customer Experience

Asking customers to participate in their own authentication adds points of failure, which can add friction to their experience. Using the cell phone as an example, ‘something you have’ is not always ‘something you have handy’. How do we safely access a key fob while driving? How do we find our account number online or in an email if we have a bad internet connection or we are already using our phone for the call? If the ‘something you have’ isn’t easily accessible, the remaining authentication requirements prolong the process and amplify frustration. In some ways, if the ‘something you have’ still requires a caller to actively participate, the impact is quite similar to ‘something you know’.

However, ‘something you have’ can be passive (e.g. ANI match supported by ANI Validation). When passive, a business can authenticate the something in question behind the scenes to reduce or eliminate the burden on the caller. Passive methods can facilitate the seamless experience that customers have become accustomed to in other channels, where providing information digitally can be automated in ways that are less clunky than providing information out loud. The passive approach can also help lower average handle time, cost per call, and the number of calls that require agents, all of which are important performance metrics for contact centers.

While active authentication of ‘something you have’ can be effective in some scenarios, passive techniques can be equally effective while also being faster, more cost-effective, and more customer-friendly.

Something you are

‘Something you are’ uses a person’s unique attributes as a means of authentication. Good examples are your voice, your speech or behavior patterns, or your fingerprints. ‘Something you are’ is the most convenient form of authentication because a person is never without it. 

Security

Unlike the other factors of authentication, ‘something you are’ does not rely on knowing the answers to secrets or questions. It does not require access to or possession of a device. ‘Something you are’ is more secure because there are fewer ways for the information to be missing or compromised.

Customer Experience

‘Something you are’ can contribute to a good customer experience because there are fewer points of failure. It doesn’t rely on a caller’s memory or on a possession that may not be accessible. There is also no wasted time on security questions or passcodes because the entire process takes place passively as the caller engages in conversation with the IVR or agent. 

‘Something you are’ authentication methods are highly accurate and sophisticated and can be an ideal long-term choice for businesses that aim to fully automate a multi-factor authentication process. Particularly for businesses that deal in sensitive information or process high fraud risk transactions, ‘something you are’ authentication offers a one-stop shop to help secure interactions while also limiting the number of active steps for customers to complete. ‘Something you are’ authentication can also be bolstered with other layers of protection that utilize data and machine learning to assist in the authentication process.

Conclusion

The ultimate goal of authentication is to establish more secure interactions with customers. But if what is required for that security ends up making customers feel like criminals, we may inadvertently resolve one issue only to incur another. While finding the right balance of service and security can be tricky, beginning with a ‘something you have’ approach (like ANI Match + ANI Validation) can be a fast first step toward benefiting a greater number of customers.

As a starting point, passive ‘something you have’ authentication can restore trust in the number calling and provide a better experience for customers through:

  • Personalization. This can include greeting the caller by name (in the IVR or at the agent level), and pre-populating account details instead of asking the caller to spell or repeat information. Personalization helps customers feel valued and contributes to long term brand spending and loyalty.
  • Prediction. From pending orders to known account issues, from regular callers to those with recent requests, the ability to anticipate why someone is calling and meet the customer “where they are” can be a differentiator for businesses competing to provide superior service. Particularly in the IVR, suggesting menu options upfront, bypassing them entirely, or providing relevant messages automatically can replicate the flexibility and features over the phone that customers enjoy online.
  • Risk management. Identifying risks early in the call process helps to optimize security resources and can allow agents to focus on providing superior service.

The passive capabilities within this process can also work to lower handle time and cost per call, which can generate the return on investment needed to fund future investment for layering in a more comprehensive ‘something you are’ strategy.