Despite the incredible leaps and bounds in the digital evolution, the phone channel is still very much a cornerstone for customers to interact with businesses. According to a Gartner’s Financial Services Operations report (December 2022), 46% of people surveyed still prefer to speak to someone on the phone in the service center.1
With customer preference for the phone channel remaining strong, the role of an Interactive Voice Response (IVR) or Interactive Virtual Agent (IVA) is paramount in providing a mechanism for authentication, self-service, and call routing.
Authenticating callers is a critical first step in the process as it opens the gate to a personalized experience, self-service capabilities, and customized routing opportunities. In order to accomplish this, organizations have an obligation to ensure that the authentication method employed provides confidence and trust that the caller actually is who they are claiming to be. A well-designed call flow, with thoughtful requirements around identification and authentication, can balance security with customer satisfaction, increase containment, and result in overall operational efficiencies.
The primary goal of any modern, robust, self-service IVR/IVA platform is to get the caller identified and authenticated as quickly as possible with the least amount of friction and the highest amount of trust. If the caller can quickly and easily authenticate, they are more likely to engage with the platform vs requesting assistance from an agent. Higher levels of trust and engagement also lead to expansion in the types of self-service transactions offered through the platform.
Choosing the appropriate authentication method is crucial as organizations must balance the needs of the contact center, regulatory requirements, the organization’s security requirements, and the customer experience. Authentication methods available for self-service IVR/IVA applications include: knowledge based authentication (KBA) questions, passwords, personal identification number (PIN), one time passcodes (OTP), biometrics, and multi-factor authentication (MFA).
Knowledge Based Authentication Questions
Knowledge based authentication (KBA) questions are the most commonly used mechanism in traditional IVR authentication as well as agent based authentication. Prompts for social security number, account number, member number, date of birth, or phone number might occur in order to identify and authenticate the caller.
KBAs are commonly used because the caller is very likely to know this information when calling into the contact center. Unfortunately, criminals also know this information, as it is widely available across the dark web as a result of phishing, social engineering, data breaches, etc.
Evidence of this assertion is supported in a recent study by Pindrop Labs in which the KBA security of four financial institutions was evaluated. Results found that fraudsters passed KBA at rates of 39%, 45%, 70%, and 83% across the four institutions. This high success rate of bad actors passing authentication processes demonstrates that fraudsters not only have a good understanding of the typical identity verification procedures used by financial institutions, they are also equipped to answer them with ease.2
- Use of KBA is a relatively low-cost and easy to implement method as it only requires the technology to validate the information provided by the caller
- Callers typically know the information and can easily provide it without much frustration or friction
- Presents a significant security risk as most of the information is easily accessible or guessed by fraudsters
- Data sources of the information on file may be inaccurate or outdated, leading to caller frustration
- Limited scale of what types of questions can be asked and answered in an automated IVR system due to limitations with or inability to perform speech recognition
- The value and use of KBA as the only form of authentication has been deprecated by the National Institute of Standards and Technology (NIST)3
Traditional alphanumeric identifiers and passwords work well for online and mobile applications. The use of this method in a traditional IVR/IVA application is not often employed as it is difficult for voice recognition to correctly interpret a caller’s utterance due to the significant amount of phonetic overlap in sounds. Think “A”, “H” and “eight”, “B”, “V” and “D”, “P”, “C” and “T”, etc.
Although this technology has come a long way over the years, solutioning for unconstrained alphanumeric sequences remains a challenge.
- Most callers are familiar with creating and remembering simple passwords
- Password-based authentication is relatively low cost and easy to implement
- Secure passwords are complex, oftentimes unable to be spoken in recognizable words
- Increased frequency of data breaches forces consumers to change passwords regularly, making them difficult to remember
- Significant degree of phonetic overlap in sounds may impact speech recognition and lead to increased frustration and friction for callers when speaking their passwords character by character
- In DTMF based applications (no speech recognition), password entry via the keypad is extremely difficult, degrading the customer experience
Personal Identification Number (PIN) is a commonly used way to authenticate a caller in self-service IVR/IVAs, specifically within the financial vertical as most accounts have a credit/debit/atm card PIN established for transactional purposes. This is implemented by simply prompting the caller to say or enter their 4 or 6 digit PIN. There are both positive and negative impacts with PIN based authentication.
- PINs are more convenient than a traditional password
- PINs are typically short and easy to remember
- PINs can be more cost effective than using other forms of authentication
- Use of PINs pose a significant security risk as they are short and limited in strength, making them easier to guess or crack
- Use of a PIN alone (single-factor authentication) is limited and may not provide sufficient security when allowing someone to gain full access to an account
- PINs are also subject to the same data breach risks as KBA and Passwords and are often sold on the dark web as a package deal for monetization by criminals4
OTP as an authentication mechanism has existed for over 40 years – think hardware token generating random codes for entry into a computer application. Over time, this evolved to sending a soft token to the email address on file.
With the explosion of the use of mobile phones, SMS-based OTP quickly gained widespread use as it required only the phone and not the hardware token. Again, the primary use case for either an SMS-based or email-based OTP was centered around digital experiences. As businesses, particularly financial institutions, take action to modernize their IVR and self-service capabilities, it has become increasingly necessary to find more secure ways of verifying the identity of callers in order to allow them to transact.
OTP is sometimes offered as an option for callers to receive an SMS-based code and then provide it to the IVR/IVA application in order to service their call.
- Enhanced security as long as the OTP is only sent to registered mobile phone numbers or email addresses
- Provides a form of fraud mitigation as the OTP is only valid for a single session, making it difficult for hackers to gain unauthorized access using the same OTP
- Response to a numeric passcode is easier than providing a complex password in an IVR/IVA application
- User experience is cumbersome as the method requires users to switch between their IVR call and their mobile phone or email application in order to retrieve the passcode which could ultimately lead to low success rates and decreased caller engagement
- Security risk posed as hackers may gain access to a caller’s email or mobile device and intercept the OTP
- The total cost of ownership can be expensive, especially if the IVR/IVA handles significant call volumes, which could outweigh the cost savings of the tool overall
Biometrics offer a unique and secure way to authenticate individuals based on their physical or behavioral characteristics. Commonly used biometric technologies include: facial recognition, voice recognition, fingerprint recognition, iris recognition and behavioral biometrics.
The use of biometric technology in IVR/IVA platforms is gradually evolving as organizations seek ways to improve security without compromising caller experience. For the self-service telephony applications that do employ the use of biometrics, voice recognition is by far the most commonly implemented of the technologies.
In order to use voice biometric technology, a caller must first enroll. This requires the caller’s voice to be analyzed to create a voiceprint or a unique representation of their voice which is securely stored. The next time this person calls into the IVR/IVA, the system captures their voice and compares it to what was previously stored on the enrollment call. If there is a match, the caller can be considered authenticated and allowed to proceed with their transaction.
- Voice biometrics is non-invasive and easy to use: the caller doesn’t have to remember a complex password, carry a specific device, or speak a particular language
- Decreased vulnerability by providing a layer of security that is very difficult for unauthorized users to access and steal
- Can be more cost-effective as it reduces the costs associated with other methods of authentication such as agent and OTP based authentication
- Provides significantly high accuracy with a low rate of false positives and false negatives
- Not all callers may be able to use voice biometrics due to physical disabilities or medical conditions
- Not all contact centers have speech based IVR/IVA applications, relying solely on DTMF (key presses)
- Some callers may be uncomfortable with collection and storage of biometric data privacy concerns
The use of multi-factor authentication (MFA) in IVR/IVA platforms requires users to provide multiple forms of identification before they are granted access to information or services. Typical MFA strategies involve:
- Something the caller knows: this is often an account number, member ID, social security number, or PIN.
- Something the caller has: this is typically a mobile device that must be present in order for the caller to confirm their identity.
- Something the caller is: this refers to biometrics, which are typically voice based in an IVR/IVA environment.
One way this may be implemented in an IVR application is to first ask the caller to provide a piece of information (something they know), such as an account number. The next step in the process could be a mobile push or OTP to the mobile device on file for that account (something the caller has), and the final step might be to evaluate the caller’s voice as they provide their account number or OTP passcode (something the caller is). MFA can involve two or all three of the factors when authenticating a caller.
- By combining multiple forms of identification, MFA can provide a higher level of security than a single authentication method
- MFA typically meets most industry standards for compliance with regulatory requirements
- When designed properly, MFA can provide a more convenient and expedient authentication process
- MFA can reduce the cost per call by decreasing the average handle time associated with the call
- If not designed properly, MFA could add friction to callers which could negatively impact the customer experience
- Implementation of MFA often requires integration of additional hardware and software, which can increase the costs to service the call
Organizations must carefully assess the potential risks and benefits associated with each method of authentication when designing a modern day IVR/IVA authentication module. Balancing security, compliance, and cost, along with the user experience, is required in order to protect customer data, secure the call, and delight the customer.
As the fraud landscape continues to evolve, it is imperative that enterprises remain vigilant to implement authentication solutions that prevent fraud and maintain customer satisfaction and loyalty.5 Finally, it is critical that organizations invest in the overall design of the solution. Any methodology that is poorly designed can lead to lower customer satisfaction rates and increased cost.
2. Pindrop 2003 Voice Intelligence Report
3. https://pages.nist.gov/800-63-FAQ/ NIST Special Publication 80-63: Digital Identity Guidelines (March 3, 2022) Q-B07: Is the use of knowledge-based authentication permitted?
4. Pindrop, 2022 Voice Intelligence & Security Report, Gomez, Miguel, Dark Web Price Index 2020, Feb 2022,https://www.privacyaffairs.com/dark-web-price-index-2020/
5. Pindrop 2003 Voice Intelligence Report