You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
🔍 Research Parameters
1. I have an existing account
2. There is personal info tied to my account (e.g. orders, data)
3. Company has a customer support phone number
4. USA phone number
5. Inbound calls
@kelleyrobinson
🔍 Research Parameters (continued)
• Mostly information gathering (read)
• Limited actions and account changes (write)
  - This can and did trigger additional security checks
☎ Getting in touch over the phone
1. Customer support number (e.g. Home Depot, Comcast, State Farm)
2. "Call me", a callback requested from the website or app (e.g. Walmart, Amazon, Verizon)
3. No phone number (e.g. Facebook, Lyft)
📲 On the phone
• Most use Interactive Voice Response (IVR) to direct you to the correct use case
• Rarely does your IVR input matter if you end up talking to an agent
📲 On the phone (identification)
1. Automated with the phone number you're calling from
2. Automated with provided info like an account number
3. Manual with an agent
🙌 The Good
Actually authenticating users
• One-time codes for authentication
• Refusing to disclose personal information
Bonus delight:
• Apple lets you choose your hold music 🎵
👍 The OK
Room for improvement but still positive
• Recognizing the phone number you're calling from
• Verifying multiple forms of personal information
• Prompting with relevant account actions
👎 The Bad
Impersonation risk with minimal attacker effort
• Only asking for one form of identity
• Identity is easily accessible public information
• Requiring a Social Security Number
Why are Social Security Numbers bad authenticators?
Meet Mrs. Hilda Schrader Whitcher: her SSN was printed on the sample card packed into wallets sold in 1938, and tens of thousands of buyers went on to use it as their own.
Source: Social Security Administration History
“In fact, a valid SSN can be easily guessed, as they were issued serially prior to June 25, 2011.”
Wikipedia
😰 The... oh... oh no
Wait. What just happened? This is problematic.
• Giving out identity information
• Allowing account changes without authentication
• Asking what phone number to send an SMS token to* (a code sent to a number the caller names proves only that the caller holds that phone, nothing about the account)
🤖 Unify authentication systems
• Use the same rigor for authentication over the phone as you do on your website
• Honor user settings for things like 2FA
💁 Build guardrails for agents
• Limit caller information available to agents
• Only expose information after a caller is authenticated
• Have a small subset of agents with access to the most sensitive actions
• Perform silent authentication where you can (checks that run in the background rather than through the agent)
💁 Build guardrails for agents (continued)
Agent Dashboard 1 vs. Agent Dashboard 2:
• Dashboard 1 displays the caller's email address (grace.hopper@gmail.com) and asks the agent to "verify caller email address before continuing". The agent now holds the answer and can be coaxed into reading it out or accepting a near match.
• Dashboard 2 shows only an empty "Enter email here" field with a Verify button; the agent types the address the caller gives and the system answers with a ✅ or a rejection. The stored value never reaches the agent.
💁 Build guardrails for agents (continued)
• Do a risk assessment using the identity information provided
• Have behind-the-scenes fraud detection
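One way to put these guardrails, together with the earlier points about one-time codes, honoring the customer's 2FA setting and never sending a code to a caller-chosen number, into a call-center backend. This is an added example, not code from the talk or from any Twilio product; the `Account` and `CallSession` types, the `deliver` callback standing in for an SMS API, the "senior" agent tier, the action names and the sample account are all constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 3    # then the caller must request a fresh code
SENSITIVE_ACTIONS = {"change_email", "change_phone", "close_account"}  # hypothetical


@dataclass
class Account:
    account_id: str
    phone_on_file: str     # the only number a one-time code is ever sent to
    email: str
    twofa_enabled: bool    # the customer's own 2FA setting, honored on the phone too


@dataclass
class CallSession:
    ani: str                           # caller ID: spoofable, so it only identifies
    account: Optional[Account] = None
    authenticated: bool = False
    otp: Optional[str] = None
    otp_expires: float = 0.0
    otp_attempts: int = 0


def identify_by_ani(session: CallSession, directory: Dict[str, Account]) -> bool:
    """Identification only: a match on the calling number narrows down who this
    might be. It never sets authenticated."""
    session.account = directory.get(session.ani)
    session.authenticated = False
    return session.account is not None

def agent_verify_email(session: CallSession, typed: str) -> bool:
    """'Dashboard 2' check: the agent types what the caller says and gets only
    yes/no back; the stored address is never returned to the agent."""
    if session.account is None:
        return False
    return hmac.compare_digest(typed.strip().lower().encode(),
                               session.account.email.strip().lower().encode())

def complete_knowledge_auth(session: CallSession) -> bool:
    """Knowledge checks (address, recent order, ...) finish authentication only
    for accounts without 2FA. A 2FA account must also pass check_otp."""
    if session.account is None or session.account.twofa_enabled:
        return False
    session.authenticated = True
    return True

def send_otp(session: CallSession, deliver: Callable[[str, str], None],
             now: Optional[float] = None) -> None:
    """Issue a one-time code to the number on file, never to a number the caller
    dictates. `deliver` stands in for the SMS/voice API call."""
    if session.account is None:
        raise ValueError("identify the account before sending a code")
    now = time.time() if now is None else now
    session.otp = f"{secrets.randbelow(10 ** 6):06d}"
    session.otp_expires = now + OTP_TTL_SECONDS
    session.otp_attempts = 0
    deliver(session.account.phone_on_file, session.otp)

def check_otp(session: CallSession, typed: str, now: Optional[float] = None) -> bool:
    """Constant-time compare, bounded attempts, expiry, single use."""
    now = time.time() if now is None else now
    if session.otp is None or now > session.otp_expires:
        return False
    if session.otp_attempts >= OTP_MAX_ATTEMPTS:
        return False
    session.otp_attempts += 1
    ok = hmac.compare_digest(session.otp.encode(), typed.strip().encode())
    if ok:
        session.authenticated = True
        session.otp = None          # a code is good for exactly one success
    return ok

def agent_view(session: CallSession) -> dict:
    """What the agent dashboard may show at each stage: nothing personal until
    the caller is authenticated."""
    if session.account is None:
        return {"status": "unidentified"}
    if not session.authenticated:
        return {"status": "identified, not authenticated",
                "account_id": session.account.account_id}
    return {"status": "authenticated",
            "account_id": session.account.account_id,
            "email": session.account.email,
            "phone": session.account.phone_on_file}

def authorize_action(session: CallSession, action: str, agent_tier: str) -> bool:
    """Sensitive actions need an authenticated caller and an agent from the small
    'senior' group; everything else needs authentication only."""
    if not session.authenticated:
        return False
    if action in SENSITIVE_ACTIONS:
        return agent_tier == "senior"
    return True
```

The split between `identify_by_ani` and the two authentication paths is the point: caller ID picks the record, a one-time code (or, for non-2FA accounts, knowledge checks) proves the caller, and `agent_view` and `authorize_action` refuse to release data or perform sensitive changes on identification alone. In a real deployment `send_otp` would also be rate limited per account and the directory keyed by normalized E.164 numbers.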
🔐 Consider your threat model
• What are you allowing people to do over the phone?
• Limit sensitive actions if you can't implement true authentication
“It’s culturally acceptable to use your national ID number for identification (e.g. at the supermarket, the cashier will ask you for your ID number to credit your loyalty card).”
Takeaways
✅ Actually authenticate users
📵 Don't share personal information
🤖 Unify authentication systems
💁 Build guardrails for your agents
🔐 Consider your threat model