Getting Contact Center Authentication Right in 2021

Matt Smallman & Dan Miller
21 min watch

Dan Miller of Opus Research and I got the opportunity to sit down virtually and discuss the continued challenges of authentication in the contact centre. This was the first of what I hope will be many conversations as part of our joint Business of Intelligent Authentication series. Dan has so much experience in how this market has evolved that it was great to hear his perspective, and it got me thinking as well.

We covered a wide range of topics, including

As this is our first attempt, please bear with any minor production issues and feel free to let Dan or me know if you have any suggestions for improvement or topics you'd like covered.

Participants

Matt Smallman

Matt is the author of “Unlock Your Call Centre: A proven way to upgrade security, efficiency and caller experience”, a book based on his more than a decade’s experience transforming the security processes of the world’s most customer-centric organisations.

Matt’s mission is to remove “Security Farce” from the call centre and all our lives. All organisations need to secure their call centre interactions, but very few do this effectively today. The processes and methods they use should deliver real security appropriate to the risk, with as little impact on the caller and agent experience as possible.

Matt is an independent consultant engaged by end-users of the latest authentication and fraud prevention technologies. As a direct result of his guidance, his clients are some of the most innovative users of modern security technology and have the highest levels of customer adoption. He is currently leading the business design and implementation of modern security for multiple clients in the US and UK.

Dan Miller

Dan Miller has over 25 years' experience in marketing, business development and corporate strategy for telecom service providers, computer makers and application software developers. Dan founded Opus Research in 1985 and helped define the Conversational Commerce marketplace by authoring scores of reports, advisories and newsletters addressing business opportunities that reside where automated speech leverages Web services, mobility and enterprise software infrastructure.

Transcript

[00:00:00] Matt Smallman: Hi, and thanks for joining us. I'm, at the moment, I'm head of consulting at SymNex Consulting or help organizations apply new technologies to customer experience problems.

[00:00:11] Dan Miller: Wow. And I'm Dan Miller, lead analyst at Opus Research. And we do analysis of technologies that we call conversational and we've been covering this area of authentication and intelligent authentication

[00:00:26] Matt Smallman: for, and, and today we're going to be talking about the challenges of identification and authentication in the contact center and what you can do to address them as we move into 2020.

[00:00:35] Dan Miller: Right. But the overarching theme that the way we're doing it now has certain deficiencies that in many ways, drive customers away, or at least slow them down from completing the tasks that they're after. And may also be deleterious to building trust with your, with your best customers. But I'll, I'll let Matt go into some of the details there 

[00:00:57] Matt Smallman: For me, the main, the main challenge everything else seems to stem from is this continued dependence on knowledge-based authentication. That's when we depend on something the caller knows in order to confirm their identity. This is your typical kind of social security number, date of birth, mother's maiden name type challenge. And knowledge-based authentication isn't, in its own right, a bad thing.

It's mostly that we've just found ourselves dependent with varied intentionality, and the consequences of it are real but often overlooked. It impacts security. Initially, first off, it's obviously hard to make particularly secure because the same details are used everywhere. The more secure we tend to make it, such as biting passwords, the more expensive and potentially less usable.

So some interesting numbers recently: Forrester's research that 57% of 259 global fraud prevention decision-makers report an increase in contact center fraud in the last year. And the majority of that would have been against knowledge-based authentication. Secondarily, it impacts usability. As, as Dan says, regardless of method we use, it's really frustrating because customers, consumers across the world hate it.

BT's latest survey, where they've been going out every, every year or so looking at what they call the autonomous customer, in the last year says that 60% of customers say the ID&V takes long and 50% say they would like to spend more if they trusted the security, the contact center. So we can see it's other hearts.

It's either too hard to get right, or it's not secure enough. And I think many processes we see today are actually really security theater that exists to be seen to do something, even if we all know they're not actually achieving very much. And then finally, for me, it really impacts efficiency.

There's a bottom line impact beyond fraud. Many knowledge-based authentication processes are very hard to automate. And if we fail to automate things at the start of the call, we miss the opportunity to do more things for the customer in self-service. Sometimes we choose really obscure questions in the name of security and have to wait for callers to rifle through their filing cabinets.

Other times we ask lots of questions, taking up time that could be better served resolving the caller's query. And then finally, when it all goes wrong, we often tell callers to call back, wait for a letter or go and visit us in an even more expensive physical.

[00:03:04] Dan Miller: And I'll go a little bit further. This is not news.

There shouldn't be news to many people in our audience. I remember something like the FIDO Alliance, which was organized, I think, going on 12 years ago and declaring the password dead at, at that point. Or at least that their objective was to, was to kill the password. And then there was solid reason for that.

And, and, you know, got into the nuts and bolts of it that, that it's expensive, it's ineffective and it turns off customers, gee, you know, but, but it's compounded now as, as Matt also mentioned, is that we redefined self-service in such a way. So much of the business, we carry out over our smartphones and other devices.

It can be a smartphone. It'd be a smart speaker, could be a regular phone, website, just go down the list. It's a continuous process. You know, we call it conversational commerce because it's something that takes place over time. And then there's these moments which might be urgent in many cases, when you reach out, you know, through a voice channel or try to reach a contact center.

You want results quickly. So, but, but you also want it to be trusted and personalized. So there's these advantages to authenticating continuously and to making it part of this ongoing conversation. 

[00:04:21] Matt Smallman: I think that really neatly leads us on to the, the phrase that Dan and team at Opus have coined, which is intelligent authentication.

The time really is right for intelligent authentication now. So, so Dan, do you want to tell us a bit more about what that means?

[00:04:32] Dan Miller: Right. And, and I don't think just doesn't sound insulting, like, oh, it's, it's authentication, do it intelligently. We, we we, that we've broken it down into like five different elements and, and continuity is sort of the, over an overarching theme about this, that, gee, if, when you think about it it's, it's really good for companies, banks, healthcare providers, telecommunications companies, or whomever to already have some element of confidence that a person calling the contact center is whom he or she claims to be. So in a way we're working towards a point where you're just looking for those tells or anomalies that might raise a flag.

So what are the, what are the elements here? First of all, the, these conversations are happening in real time. So, you know, there's a lot of discussions about support, digital commerce, all sorts of things happening asynchronously, but one thing's for sure: when you pick up and you want to talk to somebody, hey, you don't want to be put on hold, but once you're talking, you know, you don't want to be stopped to try to answer questions or have or remember your password and that sort of thing.

So this, this notion of doing something with awareness that it has to take place in real time. We also think, you know, according to this notion of continuity and personalization and that sort of thing, that a system of authentication be risk aware, so that you don't, if you do have high confidence that an individual is whom they claim to be, you know, for instance, it's Dan using Dan's phone and there's evidence that he is located where Dan originates those calls.

There's really not a lot of reason to lay it on thick and look for very strong authentication if you're already pretty confident. And that speaks to, that speaks to what you can provide, but it also speaks to a requirement that, you know, there is such a thing as a risk engine that is taking into account information about that call, about that caller, so that they can assign some level of risk that, that deals with, you know, how much an agent or an automated system is comfortable providing to that individual before using.

You're asking for more information or that sort of. The third issue is that it be adaptive. And I think I've, I've sort of talked to that, that, that you assign a risk profile, both to the individual and what that individual is trying to do. And you adapt in, in real time. So we're working a hierarchy here.

The approach to authentication and personalization, I would add, that's most appropriate to both of those: who it is, what they're trying to do. Multifactor should be a given. I would argue that there's no such thing as single factor. 'Cause by the time you sort of are aware of where the device that's, something originated from, that's like something the person has. You're adding something they know. We've, we've counseled towards biometrics as, you know, the something you are and something that can be sort of gauged in the midst of a conversation or, you know, more quickly than, than using knowledge-based though. It also means you can use knowledge-based and in order to get sort of a, a stronger level of confidence that the individual is whom he or she claims to be, and that they're entitled to do the sorts of things.

You know, Andrew can pull up information at the individual. And the third is, is multilayer. Which I think, you know, that that's one of the more problematic terms. Matt might have a better idea of what this means, but one thing is to think about is, to me, it maps to this notion that, that the infrastructure, the hardware, the software that supports authentication is secure by design.

And that there's an awareness that these conversations take on a... wait, should we stop? 'Cause Derek's saying that, that he lost me, but did you lose me?

[00:08:44] Matt Smallman: Huh. 

[00:08:45] Dan Miller: Okay. Well, you have to edit this one out, but, 

[00:08:48] Matt Smallman: That's fine. It records in your local browser and then sends the file afterwards. So you don't have to worry about connectivity.

We do lose it. It's it should still keep going, but I can cut it. 

[00:09:00] Dan Miller: That's good to know. So Derek says okay. But anyway, so let me see where it was. 

[00:09:04] Matt Smallman: Yeah, so, 

[00:09:07] Dan Miller: Yeah, exactly. So multilayered is, is the final sort of attribute of intelligent authentication and it's a little squishier, but to my mind that it maps to this concept that all of the infrastructure, hardware, software, communications networks, and that sort of thing, be secure by design from the beginning. So, I mean, there'll always be some point of weakness or an attack surface, if you will. But, you know, eventually you have to be thinking about end-to-end encryption, about if there's data being transferred over the voice channel or, or whatever that that it, that.

Be diverted or, or victim of a person in the middle sort of approach that, that there is, you know, some design principles that, that put security as, as well as convenience upfront that it's a, it's a matter of design. 

[00:10:01] Matt Smallman: Wow. So, so a lot of things for people to get right. I guess if you guess, if you take, if you take a step back from that, you don't.

All of that. I think that's what you would kind of define as your kind of vision for intelligent authentication. I think even just taking one or two steps to being more intelligent in authentication is, is better than we are today. And from my perspective, some of those, some of those first steps need to really be about balancing usability with risk. You, you called it some risk aware, but I think we need to make the, the effort that the customer goes through proportional to the, their perceived risk of the thing that they're doing. For me, the best kind of usability is when there is nothing to use: the caller and/or the agent doesn't need to do anything.

And there are a range of technologies out there. Contribute to intelligent authentication and it's kind of passive friction-free and effortless mechanisms. So they have to be top of the list of things you'd look at. And you talked about biometrics in a second grade and if you use a struggle to use those technologies, then we're going to impact some other element of the experience.

No one calls a contact center to prove they are, to prove that they are who they claim to be. They call to get stuff done. So the more we can get our processes out the way, the better. And I also like to think about balancing two sides of the same coin. The first is authentication, which is about increasing our confidence about the caller is who they say they are.

And the second is really fraud detection or anomaly detection, like reducing the risk that the call is fraudulent or there's something suspicious going on. For me, ultimately authentication has the greatest long-term benefit. Like if we can be really sure everyone who's calling is who they claim to be, then there isn't a lot of need for fraud detection. But that can be a long, long and hard journey. And so we can see some really dramatic impacts just from combining fraud detection with authentication approaches. So we we've, we've talked about, we've talked about some of these things. What would you tell us about this kind of concepts?

What do you, what do you see as some of the most promising technologies in this space? 

[00:11:46] Dan Miller: Yeah. And, and bear in mind, I'm going to recite these as a very interested third party analyst. I think we can bounce ideas back and forth about sort of their, their likelihood and appropriateness and readiness for easy deployment, but, you know, I spoke to the fact that that no single authentication or technology is existing in a background.

What Opus homed in on and has seen evolve was initially using voice biometrics as a factor for strong authentication. And now it maps to, hey, using your. As part of a multifactor security or authentication, you know, methodology and there's been advancements there that are very, very interesting to me.

You spoke about stuff that doesn't require a specific action either by the agent or caller. And that speaks to, you know, looking at what, what can be done passively and in the background. And that speaks to, you know, passive authentication or text-independent voice authentication turns out to be really, really interesting.

Also on the horizon, and this, this is just a slight departure from that, just methodologies for that are behavioral in nature. And I say it's only a slightly different is the neat thing about voice from the beginning had been that there, there there's a physical element to it very much like a fingerprint that doesn't ever change, that the nature of your voice reflects the, the shape of your vocal passages and that sort of thing, but it's also a behavioral factor because the way you speak, your cadences, the words you use and that sort of thing are, are starting to be recognized as a behavioral factor, like so many others. And that, that interest into this. So many others that we're hearing about with which there there's, you know, it uses me like keystroke analytics or something like that, but how people are keying things into their phone, how they're holding their phone, there, there's a number of other sort of behavioral issues.

That are behavioral tells if you will, that lead to strong and quick and passive authentication. And I think we're seeing, you know, with the, with cameras being everywhere, of course, the, the combination of, of face ID, not just for device activation but for trans you know, for providing some level of confidence that the individual is whom he is he or she claims to be.

So it's this move to behavioral, the addition of more factors being taken into account to inform that risk engine. That's where I think that there's a lot of action, but I, I want to hear what, what you're seeing, you know, among your clients in terms of the uptake or the readiness to sort of incorporate these new things into the, the mix of.

[00:14:47] Matt Smallman: Yeah. And I think, I think that's a really interesting mix of technologies in there. And certainly some of those were my to-watch list as well. Well, I think we've seen, well, I've seen certainly as I kind of transitioned over the last few years when kind of voice biometrics being the golden answer to every problem.

When in fact it's probably we've asked you have seen some great examples in financial services where it's been intelligently applied, drives huge improvements in security and usability, it simply won't be right for everyone. And even those, for those who, for whom it is right, it's just one kind of tool in the toolbox.

And what we really need to be thinking about doing is filling our toolbox with appropriate tools and then choosing the most appropriate tool depending on the context of the customer and, and their inquiry and the risk. And that is intelligent authentication. So whilst we have voice biometrics, we even have some really simple stuff that we're still not making the best use of.

So in some low risk scenarios, simple kind of ANI matching, matching the, the inbound phone number with the recognized for the customer's records is, could be alone, could be good enough for the majority of customer interactions in low risk environments. And then there's a range of anti-spoofing and fraud detection tools that can give increased confidence that that number really is the number that, that called you.

So I think there's some really easy wins there. There's still a big missed opportunity, I think, for combining device-based security from the digital channel. A lot of organizations have done a great job with apps and with their digital channel, but they really haven't talked to the telephone channel. And a lot of those users are coming from one to the other, except we have no transfer of context and we have no transfer of security. So I think there's some really easy opportunities and we've seen some really technically simple stuff to do, like click-to-call with a bit of authentication tacked on the end from inside your app.

And I'm sure, and the same is feasible from, from another number of other digital channels. And then, then, like Dan said, these, these aren't necessarily fully proven in the authentication context, but I know they're already proving their worth in the fraud detection space as these behavioral tools.

So not necessarily kind of looking kind of how the customer's doing the same thing each time, but looking at what are those telltale behaviors that fraudsters do all of the time. And if we can identify those with a high degree of confidence, then we don't need to put everyone else through such huge hurdles in order to get them in.

And I think there's some really, really useful work coming out from a variety of different vendors in that space. And I'm looking forward to how that even gets extended in terms of authentication as well. So it's pretty clear that for me, I think it's not gonna be any simpler in the future that there isn't a one size fits all solution that will wipe away everything that went before.

And I think that then comes back to the kind of thinking about intelligent authentication as a whole. And the missing component I see for many companies is this kind of orchestration layer. So let's, let's face up to the reality that we're going to have many ways in which we may want to authenticate and increase our confidence and reduce the risk of fraud in a call.

But what we need to do is to be able to tie those all together and be able to present both the caller and often the agents or our automated systems with appropriate decisions for that. So I think before you can start doing. Everyone would need to take a step back and be more intentional, as I said up front, about exactly how we want to authenticate callers in the future.

[00:17:55] Dan Miller: Yeah. And this kind of lays the foundation for a number of future conversations we're going to have, Matt, when you think about it. There you, you, you pointed to specific gaps in solutions. This one that does relate to continuity, you know, to having the confidence that an individual that's been to the website that's doing or been in the mobile app hits click-to-call should not have to reauthenticate if they've done it already.

So this notion of, of repetitive authentication, we didn't pay enough attention to the other. It's just the exposure to false negatives. It's sort of like and you've been in internal discussions, you know, at, at your clients where the person from security will say something like I cannot tolerate a.

Positive. I can't have an imposter come in here. But I think from a customer's point of view and we are doing more than paying lip service to customer experience it's the false negatives that drive you nuts. And, and, you know, not a day goes by for me where I haven't failed to authenticate with my finger on my phone to activate it and end up putting in my password.

I think I'm 50/50 with, with some of the technologies that are supposed to be vital, you know, in, in addition, not remembering passwords or failing these, these quads, I you know, challenge questions. Yeah, we, we just have to be aware that we're in this multi authentication for the purpose of personalization and convenience world.

And we have the technologies available to fill in the gaps. And, you know, we'll talk about some of the specifics of those in, in our future chats here. 

[00:19:40] Matt Smallman: Thanks, Dan. Yeah, I think, I think in terms of some actionable steps that people can take away from today's conversation, the first, the most important thing to do, and hopefully you've made this point, is, is to take a step back, that there is no right or wrong way to do this.

And very few people have a blank sheet of paper. So, so a lot depends on the context, organization you work in, where we've come from and what your priorities are. And we always start by benchmarking this, this current state. And it's always surprising to me how few organizations have a good handle on exactly how these processes performed today against those things we talked about at the start.

I mean, how usable is it? How secure is it and how much does it contribute to the efficiency of your operation? So take a step back and evaluate yourself in those, in those ways. And we we've actually built a scorecard that kind of captured our best practice on our website. So if you want a bit more structure to start with, and you're welcome to give that a go.

And 

[00:20:30] Dan Miller: I had, I think there's a lot to talk about, not just between the two of us, but among a community of interested individuals, both on the security side or the digital commerce side. And I recommend bookmarking or visiting opusresearch.net to keep in a thread of discussions of what's going on in, quote, intelligent authentication, unquote, and also I, I'm, I'm on Twitter and trying to, you know, just sort of highlight some of the developments here.

I'm DNM54, from back in the day when Twitter really wasn't just a text messaging system and they told you to have short handles

[00:21:09] Matt Smallman: And you can email me at Matt dot Smallman at symnexconsulting.com. That's S Y M N E X consulting.com. And you can learn more about us on our website, www.symnexconsulting.com, and that's where you find our scorecards as well as more information about contacting us.

And we are hopefully back in a few weeks time, Dan, to talk in more detail about the bottom line benefit case for getting some of this stuff. Dig into a little bit more detail about exactly what we mean by efficiency and the real financial impact of getting some of this stuff. Exactly. 

[00:21:39] Dan Miller: Building the business case.

W where, yeah, I mean, this is very real and you want, wanna, you wanna, you know, bring it down to business 

[00:21:46] Matt Smallman: terms. So thanks so much for joining us. Everyone have a great day and goodbye.