Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Contact Center Authentication


Published on

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?

Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

Contact Center Authentication

  1. 1. Contact Center Authentication Kelley Robinson | OWASP AppSec California 2019 @kelleyrobinson
  2. 2. This talk has everything • My social security number • My mother's maiden name • The email I briefly used 11 years ago • Accidental phishing
  3. 3. Kelley Robinson Contact Center Authentication @kelleyrobinson
  4. 4. Millennial spends 14 hours on the phone with customer support agents Kelley Robinson @kelleyrobinson
  5. 5. @kelleyrobinson ☎ 🔐👋 $
  6. 6. @kelleyrobinson 🔍 Research Parameters
  7. 7. 1. I have an existing account 2. There is personal info tied to my account (i.e. orders, data) 3. Company has a customer support phone number 4. USA phone number 5. Inbound calls @kelleyrobinson 🔍 Research Parameters
  8. 8. • Mostly information gathering (read) • Limited actions and account changes (write) - This can and did trigger additional security @kelleyrobinson 🔍 Research Parameters
  9. 9. @kelleyrobinson
  10. 10. @kelleyrobinson ☎ Getting in touch
  11. 11. ☎ Getting in touch over the phone @kelleyrobinson 1. Customer support number 2. "Call me" 3. No phone number i.e. Home Depot, Comcast, State Farm i.e. Walmart, Amazon, Verizon i.e. Facebook, Lyft
  12. 12. @kelleyrobinson 📲 On the phone
  13. 13. • Most use Interactive Voice Response (IVR) to direct you to the correct use case • Rarely does your IVR input matter if you end up talking to an agent @kelleyrobinson 📲 On the phone
  14. 14. 1. Automated with the phone number you're calling from 2. Automated with provided info like account number 3. Manual with an agent @kelleyrobinson (identification)📲 On the phone
  15. 15. @kelleyrobinson Identity Authentication Personal information (i.e. date of birth) Google-able, probably doesn't change Proof of identity, usually with a secret (i.e. one time password)
  16. 16. @kelleyrobinson Identity != Authentication
  17. 17. @kelleyrobinson
  18. 18. @kelleyrobinson 📊 The Results
  19. 19. @kelleyrobinson Authentication Call center identification
  20. 20. @kelleyrobinson 🙌 The Good 👍 The OK 👎 The Bad 😰 The. . . oh. . . oh no
  21. 21. @kelleyrobinson 🙌 The Good Actually authenticating users • One time codes for authentication • Refusing to disclose personal information Bonus Delight: • Apple lets you choose your hold music 🎵
  22. 22. @kelleyrobinson 🙌 Automated intro: “Welcome to Netflix. For faster service, log in to and find the 6 digit service code located at the bottom of any web page. ”
  23. 23. @kelleyrobinson 🙌
  24. 24. @kelleyrobinson 👍 The OK Room for improvement but still positive • Recognizing the phone number you're calling from • Verifying multiple forms of personal information • Prompting with relevant account actions
  25. 25. @kelleyrobinson 👍 Automated intro: “Welcome back, Kelley. I see you're flying from Los Angeles to Newark Liberty today, are you calling about that trip? ”
  26. 26. @kelleyrobinson 👎 The Bad Phishing risk with minimal effort • Only asking for one form of identity • Identity is easily accessible public information • Requiring a Social Security Number
  27. 27. @kelleyrobinson Why are Social Security Numbers Bad Authenticators? Meet Mrs. Hilda Schrader Whitcher Social Security Administration History
  28. 28. @kelleyrobinson “In fact, a valid SSN can be easily guessed, as they were issued serially prior to June 25, 2011. Wikipedia
  29. 29. @kelleyrobinson 😰 The. . . oh. . . oh no Wait. What just happened? This is problematic. • Giving out identity information • Allowing account changes without authentication • Asking what phone number to send an SMS token to*
  30. 30. ✅ Recommendations
  31. 31. @kelleyrobinson 🤖 Unify authentication systems
  32. 32. @kelleyrobinson • Use the same rigor for authentication over the phone as you do on your website • Honor user settings for things like 2FA 🤖 Unify authentication systems
  33. 33. @kelleyrobinson Case Study
  34. 34. @kelleyrobinson Pre-call
  35. 35. @kelleyrobinson Context During call
  36. 36. @kelleyrobinson 🤔 After call
  37. 37. @kelleyrobinson What about my TOTP?
  38. 38. @kelleyrobinson 💁 Build guardrails for agents
  39. 39. @kelleyrobinson • Limit caller information available to agents • Only expose information after a caller is authenticated • Have a small subset of agents that have access to do the most sensitive actions • Perform silent authentication 💁 Build guardrails for agents
  40. 40. @kelleyrobinson 💁 Build guardrails for agents Verify caller email address before continuing: Verify caller email address before continuing: VerifyEnter email here vs. ✅ Agent Dashboard 1 Agent Dashboard 2
  41. 41. • Do a risk assessment using provided identity • Have behind the scenes fraud detection @kelleyrobinson 💁 Build guardrails for agents
  42. 42. @kelleyrobinson 🔐 Consider your Threat Model
  43. 43. @kelleyrobinson • What are you allowing people to do over the phone? • Limit sensitive actions if you can't implement true authentication 🔐 Consider your Threat Model
  44. 44. @kelleyrobinson 1 International Differences
  45. 45. @kelleyrobinson Case Study
  46. 46. @kelleyrobinson “It’s culturally acceptable to use your national ID number for identification (e.g. at the supermarket, the cashier will ask you for your ID number to credit your loyalty card). ”
  47. 47. What next?
  48. 48. @kelleyrobinson ✅ Actually authenticate users 📵 Don't share personal information 🤖 Unify authentication systems 💁 Build guardrails for your agents 🔐 Consider your threat model Takeaways
  49. 49. @kelleyrobinson THANK YOU! @kelleyrobinson
  50. 50. @kelleyrobinson