Elevating IT Security with Customer Authentication in Call Centres

Date: 24 September 2024

Featured Image

IT security teams and call centres have a lot of privileged access. They have control over accounts and smart devices and if they’re tricked, their privileges can easily be used by a malicious party to get access or exploit the system. So, the cornerstone of proper IT security lies in knowing that there’s a real person on the other end of the line. 

The key to safe customer authentication lies in proper security standards. 

Put simply, it means that the IT system in a call centre needs to have a reliable method of confirming that the person on the other end of the line really is who they say they are. You want to know that you’re really talking to your customer and not some random hacker or scammer.

With that in mind, here are some of the techniques that call centres can use to elevate their IT security standards and make their customer authentication methods more sophisticated.

New call-to-action

1. Multi-factor Authentication (MFA)

We’re going to skip the natural first step of just using a strong password, seeing as how everyone is using passwords, and no platforms will allow you to register otherwise. So, if you are contacting the call centre via your regular account, you already have a password. The password needs to be random, unique, and complex, but on its own, it’s still not enough to protect your account.

Apps like keyloggers can steal even the most complex passwords, but this shouldn’t be too big of a problem if you have MFA in effect. At the very least, you should have 2FA (two-factor authentication), which means that once the password is used, you get a code via email or SMS. 

Now, MFA can involve different forms of identification like biometrics (fingerprints or facial recognition), personal identification numbers (PINs), or verification through a trusted device. This flexibility makes it easier for businesses to adopt solutions that fit their needs while providing potential customers with a seamless and secure experience during their calls.

By requiring multiple forms of authentication, MFA significantly reduces the chances of fraud. Getting a password is easy, but getting a password, access to one’s email and device, and being able to replicate one's face and fingerprint are nearly impossible. 

Now, the main downside of this is the fact that it prolongs the time it takes for people to log into their accounts. This is a huge problem and the main reason why some people avoid using MFA. Then again, with good call center software, you can drastically reduce the time it takes for the customer to get in touch with a representative. In other words, you can save time elsewhere while not having to compromise on your cybersecurity. 

New call-to-action

2. Knowledge-based Authentication (KBA)

Other than just asking for their password and code, there are other ways to confirm it’s really your customer and not an impersonator on the line. Just think about all those Sci-Fi and fantasy shows you watched where a shapeshifter, an alien, or a robot tried to impersonate one of the characters. The way to confirm it’s really them was to either ask them something only they knew, ask them to recall something you did together or look for a quirk that you know they had.

Behavioral authentication is a simpler concept; it’s rarely as flashy as it is on the screen. The correct technical term for this behavioral evaluation is knowledge-based authentication (KBA).

You can start by asking a customer a personal question. This is usually something that they’ve picked in advance, like their mother’s maiden name or the name of the street they grew up in. The problem is that this is something that anyone who has access to your social media can easily figure out. 

A better idea is to go with more complex, random questions. Ideally, the customer would come up with the question themselves, but since a lot of them may struggle to come up with something good (you would be surprised at how hard it is to even come up with a good password on-spot). So, have some suggestions and provide them with a bit of guidance.

Next, you can generate questions not shared by the customer. This is the so-called dynamic KBA. Here, the business can use things like previous caller behaviour, transaction history, previous addresses, etc.

Even if the interaction took place via video call, video transcription can help turn unstructured data into structured data and feed it into business CRM (customer relationship management) software. 

3. Biometric Authentication

In the past, biometric authentication was supposed to be the most accurate and reliable form of confirming your identity. Today, with the emergence of deepfakes and AI voice generators, this is no longer the case. Still, biometric authentication is still more reliable than people give it credit for, and it’s not like its developers are not heavily investing in improving the algorithm that’s supposed to recognize these scams. 

So, what are some of the most common biometric methods used?

The first one is voice recognition technology, which captures the unique characteristics of a customer’s voice to verify their identity. Since everyone’s voice is distinct, it’s a secure way to confirm someone’s identity without requiring passwords or PINs. For call centres, this method also offers convenience, as it fits seamlessly into voice-based customer interactions. 

Many call centres integrate mobile apps that allow customers to authenticate their identity through fingerprint or facial recognition. These biometric methods are highly secure because they’re unique to the individual. Plus, they’re fast, eliminating the need for customers to remember multiple passwords or answers to security questions. 

Biometric authentication often relies on characteristics that are (or at least were, up until recently, really hard to replicate). This means that they’re supposed to be quite effective but also quite quick. Scanning your thumb is a lot quicker than typing a password, and it’s definitely not something that you can forget. 

A biometric scan is a password that you can never forget or lose.

This is a user-friendly alternative to traditional methods. No sequences to memorize and nothing you’re supposed to repeat or remember. Customers just provide a fingerprint or repeat a phrase, and that’s it.  

New call-to-action

4. Continuous Authentication

You have to keep in mind that call takeover is a real thing and a real threat. A recorded part of the call is also possible, as a pre-recorded script. 

So, what you need to do in order to ensure this doesn’t happen to you is to keep verifying the caller’s identity at various points during the conversation, not just at the beginning. This ensures that the person on the call remains the legitimate customer throughout the entire interaction, preventing fraudsters from hijacking the call midway through. 

Continuous authentication monitors for any suspicious behaviour during the call, such as changes in voice patterns or inconsistent information. If anything unusual is detected, additional verification methods can be triggered without alerting the customer, maintaining the smooth flow of the conversation while boosting security. 

This method doesn’t interfere with the natural flow of the conversation. Ongoing monitoring works in the background, ensuring the customer’s identity is continuously validated without interruptions. This approach makes the process seamless for customers while helping call centres maintain robust security standards.

This method allows for a frictionless experience by continuously authenticating the customer throughout the call. Customers won’t need to verify their identity repeatedly, and call centre agents can provide efficient service without being slowed down by multiple security checks, all while maintaining a high level of security. 

5. Risk-based Authentication

Think about the way your m-banking app works. You need a PIN to log in. From there, if you want to buy something online, you may be asked to generate a one-time token or re-enter your PIN. If you just want to check out the account, you can do it without the app bothering you much. 

A similar principle needs to be applied here, as well. 

Risk-based authentication adjusts the level of security required depending on the customer’s profile and activity. For instance, routine low-risk actions might require less stringent security, while higher-risk transactions for unusual behaviours could prompt additional verification steps to ensure the caller is legitimate. 

For high-value transactions or sensitive account charges, risk-based authentication automatically ramps up security measures. This could include requesting additional forms of identification or performing extra checks to confirm that the caller is authorized, providing extra peace of mind in high-stakes scenarios.

Risk-based authentication reduces friction for routine calls by adapting the security process to the customer’s behaviour. For example, if a customer calls from the usual location and requests simple information, they may encounter fewer verification steps, ensuring a quicker and more convenient interaction with the call center. 

New call-to-action

Keeping customer authentication reliable requires you to understand modern threats

The modern world is different. With deepfakes, not even having a video call with the customer is a 100% guarantee that it’s them on the other end of the line. Then, you have call takeovers, hackers studying people on social media, and keyloggers to worry about. In other words, modern call centres need to invest a lot more in customer authentication than they used to. Still, this is mandatory for anyone determined to keep their system tight. 


Author: Srdjan Gombar  

Srdjan Gombar  

Veteran content writer, published author, and amateur boxer. Srdjan has a Bachelor of Arts in English Language & Literature and is passionate about technology, pop culture, and self-improvement. In his free time, he reads, watches movies, and plays Super Mario Bros. with his son.