Voice Authentication Needs to Move Beyond Your mother’s Maiden Name
Process is all important when it comes to ensuring that a call centre agent is talking to the person they say they are, and in an age of increasing cybercrime and identity theft we all need to strictly follow process. But why is it all still so tedious – both for the agent and the customer? It’s even more tedious when you get passed from one department to another and you hear the dreaded words again, “now we’ve just got to go through some security questions”. The customer’s heart sinks: “Haven't we just done this? They already know it’s me. Don’t they?”
There are two problems here. One is the slow process of voice authentication and secondly, the inability to transfer authenticated data from one department to another - because there is no digital record of authentication.
It’s not as if the verbal question/answer authentication system is exactly 100% secure. It’s well-known that fraudsters can easily socially engineer details such as date of birth, PIN numbers and that old classic, mother’s maiden name, from members of the public - ironically by pretending to be calling from a call centre. Even better for them, the public’s lax attitude towards personal security on social media such as Facebook has made it even easier for them. It’s extraordinary what people will give way about themselves on these platforms thinking only their “friends” can see it. But that’s another story...
So the systems we have are both time consuming and not particularly secure. What are the alternatives? There are already advances being made in areas such as Knowledge Based Authentication (KBA) which is really a fancy name for asking more wide ranging and deeper questions about a person’s identity which may be far more personal and much harder for criminals to discover and steal (in theory at least). However, while this may protect both parties more effectively, it still means more time consuming procedures for both the customer and call centre agent. Two factor authentication is more secure but token systems don’t lend themselves easily to voice-based authentication.
Voice biometrics is another avenue being investigated but such systems are likely to work best when the voice is recognised directly by the device or entry point being accessed. A phone line suffers from variable call quality which can mask the speaker’s identity leading to authentication failure. Not to mention that people’s voice tones are dependent on health or even the time of day.
I believe the answer may lie in taking advantage of the digital identities that we are all building around ourselves online. This would be a digital extension of the KBA principle mentioned above.
We are creating our own data stacks by dint of our online activity through online shopping, web browsing and social media etc. What if we offered individuals the chance to create their own encrypted digital authentication identity that could generate digital signatures, based on facts from their digital activities? This would be shared between customers and any particular organisation such as a bank or insurance company that sometimes relies on voice based interactions.
The contents of the digital identity would be known only to the customer but to authenticate themselves to the bank, the agent would ask for two or three details from that digital identity. The agent would then interrogate the identity using special software that decrypts the identity, while still hiding the full identity from the agent, and then sending a positive or negative response. The answer would be available in seconds and once authenticated, the digital signature generated could be transferred from one department to another.
This may seem like science fantasy, but surely we need to move on from PINs and our mother’s maiden name. After all, I can’t even remember my mother’s maiden name. But I know what book I last ordered from Amazon...
