You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone.
🔍 Research Parameters
1. I have an existing account
2. There is personal info tied to my account (e.g. orders, data)
3. Company has a customer support phone number
4. USA phone number
5. Inbound calls
@kelleyrobinson
☎ Getting in touch over the phone
1. Customer support number (e.g. Home Depot, Comcast, State Farm)
2. "Call me" (e.g. Walmart, Amazon, Verizon)
3. No phone number (e.g. Facebook, Lyft)
📲 On the phone (identification)
1. Automated with the phone number you're calling from
2. Automated with provided info like account number
3. Manual with an agent
🙌 The Good
Actually authenticating users
• One time codes for authentication
• Refusing to disclose personal information
Random Bonus Delight:
• Apple lets you choose your hold music 🎵
👍 The OK
Room for improvement but still positive
• Recognizing the phone number you're calling from
• Verifying multiple forms of personal information
• Prompting with relevant account actions
👎 The Bad
Phishing risk with minimal effort
• Only asking for one form of identity
• Identity is easily accessible public information
• Requiring a Social Security Number
😰 The... oh... oh no
Wait. What just happened? This is problematic.
• Giving out identity information
• Allowing account changes without authentication
🤖 Match the Rigor of Web Authentication
• Remember the user experience
• Take advantage of the voice platform
• Honor user settings for things like 2FA
💁 Build guardrails for agents
• Limit caller information available to agents
• Only expose information after a caller is authenticated
• Have a small subset of agents that have access to do the most sensitive actions
• Perform silent authentication
💁 Build guardrails for agents
Agent Dashboard 1: "Verify caller email address before continuing:" with the stored address (grace.hopper@gmail.com) displayed to the agent
vs.
Agent Dashboard 2: "Verify caller email address before continuing:" with an "Enter email here" field and a Verify button; the agent types what the caller says and sees only a ✅ when it matches
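To make the Dashboard 2 pattern concrete, here is an added Python example (not code from the talk) of the backend such a dashboard would call. The agent submits what the caller says and gets back only match / no match; the stored address never reaches the screen, the comparison is constant-time, an unknown account answers the same as a wrong email, and repeated misses lock the check for the call so the agent escalates instead of guessing. The ACCOUNTS store, MAX_FAILED_ATTEMPTS and the function names are constructed for this example.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Constructed sample data for this example: a tiny account store keyed by the
# account ID the IVR or agent has already identified. A real system would load
# the record from the CRM after identification and still never hand the raw
# email to the agent screen.
ACCOUNTS = {
    "acct-1001": {"email": "grace.hopper@gmail.com", "name": "Grace Hopper"},
}

# Assumed policy for this example: after this many misses the check locks for
# the call and the agent has to escalate instead of trying more guesses.
MAX_FAILED_ATTEMPTS = 3
_failed_attempts = defaultdict(int)
_verified = set()  # account IDs whose caller passed verification on this call


def normalize_email(value: str) -> str:
    """Fold case, Unicode form and surrounding whitespace so an agent typing
    'Grace.Hopper@Gmail.com ' still matches the stored address."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def _fingerprint(value: str) -> bytes:
    """Hash before comparing so both sides are the same length; compare_digest
    then takes the same time regardless of where the strings differ."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def agent_verify_email(account_id: str, claimed_email: str) -> bool:
    """Agent Dashboard 2 backend: the agent submits what the caller said and
    gets back only match / no match. The stored address never leaves here."""
    if _failed_attempts[account_id] >= MAX_FAILED_ATTEMPTS:
        return False
    account = ACCOUNTS.get(account_id)
    # Compare against a dummy for unknown accounts so timing and the answer
    # do not reveal whether the account exists.
    stored = account["email"] if account else "nobody@example.invalid"
    matched = hmac.compare_digest(
        _fingerprint(normalize_email(stored)),
        _fingerprint(normalize_email(claimed_email)),
    )
    if matched and account is not None:
        _failed_attempts[account_id] = 0
        _verified.add(account_id)
        return True
    _failed_attempts[account_id] += 1
    return False


def agent_dashboard(account_id: str) -> dict:
    """What the agent screen is allowed to render: before verification only
    the prompt (Dashboard 2); after it, the fields the agent needs."""
    if account_id not in _verified:
        return {"prompt": "Verify caller email address before continuing", "fields": {}}
    account = ACCOUNTS[account_id]
    return {"prompt": "Caller verified", "fields": dict(account)}


def end_call(account_id: str) -> None:
    """Clear per-call state when the call ends or a supervisor overrides."""
    _failed_attempts.pop(account_id, None)
    _verified.discard(account_id)
```

The verified flag lives on the server side (here a set, in practice the call session), so the agent UI cannot simply assert that the caller passed; it can only ask the backend.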
🔐 Consider your Threat Model
• What are you allowing people to do over the phone?
• Limit sensitive actions if you can't implement true authentication
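An added Python example (not code from the talk) that ties the "match the rigor of web authentication" and "consider your threat model" slides together: assurance levels for how the caller was identified (caller ID, account knowledge, or a one-time code), a one-time code flow that stores only a hash and limits age and attempts, and an authorize() that gates each phone action on the level it needs and raises every account change to the one-time-code level when the user has turned on 2FA. The ACTIONS table, OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS and the session layout are assumed policy values for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    """How strongly we know who is on the line, weakest to strongest."""
    NONE = 0         # nothing checked yet
    CALLER_ID = 1    # calling from the number on file; caller ID is spoofable
    KNOWLEDGE = 2    # answered account questions; often public or breached data
    POSSESSION = 3   # entered a one-time code sent to the phone on file


# Assumed policy table for this example: the minimum level each action needs,
# and whether it changes the account (what a user who turned on 2FA expects
# their second factor to protect).
ACTIONS = {
    "order_status":            (Assurance.CALLER_ID, False),
    "update_shipping_address": (Assurance.KNOWLEDGE, True),
    "change_email":            (Assurance.POSSESSION, True),
    "change_phone_number":     (Assurance.POSSESSION, True),
    "reset_password":          (Assurance.POSSESSION, True),
}

OTP_TTL_SECONDS = 300   # assumed value
OTP_MAX_ATTEMPTS = 3    # assumed value


@dataclass
class Account:
    id: str
    phone: str
    two_factor_enabled: bool


@dataclass
class CallSession:
    account: Account
    caller_id: str
    assurance: Assurance = Assurance.NONE
    otp_hash: Optional[bytes] = None
    otp_expires: float = 0.0
    otp_attempts: int = 0


def start_session(account: Account, caller_id: str) -> CallSession:
    """Identification, not authentication: a matching caller ID only earns
    the weakest level, because inbound caller ID can be spoofed."""
    session = CallSession(account, caller_id)
    if caller_id == account.phone:
        session.assurance = Assurance.CALLER_ID
    return session


def record_knowledge_check(session: CallSession, passed: bool) -> None:
    """The agent confirmed account details with the caller."""
    if passed and session.assurance < Assurance.KNOWLEDGE:
        session.assurance = Assurance.KNOWLEDGE


def issue_otp(session: CallSession, now: Optional[float] = None) -> str:
    """Generate a 6-digit code and keep only its hash. The returned code is
    what the SMS/voice channel delivers to the phone on file; it is never
    shown to the agent and never sent to the caller ID of the inbound call."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.otp_hash = hashlib.sha256(code.encode()).digest()
    session.otp_expires = (time.time() if now is None else now) + OTP_TTL_SECONDS
    session.otp_attempts = 0
    return code


def verify_otp(session: CallSession, submitted: str, now: Optional[float] = None) -> bool:
    """Single-use, time-limited, attempt-limited check of the caller's code."""
    if session.otp_hash is None or session.otp_attempts >= OTP_MAX_ATTEMPTS:
        return False
    if (time.time() if now is None else now) > session.otp_expires:
        return False
    session.otp_attempts += 1
    if hmac.compare_digest(session.otp_hash, hashlib.sha256(submitted.encode()).digest()):
        session.otp_hash = None  # single use
        session.assurance = Assurance.POSSESSION
        return True
    return False


def authorize(session: CallSession, action: str) -> Tuple[bool, Assurance]:
    """Return (allowed, level required). If the user turned on 2FA, every
    account change needs possession, whatever the table says."""
    required, changes_account = ACTIONS[action]
    if changes_account and session.account.two_factor_enabled:
        required = max(required, Assurance.POSSESSION)
    return session.assurance >= required, required
```

The point of the table is the threat-model question on the slide: decide per action what a caller may do at each level, and when the code path for true authentication is not available for an action, the answer from authorize() is "no" rather than a fallback to knowledge questions.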
Takeaways
✅ Actually authenticate users
📵 Don't share personal information
🤖 Match the rigor of your web authentication
💁 Build guardrails for your agents
🔐 Consider your threat model