Web applications often have secure login systems—maybe even 2FA—but what happens when a customer calls the customer support phone number? Security teams and app developers have thought a lot about online authentication, but haven't applied the same rigor to designing systems for authenticating over the phone.
At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This post will take a look at that research and outline best practices to use in call centers.
To test the over-the-phone authentication, I made a list of companies where:
- I have an existing account
- There is personal info tied to my account (i.e. orders, data)
- The company has a customer support phone number
I limited this to US-based companies, or at least companies that had a US support number. I also limited my research to inbound calling: the process of outbound authentication (i.e. Comcast calls me) is a different beast.
With a few exceptions I almost always bypassed automated systems so I could talk to an agent. I always called with my own phone and was accessing my own account information - I never tried to do anything nefarious. I would occasionally ask for additional details about the security of my account but I avoided letting the agent know I was doing this for research purposes.
I also needed to have a use case for calling these places. Most often I would call to get recent orders or account balances or similar information. I had some situations where I needed to change things in my accounts and if I had time I would call to do that.
There were several occasions where I was only met with additional security once I tried to take an action or change something, so not everything I was asking for may have required additional security. For example, Amex validated my phone number to look up account information, but required an SMS one-time passcode when I needed a new credit card mailed to me.
Here are some of the places I called. I'll discuss these in detail in this post, especially calling out the places that are doing things well.
☎️ Getting in Touch
My goal was to call all of these businesses and there were a few common ways to do that.
1. Customer support number
Most retail, utility, insurance, and banking companies have all made it easy to find the customer support number to call them. Some of these places even prefer this communication channel over some kind of text help form. Examples include Home Depot, Comcast, and State Farm.
2. "Call me"
More sophisticated tech companies actually make it hard to find the number. Walmart, Amazon, and Verizon push the "call me" feature where you give them a phone number and they will call you when they have an agent available.
3. No phone number
Finally there are the places where there just isn't customer support offered over the phone. I couldn't find a phone number for Lyft and Facebook's phone hotline says they don't offer phone support.
More companies are adopting option two to save money, but I focused on option one for consistency.
📲 On the Phone
Once connected there are a lot of similarities between how companies build out their customer support lines. Most use Interactive Voice Response (IVR) to direct you to the correct use case. Unfortunately, rarely does IVR input matter if you end up talking to an agent.
There are a few common ways call centers attempt initial identification:
- Automated with the phone number you're calling from
- Automated with provided info like account number
- Manual with an agent
But identification is *not* the same as authentication. I can provide my phone number, but a lot of people know my phone number, so how do I prove that I'm me? Identity for our purposes is going to mean static information like date of birth (DOB). Identity information is usually Google-able (or available for sale on the black market) and probably doesn't change. Authentication is how to prove identity with some secret factor.
❌ Identity != Authentication
Identity and authentication are not the same thing but identity is constantly used to prove other aspects of identity -- especially in contact centers. I heard things like "authenticate your account with your Date of Birth" more times than I would have liked. DOB is not a secret, it's just a piece of information about me that won't change.
📊 The Results from Calling Dozens of Contact Centers
This chart shows the different forms of identity and authentication encountered in my research.
Phone numbers are the most common form of identification.
Names were also commonly used. It was not always clear if names were used for identification or just personalization, though.
Account number includes any kind of ID specific to the company, including things like insurance subscriber ID or the Apple IMEI number on your device.
Sadly I only encountered a few companies that used secrets for authentication. Examples of actual authentication include:
- PIN
- SMS 2FA
- Service code
- Calling me
I did not count the one time I was asked a security question because they asked me for my mother's maiden name and that's another piece of identity information.
🙌 The Good: Actually Authenticating Users
If a company used any kind of secret it was usually a good experience. This mostly included one-time codes sent through SMS. I also appreciated when they would refuse to give out additional personal information. For example, if I asked what address was on my account most places wouldn't tell me.
A bonus: I was put on hold a lot but Apple was the only place I called that let you choose hold music 🎵.
Netflix's automated intro says: "Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page."
The service code does refresh but I'm not sure how often. It seems to be time based and not session based. The code did not change after logging out and back in, but the code had changed after waiting a day and checking again.
🙌 American Express
Another example of good authentication came from Amex. They sent me this SMS message after I needed to take an action on my account. Up to that point they had only used my phone number for identification.
I like that they provide a contact number to report fraud in case this is phishing. One thing I'm not a huge fan of is that this text message lacks context - it could mention that I'm trying to call Amex, for example.
👍 The OK: Room for Improvement but Still Positive
Most places fell into this category. It's fine, maybe they did the cost analysis and decided tighter security wasn't worth it, but I still think there's room for improvement.
Some of the good things I saw in this category:
- Recognizing the phone number you're calling from
- Verifying multiple forms of personal information
- Prompting with relevant account actions
👍 United Airlines
For example, United recognizes my number when I call in. It also knows about my upcoming flights, which is useful because there's a really good chance that is what I'm calling about.
There is a risk here because they're providing some location data, but flight info is ephemeral and I think it aids in the overall usefulness of the call. I did have some places like utility companies automatically give me back my full address when I called in from my phone number, and I'm less comfortable with that because that information can be used in a lot more harmful ways.
👎 The Bad: Phishing Risk with Minimal Effort
Companies in this category could be easily phished with basic information about the target. Common things I saw here:
- Only asking for one form of identity
- Required identity is easily accessible public information (phone number or DOB)
- Requiring a Social Security Number
Even if companies were using multiple forms of identity, some places only used common public identity information like phone number, name, or email. I called one financial services company that let me change my password with only my phone number as "authentication" 😟.
And then there's requiring a social security number.
Social security numbers (SSN) are useful for identity because they're not easily Google-able. They're also not an authenticator, because even though they are treated like a secret, they are not one.
Mrs. Hilda Schrader Whitcher was the secretary for the CEO of a wallet manufacturer when social security cards started in the early 20th century. The E. H. Ferree company did an entire campaign to show that wallets could easily hold a social security card. They printed Mrs. Whitcher's real social security number on those cards. Naturally, she had to change her SSN, but as recently as 1977 there were still 12 people using her number as their own. The Equifax hack in 2017 opened up the same can of worms that E. H. Ferree did in 1938. Except instead of one person, it's all of us.
Social security numbers were invented for social security. They were never intended to be used for tax purposes or for getting a credit card. On top of that, people can probably narrow down an SSN because they were issued serially until June 25th, 2011.
😰 The...oh...oh no: What just Happened? This is Problematic.
Social security numbers are bad, but not the worst of what I saw. I had companies that were:
- Giving out identity information
- Asking what phone number to send an SMS token to
- Allowing account changes without authentication
Giving out identity information was more common than I would have liked. This ranged from asking affirmative questions ("is your username Kelley1234?") to offering details in an attempt to be helpful ("I see we shipped your last order to 123 Main St…"). This is problematic since, as shown, identity information can be used to gain access to accounts.
I was happy when someone used SMS for authentication, but more than one company asked me what phone number to use. One clarified that they were using that information to confirm the number on file, others were not able to make the same assurance. Finally, there were a few places, like the story below, that allowed me to make account changes without ever actually authenticating.
🏨 How I Accidentally Phished a Major Hotel Chain
I started my notes "Wow. No idea what happened here" after getting off a call with a company I'll just call HotelX. I called to get a copy of my room folio from a recent stay sent to my email. The IVR said it didn't recognize the phone I was calling from and prompted me to verify my phone or account number. I typed in my phone number and was connected to an agent. She looked up my reservation with the name, specific hotel name, and check-in date. She then sent the email which did not arrive right away. Sometimes that happens so I didn't think much of it.
Then I asked about the phone number prompt from the beginning and if the system was able to look up the number on my account. She said no, she'd looked up my account with my email. I asked what phone number was on my account and she gave me a phone number: a phone number that was not mine. At this point I was just confused so I wrote down that number and asked her to change the phone number to mine. She did and I ended the call.
After hanging up I logged into my account online to check out what information had been updated. There was no phone number on my account. I used Twilio Lookup to search for the phone number and found out it belonged to a Kathy Robinson. My guess is that the agent misheard my email address and that I accidentally phished Kathy and changed the phone number on her account. Sorry Kathy!
Learning from Accidental Phishing
I don't blame the agent here. HotelX had no systems in place to prevent this kind of mistake from happening. Agents are trained to be kind and helpful. This was hardly the first time someone on the other end has been patient or accommodating when I provided incorrect information or didn't have answers to their questions.
The following recommendations will help prevent both accidental phishing and intentional phishing.
🤖 Recommendation: Match the Rigor of Web Authentication
Conflating identity and authentication creates a messy experience for over-the-phone security. Using things like one-time passcodes helps minimize phishing risk. This includes honoring user settings for things like 2FA.
Overall, Amazon offered strong over-the-phone authentication, but when I inquired about security in the call they followed up with an email advising me to set a strong password. They never asked me for a password in the call.
Strong Authentication: SMS One-time Passcodes
Inputting a username and password over the phone is unreasonable (though some companies did request this in my research!). There are other factors to use for authentication in this context like SMS tokens, which is what Amazon did. Unfortunately I have TOTP 2FA set up on my account and this was never used.
Strong Authentication: Voice Recognition and Verbal Passcodes
"The service records you speaking a passphrase, then confirms your identity when you call by comparing your voice to the recorded passphrase."
Verbal passwords are another potential solution for adding a knowledge factor to your security.
Strong Authentication: Hybrid Platform Security
A good example of hybrid platform security is YouTube authentication on Smart TVs. Like a phone call, typing in a username and password is tough to do with a TV remote. Instead, YouTube displays a one-time passcode on the TV. Then the user inputs the passcode on their phone or computer in an authenticated session. I would love to see contact centers take a similar approach.
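The hybrid flow described above, sketched as server-side code. This is an added example, not code from the post or from any of the companies mentioned; it assumes a 6-digit code, a five-minute lifetime, single use, and in-memory tables in place of a real database.

```python
import hmac
import secrets
import time

# Assumptions (not from the post): a 6-digit code, valid for five minutes, single use.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
SERVER_KEY = secrets.token_bytes(32)   # constructed; a real deployment loads this from a secret store

# Constructed in-memory tables standing in for the contact center's database.
_pending = {}   # code digest -> {"call_id": ..., "expires": ...}
_proven = {}    # call_id -> account_id that confirmed the code from a logged-in web session


def _digest(code):
    # Keyed digest: a leaked table neither reveals the codes nor lets them be replayed.
    return hmac.new(SERVER_KEY, code.encode(), "sha256").hexdigest()


def issue_call_code(call_id, now=None):
    """Contact-center side: mint the code the agent reads out to the caller.

    The code is bound to this call only; it says nothing about which account is calling."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[_digest(code)] = {"call_id": call_id, "expires": now + CODE_TTL_SECONDS}
    return code


def confirm_from_web(code, session_account_id, now=None):
    """Web side: the customer, already logged in, types the code the agent read out.

    The account id comes from the authenticated web session, never from the caller,
    so the call gets bound to whoever actually controls the account."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(code.strip()), None)   # consumed on first successful match
    if entry is None or now > entry["expires"]:
        return None
    _proven[entry["call_id"]] = session_account_id
    return entry["call_id"]


def authenticated_account(call_id):
    """Agent desktop: which account, if any, has this call proven control of?"""
    return _proven.get(call_id)
```

Until `authenticated_account` returns an account, the agent desktop should treat the caller as merely identified, not authenticated.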
💁 Recommendation: Build Guardrails for Agents
Agents are trained to be kind and helpful. Make it easy for them to succeed in helping the customer and hard for them to accidentally do something bad. A few strategies for this include:
- Limit caller information available to agents
- Only expose information after a caller is authenticated
- Have a small subset of agents that have access to do the most sensitive actions
- Perform silent authentication
I called one major retailer who asked for my email address to verify my account. They had already looked up my account with my phone number so I gave them my email but it was incorrect. I legitimately couldn't remember what email I had used so the agent ended up giving me the email's TLD. Once I had that I was able to provide the email, but so would a would-be attacker. To prevent this, here are two options for agent dashboards:
Agent Dashboard 2 is an example guardrail. This is also more time-consuming for the agent, so it's up to the business to determine whether or not the extra security is worthwhile. Since time is a big consideration for optimizing support costs, there are a few other tools that can protect the business and support agents.
- Look up a phone number to determine the line type (VoIP numbers are correlated with more fraud)
- Provide a risk assessment for the caller with a service like PinDrop
These are actions that can be done before the call ever reaches an agent. If a caller is too risky, either terminate the call or send it to a specialized agent. For example, American Express seamlessly handed me off to a security specialist when I needed to perform a more sensitive action.
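One way to build the guardrails from this section into an agent desktop, as an added example that is not code from the post or from any vendor named in it. The account record, the action-to-level table and the routing rule for VoIP lines are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample account; every value here is made up.
ACCOUNTS = {
    "acct-42": {"phone": "+15105550123", "email": "kelley@example.com",
                "address": "123 Main St", "last_order": "Order 9001"},
}
# "identified": a record was found from caller-supplied data.
# "authenticated": a secret factor (OTP, service code) was verified for this call.
ACTION_LEVEL = {"order_status": "identified", "change_phone": "authenticated",
                "new_card": "authenticated"}
RISKY_LINE_TYPES = {"voip"}   # assumption: these callers go to a specialist before any agent


@dataclass
class CallSession:
    account_id: Optional[str] = None
    authenticated: bool = False
    line_type: str = "mobile"
    failed_checks: int = 0

    def agent_view(self):
        """Redact the record until the caller is authenticated, so nothing can be read back."""
        if self.account_id is None:
            return {}
        rec = ACCOUNTS[self.account_id]
        return dict(rec) if self.authenticated else {k: "[hidden]" for k in rec}

    def check_claim(self, field_name, claimed):
        """Yes/no check of a caller-supplied value; the stored value never leaves the system."""
        if self.account_id is None or field_name not in ("email", "phone"):
            return False   # only fields with a canonical form are checkable
        stored = ACCOUNTS[self.account_id][field_name].strip().lower().encode()
        ok = hmac.compare_digest(stored, claimed.strip().lower().encode())
        if not ok:
            self.failed_checks += 1
        return ok

    def route(self):
        """Pre-agent triage: risky line type or repeated failed checks go to a specialist."""
        risky = self.line_type in RISKY_LINE_TYPES or self.failed_checks >= 3
        return "specialist" if risky else "agent"

    def allowed(self, action):
        """Sensitive actions stay locked until a secret factor has been verified."""
        need = ACTION_LEVEL.get(action)
        if need is None or self.account_id is None:
            return False
        return self.authenticated if need == "authenticated" else True
```

The `check_claim` path is the "Agent Dashboard 2" idea: the agent learns only whether the caller's answer matched, never the email or its domain.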
🔐 Recommendation: Consider your Threat Model
Price is always going to be a consideration, so think about the application threat model and how much risk to assume over the phone. Determine what actions are allowed over the phone and limit sensitive actions if implementing true authentication is not possible. I called UPS to change the address on my account and they wouldn't let me and instead directed me to do it online. That's a fine solution: I had to create that account online in the first place so there was a reasonable expectation that I could access the account that way.
Phone systems and contact centers are evolving. Twilio Flex is a powerful solution that offers control over the functionality and security of your contact center. Using Authy for one-time passcodes provides actual authentication and a seamless user experience.
The future of call center authentication can include in-app authentication. If the user already has the company's app installed, they can authenticate from their device. There is a lot of data about users that can be used for more fingerprinting and advancements in behind the scenes fraud detection in call centers.
Like everything, there's no perfect solution here but I hope this post has sparked some ideas for increasing security in over-the-phone authentication systems. If your company has a customer support line, call it! Take notes. Think about the holes in your system. If you know companies that are doing this well, have research you'd like to share, or have ideas to make contact center security better, let me know in the comments or on Twitter!