“Advanced” call center authentication methods have been around for over a decade, with some early leaders in voice biometrics launching offerings 20 years ago. And yet, at a time when $17.7B is spent on authentication per year, 93% is spent on legacy tools like knowledge-based authentication (KBAs) and one-time passwords (OTPs). While many call centers have implemented stronger options like voice biometrics and deepfake detection, requirements for high-net speech make those methods available on only a fraction of your calls, and most calls still fall back to outdated authentication methods. Some of these legacy security leaders are now winding down sales of their outdated solutions. That’s why a truly modern authentication strategy is needed: one that uses multiple authentication methods to build confidence in your caller’s identity, providing coverage that won’t require falling back to dated options for validating callers.
Why legacy authentication methods are dangerous to your call center
Legacy authentication methods like KBAs and OTPs are second nature today, making them an easy sell to callers who appreciate the tangible, familiar “security” of this high-friction process. Callers often understand these legacy authentication methods because they put the security process in plain sight, despite the effort it takes to complete them. However, it’s important to remember that these were originally designed as supplementary authentication techniques, not primary techniques. They were meant to be one part of a multi-factor authentication system that includes something you know, something you have, and something you are. Despite this, KBAs and OTPs have become overused in call centers, often serving as a main form of authentication. They’re frequently used as a fallback when stronger authentication methods aren’t available, affecting more callers than expected. What many consumers don’t realize, and what call center managers should be aware of, is that both methods carry significant security risks when used as the primary means of verifying a caller’s identity.
The problem with KBAs
The simple pin to knock down is KBAs. With a 78% YoY increase in data breaches in 2023, we can safely assume that most personal information is accessible to fraudsters. In a controlled study featured in our 2023 Voice Intelligence and Security Report, Pindrop and a national contact center found that over a thirty-day period fraudsters passed KBAs 80% of the time, while genuine customers only passed KBAs 46% of the time [3].
The problem with OTPs
OTPs maintain a veneer of legitimacy, but are increasingly a target for fraudulent activity. In fact, aspiring fraudsters can now purchase tools to harvest* OTPs via advertisements on Telegram for as little as $100 [4]. Fraudsters are using this information to provide correct responses to OTP prompts. When a human is actively involved in the authentication process, there is a risk of fraudulent activity.
Now is the time to remove KBAs and OTPs once and for all from the call center, which will require reconsidering your end-to-end authentication process.
How a Pindrop customer approached modernizing their contact center
M&T Bank (M&T), a Pindrop customer, was an early mover to the modern cloud-based contact center environment. Strong self-service options and modern contact center functionality have been a priority for M&T. When thinking about how to keep their contact center authentication and fraud detection ahead of the latest fraud trends, they switched from their existing authentication solution to Pindrop® Technologies.
Recently, Aaron Steinitz, SVP, Director Enterprise Fraud Policy and Governance at M&T Bank, shared the drivers behind this decision during a webinar with Pindrop:
- Empowering call center agents: Provide agents with advanced technology and real-time analytics to make informed decisions without forcing them to be fraud experts
- Deepfake threat preparedness: Recognize the imminent threat of deepfakes and invest in future-proofing solutions to combat emerging scams
- Holistic authentication approach: Balance customer trust with actual security measures, educate customers on new processes, and make risk-based decisions using data from voice channels to strengthen overall security
Building a future-proof authentication strategy
Contact center leaders may be inclined or pressured to react to the latest threats, like deepfakes, without laying a proper foundation of strong authentication practices. While we are supportive of deepfake detection in authentication (as demonstrated by our Pindrop® Pulse™ technology and Pindrop® Pulse™ Inspect solution), there is greater risk associated with leaving legacy methods like KBAs and OTPs for any portion of your calls.
For example, our customer M&T weighed the following when evaluating modern authentication practices in their call center:
- Implement true device authentication: OTPs posture as device authentication, but with the rate of fraudster interception, they no longer provide a strong indication of device ownership. Look for passive, strong device authentication, like our Phoneprinting® Technology capability, which uses signals coming from the device itself, helping to ensure you’re getting the right device match.
- Fortify voice authentication: Voice is well-known, and despite threats from increasingly prevalent deepfake technologies, is still one of the strongest methods for authenticating an individual. Voice vulnerabilities can be reduced when it’s paired with liveness detection and made part of a multi-factor authentication approach.
- Integrate passive authentication factors: Fraudsters are well-trained in social engineering, so any active caller involvement is a risk, even when it’s done by the right person. Passive authentication factors (those that require no specific action to be done) take the human out of the loop entirely, and provide stronger authentication on a larger percentage of calls, reducing the need for fall-back methods.
Ready to learn how you can eliminate KBAs and OTPs for good? Listen to our recent webinar: The Legacy Letdown: Why Industry Leaders Are Moving to Pindrop.
*harvest: a technique that involves intercepting OTPs to gain access to sensitive accounts and data.
[1] Contact Center Babel, The 2024 US Contact Center Decision-Makers’ Guide
[2] Federal Trade Commission, Consumer Sentinel Network Databook, 2024
[3] Pindrop Voice Intelligence and Security Report, Let the Right One In, 2022
[4] Example advertisement on Telegram channel “Spoof SS7” with over 1,250 subscribers