Agent identity in contact centers is in disarray. Despite the plethora of MFA providers to choose from, very few of their products actually work for BPOs. The reason is that traditional MFA cannot overcome the environmental constraints that contact centers and their agents operate under. The difficulty is common enough that PCI SSC released an information supplement on multi-factor authentication in 2017 that QSAs still use during audits.
With so few options, contact centers typically end up with an MFA policy that is not really compliant with PCI DSS and industry best practice. Most are looking for a PCI-compliant solution that supports a clean-desk environment without mobile phones. However, every available solution comes with a massive downside or hidden cost, so teams end up swallowing a bitter pill. Hard tokens such as YubiKeys fit the bill, but the cost and logistics of managing them across a high-churn workforce are a nightmare. One-time password generators can be used in a clean-desk-compliant way, but according to PCI SSC, floating desks are not an option if OTPs are used, which creates a logistical nightmare for BPOs with sizable headcounts.
Floating desks are an essential component of most BPOs' contact center operations and refer to workstations that are not assigned to specific individuals but are available for any agent to use on a temporary basis. These desks are commonly used in contact centers where the workloads and schedules of agents vary throughout the day. Floating desks benefit BPOs in several ways, but optimization and cost savings are two of the major advantages of having agents able to use any workstation.
Image from PCI SSC Information Supplement Multi-Factor Authentication, 2017.
The incompatibility of OTPs and floating desks leaves BPOs looking at security solutions that are far more costly and time-consuming. Hard tokens must be purchased, distributed, and replaced when lost, broken, or unreturned by an exiting employee. They are often seen as one of the last options for BPOs to authenticate agents and meet PCI DSS requirements, but that does not make them any less of a logistical and cost nightmare given an industry average churn of 150%.
All of these factors have left BPOs struggling with agent identity security. Fortunately, the same information supplement shows a clear path to implementing MFA efficiently, compliantly, and securely. During a recent collaboration with a BPO and their PCI QSA, a new, simple, affordable path to compliance was found, built on the capabilities that Continuous Authentication provides. The solution leverages biometrics, which are usually out of budget because of the hardware they require, but become viable and affordable when delivered as software alone.
Scenario 4 of the information supplement on multi-factor authentication, shown below, clearly breaks down the benefit of using biometric authentication to log into the workstation. Using a biometric at the initial login allows more leniency in the second portion of the authentication process. Because a biometric factor and another factor (in this scenario, a password) were used at the initial login, the individual can then provide a single additional factor, such as a certificate, a different password, or a challenge-response, to establish a non-console connection to the CDE or corporate network.
Image from PCI SSC Information Supplement Multi-Factor Authentication, 2017.
Given what we know about contact centers' challenges with MFA, it often feels as if no reasonable solution is available, until now. Twosense has developed a first-of-its-kind software product that enables BPO contact centers to use one-time passwords and keep their floating desks. In terms of the PCI SSC documentation, this moves BPO security from scenario 1 to scenario 4.
Continuous MFA is a software component installed directly onto the BPO's agent workstations and requires neither hardware nor any form of user enrollment. Nobody needs to beg users to install a mobile app on their personal phone or send reminder emails asking them to enroll through a portal. Once the Twosense agent is installed on each user's machine, no further action is required. Because there is no password, code or token for a user to hand over, there is nothing for a phishing lure to collect, and no user training is needed. Users do not need to change their behavior; they simply continue working uninterrupted.
Leveraging machine learning and passive biometrics, Twosense is able to create a unique biometric profile for each user. Each model learns and adapts to changing behaviors to biometrically authenticate the user at every MFA challenge in an invisible way. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. Twosense can validate the user's identity and authenticate them not by what they’re doing but by how they’re doing it, generating a level of trust for every interaction in the background. That trust score is then used to authenticate the user continuously throughout the day or flag suspicious behavior.
Unlike traditional MFA, there is no password, token, or device that can be stolen and used to bypass security. If an outside attacker does not have the Twosense agent, their authentication goes no further. If the attacker uses a remote desktop session such as RDP to reach a compromised user's machine, the mismatch between their behavior and the user's profile is identified, and action can be taken within minutes.
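To make the "trust score" idea above concrete, here is a toy continuous-authentication scorer. It is an added example for illustration only and is not Twosense's code or model: the behavioral features (average key dwell and flight times per typing window), the z-score similarity measure, the exponentially weighted trust update, the thresholds and all of the timing samples are assumptions chosen to show the mechanism, including the lag between an intruder taking over a session and the trust dropping below the flagging threshold.

```python
"""Keystroke-dynamics trust scoring as a toy model of continuous authentication.

Added example for illustration only: it is not Twosense's code, and the
features (key dwell and flight times), the z-score scoring, the EMA trust
model, the thresholds and the sample timings are all assumptions.
"""
import statistics
from dataclasses import dataclass, field

FEATURES = ("dwell_ms", "flight_ms")   # assumed per-window average timings


@dataclass
class Profile:
    """A user's behavioral baseline, kept as a bounded history of accepted
    typing windows so the model can adapt to gradual drift."""
    history: list = field(default_factory=list)
    max_history: int = 50

    def add(self, window):
        self.history.append(window)
        del self.history[:-self.max_history]

    def stats(self):
        """Per-feature (mean, stdev) over the history; stdev is floored so an
        unusually consistent typist does not produce infinite z-scores."""
        out = {}
        for f in FEATURES:
            vals = [w[f] for w in self.history]
            sd = statistics.stdev(vals) if len(vals) > 1 else 0.0
            out[f] = (statistics.fmean(vals), max(sd, 1.0))
        return out


def window_score(profile, window, z_cut=3.0):
    """Similarity of one typing window to the baseline, in [0, 1]: 1.0 means every
    feature sits on the user's mean, 0.0 means the average deviation is at
    least z_cut standard deviations."""
    st = profile.stats()
    zs = [abs(window[f] - st[f][0]) / st[f][1] for f in FEATURES]
    mean_z = sum(zs) / len(zs)
    return max(0.0, 1.0 - mean_z / z_cut)


@dataclass
class Session:
    """Running trust for one logged-in session, updated on every window."""
    trust: float = 1.0        # fully trusted right after the interactive MFA login
    alpha: float = 0.4        # EMA weight: higher reacts faster but is noisier
    threshold: float = 0.5    # below this the session is flagged
    adapt_min: float = 0.8    # only windows this similar feed back into the profile
    flagged: bool = False


def observe(profile, session, window):
    """Fold one window into the session trust. Returns True if the user is
    still considered authenticated after this window."""
    s = window_score(profile, window)
    session.trust = (1 - session.alpha) * session.trust + session.alpha * s
    if s >= session.adapt_min:
        # Adapt only on windows that match strongly on their own merits, never on
        # windows merely carried by leftover trust, so an intruder cannot train
        # the model while the score is still decaying.
        profile.add(window)
    if session.trust < session.threshold:
        session.flagged = True   # sticky: stays flagged until re-authentication
    return not session.flagged


def run_session(profile, windows, **kw):
    """Replay a sequence of windows; returns the per-window accept decisions."""
    session = Session(**kw)
    return [observe(profile, session, w) for w in windows]


# Constructed enrollment data: six typing windows from the legitimate agent.
ENROLLMENT = [
    {"dwell_ms": 88, "flight_ms": 140}, {"dwell_ms": 92, "flight_ms": 150},
    {"dwell_ms": 90, "flight_ms": 135}, {"dwell_ms": 95, "flight_ms": 145},
    {"dwell_ms": 85, "flight_ms": 130}, {"dwell_ms": 90, "flight_ms": 140},
]
LEGIT_WINDOW = {"dwell_ms": 91, "flight_ms": 142}
# Constructed intruder over a remote session: a different rhythm plus
# network-induced gaps between keystrokes.
INTRUDER_WINDOW = {"dwell_ms": 60, "flight_ms": 260}


def demo():
    profile = Profile(history=list(ENROLLMENT))
    seq = [LEGIT_WINDOW, LEGIT_WINDOW,
           INTRUDER_WINDOW, INTRUDER_WINDOW, INTRUDER_WINDOW]
    return run_session(profile, seq)


if __name__ == "__main__":
    print(demo())  # [True, True, True, False, False]
```

The first intruder window is still accepted because the trust decays rather than dropping to zero at once; that lag is the price of not flagging a legitimate user on a single odd burst of typing, and it is why the response time is quoted in minutes rather than keystrokes. The profile is updated only from windows that score highly on their own, not from windows that pass merely because earlier trust has not yet drained away, which is the check a practitioner should insist on in any adaptive model.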
In addition to letting BPOs use OTPs with floating desks, implementing biometric continuous authentication also lets BPOs head into their upcoming PCI DSS assessments with confidence. Although the future-dated requirements of PCI DSS v4.0, including those in Requirement 8, do not become mandatory until 31 March 2025, many BPO customers are already demanding identity security aligned with the updated requirements. Having an identity security policy that is v4.0 compliant ahead of schedule gives BPOs a competitive edge in acquiring and retaining customers and in passing their annual PCI assessments.
To learn more about how Twosense Continuous MFA can help your contact center, schedule a call with our team here.