When implementing multi-factor authentication for agent identity, business process outsourcers (BPOs) have historically been in a difficult position with work-at-home agents (WAHAs). Contact centers must meet PCI DSS requirements, honor the clean desk policies their customers impose, and still satisfy customer requests, and those demands often compete. A path that does all of this, securely and efficiently, has been hard to find. Continuous MFA bridges the gap by letting BPOs implement PCI DSS-compliant MFA that is also clean desk compatible while meeting, and adapting to, customer requests.
To clarify what counts as multi-factor authentication, the PCI SSC published an information supplement, Multi-Factor Authentication (2017). Drawing on that document, there are three general paths a BPO can take to MFA compliance:
One way (the supplement calls these "scenarios"; this one is Scenario 3) is to use a separate mobile device as the second factor, either mobile push or an app-generated time-based one-time password (TOTP). Both satisfy PCI DSS under Scenario 3, but both are susceptible to collusive-agent threats and to phishing (a push prompt can be approved by the wrong person, and a TOTP can be relayed in real time). Unfortunately, most BPO customers still require remote agents to meet clean desk policies, and any workflow that requires agents to have their mobile devices with them violates those policies.
Image from PCI SSC Information Supplement Multi-Factor Authentication, 2017.
The second path is using On-Device One-Time-Passwords (OD-TOTP), referred to as "Scenario 1" by PCI DSS (see figure below). This approach is low-cost, easy to use, and simple to manage. Still, the MFA supplement adds that "physical security over the device becomes a required security control" to ensure that only the authorized user can physically interact with the device; otherwise "the overall authentication process is a usage of 'something you know' twice" and is not sufficient for access to the cardholder data environment (CDE).
While this workflow may work on-prem, where physical access to the device is controlled, it simply does not work for remote agents. Many BPOs have tried an always-on webcam to compensate for the missing physical control, but that measure has proven invasive, raises privacy concerns, and is illegal in some jurisdictions, Colombia among them.
Image from PCI SSC Information Supplement Multi-Factor Authentication, 2017.
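As an added illustration (not code from the PCI SSC supplement or from Twosense), here is what an on-device TOTP actually computes, following RFC 4226 and RFC 6238 with HMAC-SHA1, six digits and a 30-second step, together with the verifier-side checks a practitioner would want: a small clock-drift window and refusal to accept the same time step twice. The seed used is the RFC 6238 test-vector secret, chosen so the output can be checked against the published vectors; that choice, and the assumption that a real deployment would provision a random per-user seed, are the example's own. What it makes concrete is the supplement's point: the only thing that turns the code into "something you have" is possession of the seed, so when the seed lives on the same device as the password and anyone can sit at that device, the second factor is just another secret stored on the machine.

```python
"""On-device TOTP (RFC 6238) generator and verifier, as an added example.

The seed is stored on the same machine that generates the code, which is the
Scenario 1 / OD-TOTP situation described in the text: whoever can physically
use the device can produce valid codes, so the factor is only as strong as the
physical control over the device.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (the RFC's test-vector seed), used here so the
# output can be checked against the published vectors. This is an assumption
# of the example; a real deployment would provision a random per-user seed.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step, digits)


class TotpVerifier:
    """Server-side check: tolerates `window` steps of clock drift either way and
    never accepts a time step that has already been consumed (one code, one login)."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1  # highest counter already used for a successful login

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # replay of an already-used step, or older than one
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SEED, now)
    print("current code:", code)
    verifier = TotpVerifier(RFC_SEED)
    print("first use accepted:", verifier.verify(code, now))   # True
    print("replay accepted:", verifier.verify(code, now))      # False
```

The verifier's replay check matters in the collusion case the text raises: if an agent reads a code off a shared device and passes it to someone else, at most one of them gets in with it. Nothing in this code can tell the two apart, which is exactly why the supplement makes physical control over the device a required control for Scenario 1.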
The third approach is hardware token-based MFA, which is expensive to procure and operate. One of the realities of running a BPO is high employee churn. Employees often do not return hard tokens when they leave, incurring a replacement cost; when they do, IT spends time de-provisioning the token and re-provisioning it for a new hire. Tokens are also often lost or broken, and replacing one for a remote employee means days of downtime.
Twosense Continuous MFA addresses this, allowing BPOs to use on-device time-based one-time passwords for work-at-home agents in "unsecured environments" and eliminating the need for invasive, and potentially illegal, webcams.
How We Do It
Twosense is a no-phone, software-only, multi-factor authentication solution for contact centers and their customers. Twosense uses behavior-based biometric authentication to protect device access with MFA and to continuously authenticate the user across the session, once a second, throughout the day. With Twosense, "the individual uses multi-factor authentication (e.g., password and biometric) to log in to a smartphone or a laptop," referred to as "Scenario 4" by the MFA supplement (see figure below).
According to that document, MFA with a biometric factor protecting the endpoint is already sufficient for CDE access, requiring only "a single authentication factor (e.g., a different password, digital certificate, or signed challenge-response)" for further authentication. By deploying MFA with a biometric factor at device login, BPOs do not need to provide physical control over the environment as in Scenario 1.
Image from PCI SSC Information Supplement Multi-Factor Authentication, 2017.
This allows BPO contact centers to implement PCI DSS-compliant multi-factor authentication across the board while maintaining the customer's desired clean desk policy. There is a hidden benefit here that deserves attention. BPOs are otherwise forced to thread the needle between MFA compliance requirements and customer demands on an account-by-account basis, and the two often do not align.
By meeting PCI DSS requirements for all agents at device login, BPOs can address customer demands independently of PCI requirements. For example, suppose a customer insists on single-factor access to its CDE. That no longer threatens the BPO's PCI assessment, because the access already occurs in a compliant fashion with Twosense. Conversely, if a customer requires an OD-TOTP such as Duo or Twilio Authy for WAHAs, that can be implemented without risking the BPO's PCI certification: the OD-TOTP is now only a security requirement, since the compliance requirement has already been met.
To learn how Continuous MFA can help your contact center and its customers, schedule your demo with our team here.