As the cost of data breaches increases annually, contact centers are constantly exploring new solutions to enhance the security of their distributed workforces. While existing solutions have long kept threats at bay, they’re not often robust enough to thwart modern attacks. Attackers are resorting to advanced phishing attacks using AI and deepfakes. Most contact centers are defenseless against these tactics, and threat actors exploit traditional authentication solutions vulnerable to human error.
At this point, contact centers must explore automated MFA solutions to defend their infrastructure and customer data. This article explores Twosense's automated MFA and how it better protects contact centers.
Agents have been authenticated with usernames and passwords for a long time, but this has often proved insufficient. Agents would choose simple passwords or write them down, which creates security risks, and attackers frequently resort to brute-force attacks that render weak passwords useless.
Contact centers started employing two-factor authentication in their systems to enhance their security. These systems rely on something the users have, such as their phones or physical security keys. Some of the traditional 2FA solutions were:
With SMS or email one-time passwords, once the agent enters the correct username and password, the system sends a one-time password by SMS or email and grants access only after the agent enters that code.
Authenticator apps are connected to the application or system being secured and generate random codes. Once the user enters their password, the system asks for the 2FA code; the user opens the app on their phone and enters the code shown there, and if the codes match, the system grants access.
With phone-as-a-token, the agent's phone itself acts as the security token. Once the agent enters their credentials, the system sends a push notification to the phone, which the agent accepts to gain access.
Hardware security keys look similar to thumb drives and are commonly used for two-factor authentication in enterprise systems. A key can be configured to log in to many systems or services; in practice, once it is set up, the user simply plugs it into a USB port and taps the sensor on the key.
Traditional authentication solutions are not comprehensive enough to meet contact centers' security demands. Phishing and other social engineering attacks are among the top 5 most frequently deployed attacks against BPOs, and advances in AI and deepfake technology have made them harder to defend against. OTP-based logins, phone-as-a-token, and 2FA apps have proven ineffective against sophisticated social engineering attacks.
Contact centers also face high employee turnover, which makes it difficult to train agents well enough to spot phishing attacks, quite apart from the broader debate over whether security should be everyone's responsibility. Turnover also makes hardware security keys hard to use: large organizations with significant churn need separate teams to manage and keep track of the keys. Based on data from some of the largest BPOs, our team found that hard token replacement rates are around 10% monthly.
Month over month, unreturned and damaged hard tokens add up; annually, the organization was looking at a 100% replacement rate. For a 1,000-agent headcount and an initial 1,000 tokens, ongoing procurement of 1,800 tokens annually is required.
Contact centers are often subject to clean desk policies intended to reduce insider threats and fraud, which further rules out phone-based authentication in these environments.
Another drawback of traditional authentication solutions is that they only authenticate users at specific points in time, such as when they try to log in. If an attacker manages to get into the system, they can remain undetected and move laterally until the next authentication attempt. While IT admins can configure these systems to require agents to re-authenticate more often, that may hamper productivity and is a major inconvenience for the agents.
Contact centers need automated MFA for various reasons, but it boils down to the ability to defend against modern cybersecurity threats. Attackers target contact center agents with clever social engineering attacks, allowing them to bypass even the most sophisticated security systems.
At the same time, manual authentication systems, even the most advanced ones, inconvenience agents so much that they become a security risk themselves: agents look for ways to ease the friction or bypass MFA internally. Attackers also exploit this with prompt bombing attacks, in which they trigger a flood of MFA prompts in a short time. Users unaware of this tactic may assume the system is glitching, or that the IT department now requires more frequent authentication, and simply accept a request to stop the notifications.
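Prompt bombing leaves a visible trace in authentication logs: many prompts to one agent in a short time, sometimes followed by an approval. The following is an added Python example, not from the original article or from any Twosense product, that runs a push-fatigue check over a few constructed log lines and shows the policy hook that stops the flood. The log format, the `push_sent` / `push_denied` / `push_approved` event names, the five-minute window and the three-prompt threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): ISO timestamp, agent id, push event.
# "bob" receives five prompts in under two minutes and finally approves one.
SAMPLE_PUSH_LOG = """\
2024-03-01T09:00:01 alice push_sent
2024-03-01T09:00:12 alice push_approved
2024-03-01T13:15:00 bob push_sent
2024-03-01T13:15:20 bob push_denied
2024-03-01T13:15:40 bob push_sent
2024-03-01T13:16:05 bob push_sent
2024-03-01T13:16:30 bob push_sent
2024-03-01T13:16:50 bob push_sent
2024-03-01T13:17:10 bob push_approved
"""


def parse_push_log(text):
    """Yield (timestamp, user, event) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def analyze_push_log(text, window=timedelta(minutes=5), max_prompts=3):
    """Return alerts for push-fatigue patterns.

    - "push_fatigue": more than `max_prompts` prompts sent to one user inside `window`
      (raised once, when the threshold is first crossed, so a sustained burst yields one alert).
    - "suspicious_approval": an approval that arrives while at least `max_prompts` prompts
      are still inside the window, i.e. the user said yes after being bombarded.
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    alerts = []
    for ts, user, event in parse_push_log(text):
        sent = recent[user]
        while sent and ts - sent[0] > window:
            sent.popleft()
        if event == "push_sent":
            sent.append(ts)
            if len(sent) == max_prompts + 1:
                alerts.append({"kind": "push_fatigue", "user": user,
                               "at": ts, "prompts_in_window": len(sent)})
        elif event == "push_approved" and len(sent) >= max_prompts:
            alerts.append({"kind": "suspicious_approval", "user": user,
                           "at": ts, "prompts_in_window": len(sent)})
    return alerts


def should_send_push(recent_sent_count, max_prompts=3):
    """Policy hook for the authentication service: refuse to issue another prompt
    once the window is full, so an attacker cannot keep ringing the agent's phone."""
    return recent_sent_count < max_prompts


if __name__ == "__main__":
    for alert in analyze_push_log(SAMPLE_PUSH_LOG):
        print(alert)
```

The detection side flags the pattern after the fact; `should_send_push` is the mitigation side, a cap on outstanding prompts that removes the attacker's ability to wear the agent down. An approval that lands after a burst, as in the sample, is worth routing to a manager check before it grants a session.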
Contact centers need authentication solutions that require little to no effort from agents, continuously authenticate users, and can detect intruders before they can do any damage. Ideally, the system shouldn’t need additional hardware to reduce the deployment cost and comply with clean desk requirements.
In traditional MFA solutions, the agent is an active participant who enters a password or a code to authenticate themselves. With automated MFA, the authentication happens without any intervention from the agents. Often, the agents don’t even know that the system is authenticating them until there’s an issue.
Twosense uses behavior to authenticate agents automatically and continuously. The system builds a profile based on how the agent interacts with their computer and continuously compares the agent's behavior against this model. If a behavioral mismatch occurs, indicating an intruder in the system, Twosense ends the session and falls back to MFA or other procedures, depending on the security team's policies.
Admins can configure automated workflows when the system detects an intruder. For instance, the system can request the agent to use other forms of authentication or notify their manager to verify the agent’s identity.
Since the system is completely automated and requires no effort from the user, it verifies and authenticates agents continuously throughout the day, often 300+ times in a workday. This enhances security without compromising convenience.
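To make the continuous-authentication idea of the last few paragraphs concrete, here is an added Python example. It is not Twosense's model or code, and the article does not describe which behavioral signals Twosense uses; this toy uses a single signal, inter-keystroke timing. It builds an enrollment profile, scores each new window of keystrokes against it, and ends the session after two consecutive anomalous windows so that a fallback step can run, instead of deciding only at login as the point-in-time systems described earlier do. The sample timings, the thresholds and the function names are all constructed for this illustration.

```python
import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorProfile:
    """Enrollment model for one agent: mean and sample std-dev of inter-keystroke intervals (ms)."""
    mean_ms: float
    stdev_ms: float
    samples: int


MIN_ENROLLMENT = 20

# Constructed data (not measured from anyone): enrollment intervals around 140 ms,
# a genuine later window around 143 ms, and an intruder window around 220 ms.
ENROLLMENT_MS = [120, 130, 140, 150, 160] * 40
GENUINE_WINDOW = [140] * 15 + [146] * 15
INTRUDER_WINDOW = [200] * 15 + [240] * 15


def build_profile(intervals_ms):
    """Build the agent's profile from enrollment samples; refuse profiles that are too thin to trust."""
    if len(intervals_ms) < MIN_ENROLLMENT:
        raise ValueError(f"need at least {MIN_ENROLLMENT} enrollment samples")
    stdev = statistics.stdev(intervals_ms)
    if stdev == 0:
        raise ValueError("enrollment samples have no variance; cannot score deviations")
    return BehaviorProfile(statistics.fmean(intervals_ms), stdev, len(intervals_ms))


def score_window(profile, window_ms):
    """Anomaly score: |z| of the window's mean against the profile, using the standard
    error of the mean so that longer windows are judged more strictly."""
    se = profile.stdev_ms / math.sqrt(len(window_ms))
    return abs(statistics.fmean(window_ms) - profile.mean_ms) / se


def continuous_session(profile, windows, threshold=4.0, max_strikes=2):
    """Score windows as they arrive. One anomalous window is tolerated as noise; once
    `max_strikes` anomalous windows occur in a row the session is ended and the index of
    the window that ended it is returned (None if the session survived every window)."""
    decisions = []
    strikes = 0
    for index, window in enumerate(windows):
        if score_window(profile, window) >= threshold:
            strikes += 1
            decisions.append("anomaly")
            if strikes >= max_strikes:
                return decisions, index   # hand off to fallback MFA / manager verification here
        else:
            strikes = 0
            decisions.append("ok")
    return decisions, None


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT_MS)
    print("genuine score:", round(score_window(profile, GENUINE_WINDOW), 2))
    print("intruder score:", round(score_window(profile, INTRUDER_WINDOW), 2))
    print(continuous_session(profile, [GENUINE_WINDOW, GENUINE_WINDOW, INTRUDER_WINDOW, INTRUDER_WINDOW]))
```

Two design points carry over to any real deployment. The strike counter is what keeps a one-off blip (a phone call, a different keyboard) from locking an agent out while still catching a sustained change, and the check runs on every window, which is how a system gets to hundreds of verifications per workday without the agent doing anything. A production model would use many more signals and a far better-calibrated score than a single z-test on the mean.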