Sometimes you only need to enter a simple password before you can gain access to a given application. In other cases, like when your user data or personal account information needs to be more protected, a single password is not enough.
One of the most common ways of adding an extra layer of security to the login process is to have a one-time password (OTP) sent to your email or texted to your phone number. Other methods include biometric fingerprint scans and using dedicated authenticator apps that provide tokens or number-based codes on a rotating basis.
When you only need one form of credential for login verification, that’s called one-factor or single-factor authentication. This can simply be the combination of your username and password.
When you need a second credential in addition to your username and password, that’s known as two-factor authentication—or 2FA for short.
After 2FA comes MFA (multi-factor authentication), which requires a minimum of two credentials, often of two completely different credential types.
Finally, IVR authentication refers to the process of verifying a caller’s identity before allowing them access to an interactive voice response phone system. An example of IVR authentication is when you call an app’s customer service number and have to provide an assortment of credentials in order to proceed with the call and access the service menu that’s available to users.
For many IVRs, single or even two-factor authentication isn’t enough because neither of them is fully fraud-proof. Naturally, the authentication procedure that is least prone to fraud is multi-factor authentication.
Multi-Factor Authentication: The Procedure Least Prone to Fraud
Multi-factor authentication requires a caller to provide multiple forms of identity verification before they can gain access to account information or customer services.
In general, MFA uses three categories of authentication factors:
- Something the caller knows: This includes things like a password, account number, PIN code, or social security number.
- Something the caller has: This involves OTPs and time-based OTPs, which are acquired after requesting a passcode be sent to the user’s mobile device via their phone number or email address.
- Something the caller is: This includes biometric data, face ID, and a person’s voice.
Any one of these elements can serve as single-factor authentication, but MFA’s effectiveness comes from combining two or all three strategies during the authentication process.
IVRs and MFA
Here’s how MFA can work with an IVR system: Imagine a customer calls a customer service line and is greeted by a voice prompt that says, “Thank you for calling. Please enter your account number to proceed.”
When the caller enters their account number, this serves as an authentication factor within the category of something that the caller knows.
To proceed, the IVR checks with its CRM (customer relationship management) database to find the phone number associated with the account number entered. If there’s an existing match, the system sends a passcode to the phone number. Typically, the caller will then receive a 4-6 digit number on their mobile device.
When the system prompts the caller by saying something like, “Please provide the verification code sent to the phone number associated with this account,” entering the code serves as a secondary authentication factor, this time falling under the category of something that the caller has.
As a final step, the IVR system may analyze the caller’s voice and compare it to recordings from past interactions. Naturally, if there’s a match, this serves as the final MFA credential—something the caller is—and the caller can be sent through to a greeting message like, “Welcome! How can we assist you today?”
While this process may take a long time, it is also straightforward and secure, as long as you’re a legitimate customer.
On the other hand, this system may be extremely frustrating for a potential fraudster. Even if they know your account number and password, that would only get them in if those were the only required means of authentication.
In fact, even if this potential fraudster had your account number, password, and your cell phone, MFA could still keep your account protected. Meanwhile, remember that your account might not be so lucky if your 2FA were set up to permit access after just a password and a verification code sent to the same phone used to request the code. If your phone is unlocked or your lock screen shows message details, your account could be compromised.
That said, if your 2FA or MFA requires biometrics as an extra layer of security, a fraudster will have a tough time replicating those credentials. In other words, good luck to anyone who needs your fingerprints or face ID.
Finding a Balance Between Security and Complexity
If you’ve gotten a new phone or computer recently, then you know how many hoops you have to jump through sometimes to gain access to all of your baseline levels of verification. If anything, this is proof that authentication processes—although complicated, slow, and frustrating at times—do a pretty good job of blocking unauthorized and unwarranted access.
In the same way, an IVR system that uses MFA does so because it’s an effective way to secure customer information. Any intruder will face extreme difficulty when trying to gain access to the IVR system. That said, with good MFA in place, the challenge of a good IVR configuration is not even the security of the system—it’s the time it takes for users to make it through each of the steps.
In other words, customers want their accounts to be secure, but they also don’t want a login process that is so slow that it hinders their experience. Therefore, there must be a balance between the intensity of security and customer satisfaction.
To speed up the process, a well-designed system will often have clear and concise prompts to guide customers through the authentication process. In some cases, they may even delay the third authentication factor until there’s a highly sensitive interaction or access point. This way, users don’t have to go through the entire cumbersome process for every simple inquiry.
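The call flow described under "IVRs and MFA" and the deferred third factor described above can be sketched in Python as follows. This is an added example, not code from any IVR product: the class and function names, the CRM record, the timeout, the attempt limit, the voice-score threshold and the action policy are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 120            # assumed: seconds a texted code stays valid
MAX_TRIES = 3            # assumed: wrong entries allowed before the code is burned
VOICE_THRESHOLD = 0.80   # assumed: cut-off for an external voice-match score
CRM = {"10024512": "+15550100"}   # constructed record: account -> phone on file
POLICY = {"balance": {"knows", "has"}, "wire_transfer": {"knows", "has", "is"}}

class IvrSession:
    def __init__(self, clock=time.time):
        self.clock, self.account, self.factors, self._otp = clock, None, set(), None

    def enter_account(self, number):
        """Factor 1 (something the caller knows): must match a CRM record."""
        if number in CRM:
            self.account = number
            self.factors.add("knows")
        return number in CRM

    def send_otp(self):
        """Create a 6-digit code for the phone on file; store only its hash."""
        if self.account is None:
            raise RuntimeError("account number not verified")
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._otp = (digest, self.clock() + OTP_TTL, MAX_TRIES)
        return CRM[self.account], code   # passed to the SMS gateway only

    def verify_otp(self, digits):
        """Factor 2 (has): constant-time compare, expiry, try limit, single use."""
        if self._otp is None:
            return False
        digest, expiry, tries = self._otp
        hit = hmac.compare_digest(digest, hashlib.sha256(digits.encode()).digest())
        ok = hit and self.clock() <= expiry
        self._otp = None if ok or tries <= 1 else (digest, expiry, tries - 1)
        if ok:
            self.factors.add("has")
        return ok

    def verify_voice(self, score):
        """Factor 3 (is): score is supplied by a separate voice-biometric engine."""
        if score >= VOICE_THRESHOLD:
            self.factors.add("is")
        return "is" in self.factors

    def missing_for(self, action):
        """Step-up check: factors POLICY still requires before this action."""
        return POLICY[action] - self.factors
```

A routine inquiry such as `balance` proceeds after the account number and the texted code, while `missing_for("wire_transfer")` returns `{"is"}` until the voice check passes, so the slow third step is only requested when the caller reaches a sensitive menu option.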
Lastly, if you’re setting up your IVR’s MFA for the first time, remember to give the customers some control by allowing them to select their preferred methods of verification. This can speed up the process for those who have easier access to certain information, devices, and other authentication tools.