Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Call center authentication and passkeys: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Call centres remain a soft target because attackers can bypass weak knowledge checks with social engineering, voice cloning, or support-desk impersonation, while modern authentication can cut call times and improve service, according to Authsignal. The governance lesson is that customer identity controls now need the same fraud resistance and assurance logic as digital channels.

NHIMG editorial — based on content published by Authsignal: How modern authentication is fixing call center security and customer experience

By the numbers:

Questions worth separating out

Q: How should security teams authenticate callers without creating too much friction?

A: Use phishing-resistant authentication before the call reaches an agent wherever the journey allows it, then reserve manual checks for exception handling and high-risk actions.

Q: Why do knowledge-based call center checks keep failing?

A: They fail because the answers are often discoverable, reusable, or inferable from breached data and public sources.

Q: When should organisations use step-up authentication in the phone channel?

A: Use step-up authentication when the request can change account ownership, reset credentials, expose sensitive records, or move money or services.

Practitioner guidance

  • Treat the help desk as an access control point Map every caller-facing workflow that can reset credentials, change account data, or approve elevated actions.
  • Replace knowledge-based checks with cryptographic proof where possible Use passkeys or other phishing-resistant methods before the call reaches an agent so that the strongest identity proof happens outside the social-engineering window.
  • Add step-up rules for high-risk transactions Require additional verification for billing changes, account recovery, contact detail updates, and other actions that can be abused after a successful impersonation attempt.

What's in the full article

Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:

  • A closer look at pre-call authentication flows and how they reduce manual verification overhead in support operations.
  • Examples of passkey and biometric combinations used to strengthen caller assurance without extending handle time.
  • Practical ways to connect verified identity with smarter routing and faster resolution for high-value customer requests.

👉 Read Authsignal's analysis of call center authentication, passkeys, and biometric security →

Call center authentication and passkeys: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Call center authentication is now an identity control, not a customer service detail. The article shows that attackers are targeting the help desk because it can approve access changes that digital channels would otherwise protect. That makes the phone channel part of the IAM surface, with consequences for fraud, account recovery, and privileged support flows. Practitioners should govern it with the same seriousness they apply to password reset and step-up authentication paths.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: What is the difference between passkeys and voice biometrics for call center security?

A: Passkeys prove possession of a cryptographic credential tied to a specific service, while voice biometrics infer identity from a characteristic that can be copied or synthesised. That makes passkeys materially stronger against impersonation. Voice checks may still help as a signal, but they should not carry sole authority for sensitive actions.

👉 Read our full editorial: Call center authentication is becoming an identity security issue



   
ReplyQuote
Share: