
Caller authentication with device proof: are KBA checks still viable?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Caller authentication shifts phone-based verification from knowledge questions to cryptographic device proof, using a push confirmation or session-bound Dynamic Identifier so spoofed caller ID, persuasion, and deepfake voice cannot complete the flow, according to Scramble ID. Static identity checks are no longer sufficient in contact-center recovery paths where attackers only need one successful exception.

NHIMG editorial — based on content published by Scramble ID: Caller Authentication (DID + app confirmation)

By the numbers:

Questions worth separating out

Q: How should security teams replace KBA in contact-center recovery flows?

A: Use device-bound verification instead of questions that attackers can guess, harvest, or coerce.

Q: Why do phone-based identity checks fail in account recovery?

A: They fail because the phone channel provides context, not proof.

Q: How can organisations measure whether caller authentication is working?

A: Measure containment rate, wrong-code rate, median time to verify, late confirmations, and the percentage of high-risk cases that complete without exception.

Practitioner guidance

  • Remove KBA from high-risk recovery flows: Eliminate security questions from password reset, payout change, and device recovery paths, then route those actions through device-confirmed verification with audit logging.
  • Bind verification to a registered device and live session: Use a cryptographic challenge that is approved only in the enrolled app and only for the current session, so replayed answers and spoofed calls cannot complete the flow.
  • Instrument verification failure signals: Track wrong-code spikes, late confirmations, retry pressure, and time-to-verify so fraud teams can spot coercion patterns and help-desk abuse early.

What's in the full article

Scramble ID's full article covers the operational detail this post intentionally leaves for the source:

  • The exact IVR and app-confirmation flow for both the push path and the Dynamic Identifier fallback
  • Implementation notes for webhook integration, callback handling, and live call state updates
  • Script examples for agents and IVR prompts that reduce social engineering pressure during verification
  • Metrics definitions for containment, wrong-code bursts, late confirmations, and time-to-verify

👉 Read Scramble ID's analysis of caller authentication with device proof →

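A minimal server-side model of the session-bound challenge and the failure-signal metrics the guidance above describes, added here as an illustration and not code from Scramble ID or NHIMG. It assumes a per-device shared secret as a stand-in for the enrolled app's real credential and treats the IVR/agent call session id as the binding context; all names and values are constructed.

```python
import hashlib
import hmac
import secrets
import time
CHALLENGE_TTL = 90  # seconds; a confirmation after this is recorded as "late"

class CallerAuthServer:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock (constructed for the example/test)
        self.devices = {}     # account_id -> enrolled device secret (stand-in credential)
        self.pending = {}     # session_id -> (account_id, nonce, issued_at)
        self.events = []      # verification outcomes feeding the metrics below

    def enroll(self, account_id, device_secret):
        # Enrollment must precede any challenge for the account.
        self.devices[account_id] = device_secret

    def issue_challenge(self, account_id, session_id):
        # One fresh nonce per live call session; the push carries (session_id, nonce).
        nonce = secrets.token_hex(16)
        self.pending[session_id] = (account_id, nonce, self.now())
        return nonce

    @staticmethod
    def device_sign(device_secret, session_id, nonce):
        # What the enrolled app computes when the caller approves THIS session in-app.
        msg = f"{session_id}|{nonce}".encode()
        return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()

    def confirm(self, session_id, response):
        # Single-use: pop the challenge so a replayed response cannot succeed twice.
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return self._record(session_id, "no_pending")
        account_id, nonce, issued_at = entry
        if self.now() - issued_at > CHALLENGE_TTL:
            return self._record(session_id, "late")
        expected = self.device_sign(self.devices[account_id], session_id, nonce)
        ok = hmac.compare_digest(expected, response)
        return self._record(session_id, "verified" if ok else "wrong_code")

    def _record(self, session_id, outcome):
        self.events.append({"session": session_id, "outcome": outcome})
        return outcome == "verified"

def metrics(events):
    n = max(len(events), 1)
    def share(outcome):  # fraction of sessions that ended with this outcome
        return sum(e["outcome"] == outcome for e in events) / n
    return {"containment": share("verified"), "wrong_code": share("wrong_code"), "late": share("late")}
```

A response copied from an earlier or different call fails because the HMAC covers the session id and the challenge is consumed on first use; spikes in the wrong-code and late shares are the coercion signals the post tells fraud teams to watch.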

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Caller authentication exposes the failure of phone-channel trust as an identity primitive. The control problem is not that the voice channel is noisy, but that it has been treated as a place where identity can be inferred from context, urgency, or familiarity. That model is too weak for recovery actions that can reset access, change payments, or unlock privileged workflows. Practitioners should treat voice as an untrusted transport until device-bound proof is completed.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Another finding from the Ultimate Guide to NHIs shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.

A question worth separating out:

Q: Who should approve fallback access when device proof is unavailable?

A: Fallback access should be approved only by a separate control owner, not the same agent handling the call. If the organisation must allow exceptions, they should be slower, fully logged, and reviewed as privileged decisions because fallback paths are where attackers will concentrate pressure.

👉 Read our full editorial: Caller authentication with device proof closes contact center takeover
