Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Contact center authentication: is cryptographic proof replacing KBA?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Contact center authentication now has four realistic options, but only device-bound cryptographic proof is both phishing-resistant and low-friction, according to Scramble ID’s comparison of KBA, voice biometrics, OTP/MFA, and device verification. KBA is the weakest and most socially engineered path, while voice and OTP controls still leave gaps that identity teams need to close.

NHIMG editorial — based on content published by Scramble ID: Download PDF, Contact Center Authentication Methods Compared

Questions worth separating out

Q: How should security teams replace KBA in contact centre recovery flows?

A: Security teams should replace KBA with a proof method that binds the caller to an enrolled device, not to remembered facts.

Q: Why do contact centres need stronger caller verification than STIR/SHAKEN?

A: STIR/SHAKEN authenticates the calling number, not the person speaking.

Q: What breaks when voice biometrics is used as the only authentication factor?

A: The control breaks when the voice itself becomes easy to imitate, replay, or manipulate.

Practitioner guidance

  • Retire KBA from high-risk call flows Remove security questions from account recovery, password resets, and any request that can change recovery factors or access entitlements.
  • Make device-bound proof the default verification path Require an enrolled device to approve a live challenge before agents can complete sensitive actions.
  • Use voice biometrics only as a supplementary signal If biometrics remain in the flow, limit them to local confidence scoring or step-up triage.

What's in the full article

Scramble ID's full research covers the operational detail this post intentionally leaves for the source:

  • Side-by-side implementation guidance for KBA replacement, voice biometrics, OTP/MFA, and device-bound proof.
  • Caller journey examples that show how a verified device approval fits into live contact centre workflows.
  • Detailed comparison of privacy, spoofability, and handle-time trade-offs for each authentication method.
  • Migration steps for phasing out security questions without breaking legitimate recovery paths.

👉 Read Scramble ID's comparison of contact centre authentication methods →

Contact center authentication: is cryptographic proof replacing KBA?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

KBA is now an access control failure, not an authentication strategy: Security questions depend on knowledge that attackers can increasingly source before the call even begins. That assumption was tolerable when personal data was scarce, but it fails in a breach-saturated environment where answers are public, purchased, or inferred. The implication is that contact centre governance must stop treating KBA as an identity signal and start treating it as an exposed attack path.

A few things that frame the scale:

  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.

A question worth separating out:

Q: Who is accountable when a contact centre approves an unauthorised account change?

A: Accountability sits with the organisation that chose the verification model, not just the agent who followed it. If the workflow allowed social engineering, weak fallback rules, or unreliably verified callers to reach privileged actions, IAM, customer support, and fraud teams all share responsibility for the control design.

👉 Read our full editorial: Contact center authentication is shifting from KBA to cryptographic proof



   
ReplyQuote
Share: