Why Caller Authentication is a Better Way to Verify Identity on the Phone

Securing a user’s digital account takes an incredible amount of effort. Companies implement strong eIDs, multi-factor authentication, and layers of encryption. Every digital access point is secured.

But then the same user calls the company's support line…

To prove their identity, they might have to share their mother's maiden name, a first pet, or a street name. These "secrets" might be for sale on the dark web or readily available on their public Facebook profile. Suddenly, all advanced account protection hangs by that one, fragile thread.

The security of the phone line simply doesn't match the security online, and fraudsters are aware of this.

Why security questions are obsolete

The problem is the outdated verification process that call center agents must follow.

For decades, asking personal questions (knowledge-based authentication) was the standard. But that standard is now broken—here’s why:

  • Personal “secrets” are no longer secret. Information like a birthplace or a school name is either shared willingly on social media or available for a few dollars in massive data breach packages. Simply put, the answers are out there.
  • It's a bad user experience. Even legitimate users might forget the exact answer they gave years ago, which leads to a terrible support call where they're locked out of their account.
  • Even voice biometrics are vulnerable. Some banks turn to voice recognition for increased security. But with generative AI, a criminal can now create a convincing deepfake clone of a person's voice from just a few seconds of audio scraped from a social media video. So this once-solid security measure is becoming increasingly easy to bypass.

A better way to verify identity on a phone call

Imagine a simple and secure process: while the customer is on the phone, the support agent triggers a notification on the customer's smartphone.

The customer taps the notification, which opens their trusted eID app, and approves the request in the usual way: with their face, fingerprint, or PIN code.

This shifts the security check from something easily stolen (knowledge) to something that requires physical possession of the user's phone, unlocked with their face, fingerprint, or PIN. A criminal might find personal details online, but they cannot interact with the user's phone to approve a request in that moment. Stealing the user's phone together with their PIN code or biometrics takes far more effort.

Caller authentication has applications far beyond just stopping fraudulent bank transfers. Think about:

  • Insurance: An agent can start a new claim, certain that they are speaking with the actual policyholder.
  • Telecoms: SIM-swap attacks—a growing concern with devastating consequences—can be prevented.
  • Healthcare: A clinic can ensure it’s discussing sensitive patient data with the actual patient.

How it works under the hood

Technically, caller authentication is built on a standard called CIBA (Client Initiated Backchannel Authentication), an OpenID Connect flow in which one device (the agent's computer) requests authentication and the user completes it on another device (the user's phone).

The agent initiates the request, but the actual authentication—where the user proves their identity—happens in the secure environment of their own eID app. No secrets are transmitted over the phone line. 

For a deeper dive into the standard, read our Introduction to Client Initiated Backchannel Authentication (CIBA).
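To make the flow concrete, here is a simulated poll-mode CIBA exchange in Python. It is an added example, not Criipto's code or any eID provider's implementation: an in-memory stand-in for the OpenID provider (the eID service) and for the agent's desktop client, using the request and response fields defined in OpenID Connect CIBA Core 1.0 (bc_authorize returning auth_req_id, the token endpoint with the urn:openid:params:grant-type:ciba grant, and the authorization_pending, access_denied, expired_token and invalid_grant errors). The client id "support-desk", the user hint "customer-123", the issuer URL and the tokens are constructed placeholders, and the user's face or PIN check is modelled as a single decision in the app. It also shows the binding_message: a short code the agent reads aloud and the app displays, so the user can tell whether the push on their screen belongs to the call they are on.

```python
"""Simulated CIBA poll-mode exchange: agent console <-> eID provider <-> user's app.
Added example, not Criipto's code. Field names follow OpenID Connect CIBA Core 1.0;
client id, user hint, issuer and tokens are constructed placeholders."""
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type value defined by CIBA Core


class OpenIDProvider:
    """Stand-in for the eID provider's backchannel-authentication and token endpoints."""

    def __init__(self, known_users):
        self.known_users = set(known_users)  # constructed: hints that resolve to an enrolled device
        self.requests = {}                   # auth_req_id -> request state

    def bc_authorize(self, client_id, scope, login_hint, binding_message, requested_expiry=120):
        """Called by the agent's client; triggers the push to the user's enrolled device."""
        if login_hint not in self.known_users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "user": login_hint,
            "binding_message": binding_message, "status": "pending",
            "expires_at": time.time() + requested_expiry,
        }
        return {"auth_req_id": auth_req_id, "expires_in": requested_expiry, "interval": 2}

    def user_decides(self, auth_req_id, code_heard_from_agent):
        """The user, having unlocked the eID app with face, fingerprint or PIN, sees the
        binding_message and approves only if it matches the code the agent read aloud;
        a push started by someone else, whose code they never heard, is denied."""
        req = self.requests[auth_req_id]
        if req["status"] == "pending":
            req["status"] = "approved" if code_heard_from_agent == req["binding_message"] else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        """Token endpoint: CIBA error codes until the user has acted, then tokens."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown id, or another client's request
        if time.time() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        # Constructed stand-in for the real response, where id_token is a signed JWT.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token_claims": {"iss": "https://eid.example", "sub": req["user"]}}


class AgentConsole:
    """The support agent's client: starts the request and polls for the outcome."""

    def __init__(self, op, client_id):
        self.op, self.client_id = op, client_id

    def start_verification(self, customer_hint):
        # Short code the agent reads aloud and the app displays, interlocking call and push.
        binding_message = f"{secrets.randbelow(10000):04d}"
        resp = self.op.bc_authorize(self.client_id, "openid", customer_hint, binding_message)
        return resp, binding_message

    def poll(self, auth_req_id, max_polls=5):
        # A real client sleeps `interval` seconds between polls and backs off on slow_down;
        # the simulation polls immediately because the user's decision is already recorded.
        for _ in range(max_polls):
            resp = self.op.token(self.client_id, CIBA_GRANT, auth_req_id)
            if resp.get("error") not in ("authorization_pending", "slow_down"):
                return resp
        return {"error": "authorization_pending"}


def run_support_call(customer_hint, user_responds=True, code_heard=None):
    """One call end to end; returns what the agent's screen would show. code_heard=None
    means the caller heard the agent's code correctly; another value models a mismatch."""
    op = OpenIDProvider(known_users={"customer-123"})  # constructed enrolled user
    agent = AgentConsole(op, client_id="support-desk")  # constructed client id
    start, code_read_aloud = agent.start_verification(customer_hint)
    if "error" in start:
        return start["error"]
    if user_responds:
        op.user_decides(start["auth_req_id"], code_read_aloud if code_heard is None else code_heard)
    result = agent.poll(start["auth_req_id"])
    if "access_token" in result:
        return "verified:" + result["id_token_claims"]["sub"]
    return result["error"]


if __name__ == "__main__":
    print(run_support_call("customer-123"))                          # verified:customer-123
    print(run_support_call("customer-123", code_heard="mismatch"))   # access_denied
    print(run_support_call("customer-123", user_responds=False))     # authorization_pending
```

The four outcomes the agent can see map directly to the spec's token-endpoint responses: a successful verification, access_denied when the user rejects the push (here, because the code in the app did not match the one they were told), authorization_pending while the user has not acted, and invalid_grant when a different client tries to collect someone else's auth_req_id. Real deployments may also use CIBA's ping or push modes, where the provider notifies the client instead of being polled; the security properties of the user-side approval are the same.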

Create trust in phone calls

Caller authentication prevents a simple phone conversation from destroying the trust a company has built up with its users online. This maintains a consistent level of security, no matter how a customer chooses to connect to the company.

Ready to make your support calls safer and simpler?

Caller authentication is already available with Norwegian and Swedish BankID, with the Danish MitID coming soon.

Start testing for free today or contact our sales team to learn more.
